Undetected malicious virus


  • This topic is locked
26 replies to this topic

#1 Techscan

Techscan

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:49 PM

Posted 25 September 2009 - 07:02 AM

I picked up a very malicious virus about 3 or 4 days ago. The symptoms are: BSOD, shutting down my internet connection, corrupting my operating system by removing icons from the start menu, disabling applications from starting, creating a variety of errors I have never seen before, causing so much damage that I continually have to reboot the computer to get it working again.

I have run Malwarebytes and removed everything it found. I have run Spybot as well and removed what it found. I am presently running Kaspersky AntiVirus and it found viruses that it said it removed but I don't see them in the log. In fact, the log shows nothing after September 21 so I don't know if it is being affected by the virus. After a full system scan it says my system is fine but it is not.

I also tried a few specialized scans for specific viruses and came up empty but I know I'm seriously infected.
My computer specs are as follows:

Gateway Q9330 dualcore quad
6gb ram
Nvidia 9800GT
Windows Vista Ultimate

Any help would be greatly appreciated. I don't know how long it will be before the computer is toast.

Thank You.


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:49 AM

Posted 25 September 2009 - 07:25 AM

Hi Techscan and :thumbsup: to BleepingComputer!

Can you please post the MBAM log (not a new one, but one that shows what was deleted).

ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
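Reading the report Elise asks for: the script below is an added example by the editor, not code from the thread or from RootRepeal. It parses the plain-text log RootRepeal writes (the Drivers, Hidden/Locked Files and SSDT sections seen in the log Techscan posts further down; a shortened copy of that log is embedded as the sample) and applies three triage rules that are the editor's assumptions rather than anything the thread states: a loaded driver with no file on disk is worth a look unless it is a crash-dump stub (dump_*.sys) or the scanner's own driver; "Locked to the Windows API!" entries under restore points and WinSxS are routine, while an allocation-size mismatch between the API and raw disk views is not; and SSDT hooks are grouped by the module that set them so they can be matched against installed security software (klif.sys is Kaspersky's filter driver, consistent with the Kaspersky install the poster mentions).

```python
"""Triage a RootRepeal text log. Added example for this thread, not RootRepeal's own
code; SAMPLE_LOG is a shortened copy of the log Techscan posted, and the triage
rules are the editor's assumptions about what is routine and what is not."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""ROOTREPEAL © AD, 2007-2009

Drivers
-------------------
Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x936EB000 Size: 45056 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: c:\windows\microsoft.net\framework\netfxsbs12.hkf
Status: Allocation size mismatch (API: 36864, Raw: 45056)

SSDT
-------------------
#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08e06

#: 048 Function Name: NtClose
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f07df8
"""

# One log line may carry several "Key: value" pairs, so split on the keys RootRepeal
# uses (longer keys first so "Image Path" is not read as "Path").
KEY_RE = re.compile(
    r"(?:^|\s)(Image Path|Function Name|File Visible|Name|Address|Size|Signed|Status|Path|PID|#): "
)
RULE_RE = re.compile(r"-{5,}")  # the dashed line under a section title


def parse_rootrepeal(text):
    """Return {section: [record, ...]}, each record a dict of one entry's fields."""
    lines = text.splitlines()
    sections, section, record = {}, None, {}
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if RULE_RE.fullmatch(nxt):                  # this line is a section title
            section, record = line.strip(), {}
            sections[section] = []
            continue
        if section is None or RULE_RE.fullmatch(line.strip()):
            continue
        if not line.strip():                        # blank line closes the record
            if record:
                sections[section].append(record)
            record = {}
            continue
        parts = KEY_RE.split(line)[1:]              # ['Address', '0x..', 'Size', '45056', ...]
        for key, value in zip(parts[::2], parts[1::2]):
            record[key] = value.strip()
    if record and section:
        sections[section].append(record)
    return sections

# A loaded driver with no file on disk is the classic rootkit sign, but the in-memory
# crash-dump stubs (dump_*.sys) and the scanner's own driver are expected to look that way.
EXPECTED_NOT_ON_DISK = ("dump_", "rootrepeal")


def triage(text):
    """Return (findings, hooks): (rule, path) pairs, and SSDT hooks keyed by hooking module."""
    sections = parse_rootrepeal(text)
    findings = []
    for drv in sections.get("Drivers", []):
        name = drv.get("Name", "").lower()
        if drv.get("File Visible") == "No" and not name.startswith(EXPECTED_NOT_ON_DISK):
            findings.append(("driver-not-on-disk", drv.get("Image Path", name)))
    # "Locked to the Windows API!" is routine for restore points and WinSxS and is left
    # alone; a size that differs between the API view and the raw disk view is flagged.
    for entry in sections.get("Hidden/Locked Files", []):
        if entry.get("Status", "").startswith("Allocation size mismatch"):
            findings.append(("size-mismatch", entry.get("Path", "")))
    # Group SSDT hooks by the module that set them so they can be matched against installed
    # security software: many hooks from one known AV driver (klif.sys is Kaspersky's filter
    # driver, matching the poster's AV) are expected; hooks from an unknown module are not.
    hooks = defaultdict(list)
    for entry in sections.get("SSDT", []):
        m = re.search(r'Hooked by "([^"]+)"', entry.get("Status", ""))
        if m:
            hooks[m.group(1).lower()].append(entry.get("Function Name", "?"))
    return findings, dict(hooks)


if __name__ == "__main__":
    found, hooked = triage(SAMPLE_LOG)
    print("\n".join(f"[{rule}] {path}" for rule, path in found))
    print("\n".join(f"{mod}: {len(fn)} SSDT hook(s): {', '.join(fn)}" for mod, fn in hooked.items()))
```

Run it as a script to see the findings for the embedded sample, or call triage() on the contents of a saved RootRepeal.txt. The output is a prioritisation aid only: a flagged entry still needs the file checked against vendor information before anything is removed, and an absence of findings does not clear the machine, since a rootkit that filters the scanner's own view will not appear in the log at all.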


#3 Techscan

Techscan
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:49 PM

Posted 25 September 2009 - 09:52 AM

Unfortunately, I reran Malwarebytes several times over the last few days while trying to get rid of this virus and I purged all of the old logs. The new log is clean but I do remember that one of the viruses was named "trojan.dropper".

Below is a copy of the RootRepeal log that you requested.

Thanks


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/25 08:31
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x936EB000 Size: 45056 File Visible: No Signed: -
Status: -

Name: dump_dumpfve.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
Address: 0x93700000 Size: 69632 File Visible: No Signed: -
Status: -

Name: dump_msahci.sys
Image Path: C:\Windows\System32\Drivers\dump_msahci.sys
Address: 0x936F6000 Size: 40960 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA4876000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sppv.sys
Image Path: C:\Windows\System32\Drivers\sppv.sys
Address: 0x82693000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{552bc413-a6dd-11de-a98f-d9ee05156787}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{655cdd7f-a37f-11de-af56-8a9ad8cf368e}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{655cddd5-a37f-11de-af56-8a9ad8cf368e}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{655cddf4-a37f-11de-af56-8a9ad8cf368e}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6654aa70-a612-11de-bcc8-a7c02e0610bb}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7a961907-a8fb-11de-89dd-d71bb738e938}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7d6b44e4-a647-11de-8993-ddb5d90f54e3}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7d6b44f2-a647-11de-8993-ddb5d90f54e3}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{94774fe1-a7ba-11de-b9d9-895d726d60b9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9cb64ede-a48b-11de-a862-bf667022b8bb}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9cc77f9a-a96b-11de-b091-db73f0fa147d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{aa82204e-a84d-11de-a325-d2a9ab7be9bb}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb9638d8-a74a-11de-9e63-d13f7b9e5db9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{cf4480e1-a61e-11de-b70f-d39432f2a7ba}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ebad26de-a519-11de-b59b-de97ee9d64ba}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f463d021-a5db-11de-a9b4-8ae48e01a1cd}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f463d055-a5db-11de-a9b4-bcc8ea1dc0c8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f463d06b-a5db-11de-a9b4-ba3cae3ddda5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f463d071-a5db-11de-a9b4-ba3cae3ddda5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f463d09f-a5db-11de-a9b4-ba3cae3ddda5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f463d00c-a5db-11de-a9b4-e04584f08421}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: c:\windows\microsoft.net\framework\netfxsbs12.hkf
Status: Allocation size mismatch (API: 36864, Raw: 45056)

Path: C:\Windows\inf\.NET Data Provider for Oracle\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.0.2.0_none_6a1e9669df5e3841.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_8a15b53c6beb8591.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d5e63e93b68.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_0c187ef99ee1d25a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c1279468b7b84b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.flightsimulator.simconnect_67c7c14424d61b5b_10.0.61259.0_none_55f5ecdc14f60568.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.flightsimulator.simconnect_67c7c14424d61b5b_10.0.61242.0_none_e079b46b85043c20.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.flightsimulator.simconnect_67c7c14424d61b5b_10.0.60905.0_none_dd92b94d8a196297.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.0.2.0_none_3473ce69dd3e3b0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5ca663317c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_cs-cz_d9f4bc64420b8d63\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_da-dk_772e9c8b38518962\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_de-de_745a31c73a27ddfc\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_el-gr_1cf05f5a293d468a\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_en-us_1d4b07c02905e9c1\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_es-es_1d1664a4292cdb66\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_bfcddaa31bfef1c8\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_hu-hu_073e5aeb005ec0e4\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_da-dk_10c2bcd25a6f45eb\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_de-de_0dee520e5c459a85\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_el-gr_b6847fa14b5b0313\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_en-us_b6df28074b23a64a\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_es-es_b6aa84eb4b4a97ef\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_fi-fi_55c5899840648a19\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_5961faea3e1cae51\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_fi-fi_bc3169511e46cd90\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_el-gr_9c85d8321884ca1a\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_cs-cz_598a353c315310f3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_da-dk_f6c4156327990cf2\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_de-de_f3efaa9f296f618c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_en-us_9ce08098184d6d51\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_es-es_9cabdd7c18745ef6\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_fi-fi_3bc6e2290d8e5120\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_3f63537b0b467558\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_hu-hu_86d3d3c2efa64474\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\AVANTG~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\CASSIO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\DEFAUL~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\DOCOMO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\ERICSS~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\EZWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\GATEWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\GENERI~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\GOAMER~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\JATAAY~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\JPHONE~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\LEGEND~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\NETSCA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\NOKIA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\OPENWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\OPERA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\PALM~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\PANASO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\WEBTV~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\WINWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6001.18111_none_71052252cbc3ee97\XIINO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.16720_none_7081409dee51e2d7\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.20883_none_59b9574207f427ca\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.18111_none_705c2553eea3ef78\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.22230_none_599095f00849688b\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.16720_none_85fe1e046d872951\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.16720_none_85fe1e046d872951\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.20883_none_6f3634a887296e44\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.20883_none_6f3634a887296e44\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18000_none_85d8195c6dda02a9\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18000_none_85d8195c6dda02a9\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18111_none_85d902ba6dd935f2\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18111_none_85d902ba6dd935f2\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.22230_none_6f0d7356877eaf05\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.22230_none_6f0d7356877eaf05\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-uninstallsqlstate_sql_b03f5f7f11d50a3a_6.0.6001.18111_none_a2d17efc27f8ebd7\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_c1843fad322b4004\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_c1c8fbc84b7d2218\_SERVI~1.INI
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6001.18000_none_c3627a1d2f590916\_servicemodeloperationperfcounters_d.ini
Status: Allocation size mismatch (API: 245760, Raw: 56)

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_c3072c8d2f9c9c99\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_c3f41b1e486f70bf\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6000.16708_none_4c6d3f4bfe5170cb\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6000.20864_none_4cb1fb6717a352df\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6001.18096_none_4df02c2bfbc2cd60\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalsansserifcf_31bf3856ad364e35_6.0.6001.22208_none_4edd1abd1495a186\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.16708_none_319b7f14a2b4f78c\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.20864_none_31e03b2fbc06d9a0\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_cs-cz_7388dcab642949ec\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_hu-hu_a0d27b32227c7d6d\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.16720_none_9b31bbe79077558b\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.20883_none_8469d28baa199a7e\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6001.18111_none_9b0ca09d90c9622c\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6001.22230_none_84411139aa6edb3f\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\AVANTG~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\CASSIO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\DEFAUL~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\DOCOMO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\ERICSS~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\EZWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\GATEWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\GENERI~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\GOAMER~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\JATAAY~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\JPHONE~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\LEGEND~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\NETSCA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\NOKIA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\OPENWA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\OPERA~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\PALM~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\PANASO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\WEBTV~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\WINWAP~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.16720_none_712a3d9ccb71e1f6\XIINO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\AVANTG~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\CASSIO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\DEFAUL~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.6000.20883_none_5a625440e51426e9\DOCOMO~1.BRO
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regbrowser_files_b03f5f7f11d50a3a_6.0.600

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1192 Status: Locked to the Windows API!

SSDT
-------------------
#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08e06

#: 022 Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08f84

#: 038 Function Name: NtAlpcSendWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f09014

#: 048 Function Name: NtClose
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f07df8

#: 054 Function Name: NtConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f084ea

#: 058 Function Name: NtCreateEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08816

#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f07f66

#: 067 Function Name: NtCreateMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f086ee

#: 068 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f079d2

#: 071 Function Name: NtCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f085aa

#: 075 Function Name: NtCreateSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f07b8c

#: 076 Function Name: NtCreateSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08948

#: 115 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f0864c

#: 150 Function Name: NtFsControlFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f080c4

#: 184 Function Name: NtOpenEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f088b8

#: 186 Function Name: NtOpenFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f07e34

#: 191 Function Name: NtOpenMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08786

#: 197 Function Name: NtOpenSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f0945c

#: 198 Function Name: NtOpenSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f089ea

#: 219 Function Name: NtQueryDirectoryObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f09214

#: 270 Function Name: NtReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08d74

#: 271 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f08c3a

#: 286 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f081f0

#: 307 Function Name: NtSetInformationToken
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f092c8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CREATE]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_READ]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_WRITE]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_PNP]
Process: System Address: 0x889c11f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CREATE]
Process: System Address: 0x85bcc1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CLOSE]
Process: System Address: 0x85bcc1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85bcc1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85bcc1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_POWER]
Process: System Address: 0x85bcc1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85bcc1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_PNP]
Process: System Address: 0x85bcc1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x85bce1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x85bce1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85bce1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85bce1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x85bce1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85bce1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x85bce1f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_READ]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP]
Process: System Address: 0x876211f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x87ecd500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x875511f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x875511f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x875511f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x875511f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x875511f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x875511f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x875511f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System Address: 0x87c68500 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System Address: 0x87c68500 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87c68500 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87c68500 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP]
Process: System Address: 0x87c68500 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_PNP]
Process: System Address: 0x87c68500 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CREATE]
Process: System Address: 0x87c33500 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CLOSE]
Process: System Address: 0x87c33500 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87c33500 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87c33500 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CLEANUP]
Process: System Address: 0x87c33500 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_PNP]
Process: System Address: 0x87c33500 Size: 121

Object: Hidden Code [Driver: iScsiPrt, IRP_MJ_CREATE]
Process: System Address: 0x85bcd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt, IRP_MJ_CLOSE]
Process: System Address: 0x85bcd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85bcd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85bcd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt, IRP_MJ_POWER]
Process: System Address: 0x85bcd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85bcd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt, IRP_MJ_PNP]
Process: System Address: 0x85bcd1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x85bca1f8 Size: 121

Object: Hidden Code [Driver: amy5fmml, IRP_MJ_CREATE]
Process: System Address: 0x876261f8 Size: 121

Object: Hidden Code [Driver: amy5fmml, IRP_MJ_CLOSE]
Process: System Address: 0x876261f8 Size: 121

Object: Hidden Code [Driver: amy5fmml, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x876261f8 Size: 121

Object: Hidden Code [Driver: amy5fmml, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x876261f8 Size: 121

Object: Hidden Code [Driver: amy5fmml, IRP_MJ_POWER]
Process: System Address: 0x876261f8 Size: 121

Object: Hidden Code [Driver: amy5fmml, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x876261f8 Size: 121

Object: Hidden Code [Driver: amy5fmml, IRP_MJ_PNP]
Process: System Address: 0x876261f8 Size: 121

Object: Hidden Code [Driver: usbehcim, IRP_MJ_CREATE]
Process: System Address: 0x8766f1f8 Size: 121

Object: Hidden Code [Driver: usbehcim, IRP_MJ_CLOSE]
Process: System Address: 0x8766f1f8 Size: 121

Object: Hidden Code [Driver: usbehcim, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8766f1f8 Size: 121

Object: Hidden Code [Driver: usbehcim, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8766f1f8 Size: 121

Object: Hidden Code [Driver: usbehcim, IRP_MJ_POWER]
Process: System Address: 0x8766f1f8 Size: 121

Object: Hidden Code [Driver: usbehcim, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8766f1f8 Size: 121

Object: Hidden Code [Driver: usbehcim, IRP_MJ_PNP]
Process: System Address: 0x8766f1f8 Size: 121

Object: Hidden Code [Driver: msahci, IRP_MJ_POWER]
Process: System Address: 0x85bcf1f8 Size: 121

Object: Hidden Code [Driver: msahci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85bcf1f8 Size: 121

Object: Hidden Code [Driver: msahci, IRP_MJ_PNP]
Process: System Address: 0x85bcf1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLOSE]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_READ]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_WRITE]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_EA]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLEANUP]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_POWER]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_PNP]
Process: System Address: 0x87def500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_CREATE]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_CLOSE]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_READ]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_WRITE]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_CLEANUP]
Process: System Address: 0x87de8500 Size: 121

Object: Hidden Code [Driver: cdfs, IRP_MJ_PNP]
Process: System Address: 0x87de8500 Size: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15ac2

#: 235 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15b86

#: 245 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15bec

#: 301 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15b22

#: 317 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f1565c

#: 333 Function Name: NtUserCallOneParam
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f159da

#: 391 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f1584a

#: 397 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f155c4

#: 428 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15912

#: 430 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15610

#: 479 Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f1579c

#: 497 Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f156f2

#: 498 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15746

#: 513 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f158a2

#: 525 Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f157fc

#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f15514

#: 576 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f1556a

==EOF==
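
Reading a RootRepeal log like the one above by hand is slow; the two questions an analyst actually asks are whether every SSDT and Shadow SSDT hook is installed by a module they can account for (here every hook points at klif.sys, Kaspersky's filter driver, which matches the Kaspersky install named in the first post), and whether the "Hidden Code" entries for each driver all resolve to one detour address or to several. The script below is an added example written for this thread, not code from the original post or from RootRepeal; it parses log text in this format and produces that summary, stripping the uninitialised-memory garbage RootRepeal prints after some driver names. SAMPLE_LOG is a constructed excerpt in the same format, the `unknown.sys` line in it is a hypothetical module name included only to exercise the unaccounted-hooker path, and KNOWN_HOOKERS is an assumption about which modules are expected on this machine.

```python
"""Triage helper for RootRepeal-style logs.

Added example for this thread, not code from the original post or from
RootRepeal. It groups SSDT / Shadow SSDT hooks by the kernel module that
installed them and groups "Hidden Code" stealth objects by driver, so the
analyst can see whether every hook is owned by a known module and whether
each driver's IRP table points at one detour target or several.
KNOWN_HOOKERS and SAMPLE_LOG are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumption: modules expected to hook the SSDT on this machine. klif.sys is
# Kaspersky's filter driver, matching the AV product named in the first post.
KNOWN_HOOKERS = {"klif.sys"}

SSDT_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)')
HOOK_RE = re.compile(r'^Status:\s*Hooked by\s*"([^"]+)"\s+at address\s+(0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(r'^Object:\s*Hidden Code\s*\[Driver:\s*([^,\]]+),\s*(IRP_MJ_\w+)\]')
ADDR_RE = re.compile(r'^Process:\s*(\S+)\s+Address:\s*(0x[0-9a-fA-F]+)\s+Size:\s*(\d+)')


def clean_driver_name(raw):
    """RootRepeal prints uninitialised memory after some driver names
    ('fastfat<garbage>'); keep only the printable-ASCII prefix."""
    m = re.match(r'[\x21-\x7e]+', raw.strip())
    return m.group(0) if m else raw.strip()


def parse_rootrepeal(text):
    """Return (hooks, stealth): hooks as (index, function, module, addr),
    stealth objects as (driver, irp_major, addr, size)."""
    hooks, stealth, pending = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SSDT_RE.match(line)
        if m:
            pending = ("ssdt", int(m.group(1)), m.group(2))
            continue
        m = STEALTH_RE.match(line)
        if m:
            pending = ("stealth", clean_driver_name(m.group(1)), m.group(2))
            continue
        m = HOOK_RE.match(line)
        if m and pending and pending[0] == "ssdt":
            hooks.append((pending[1], pending[2], m.group(1), int(m.group(2), 16)))
            pending = None
            continue
        m = ADDR_RE.match(line)
        if m and pending and pending[0] == "stealth":
            stealth.append((pending[1], pending[2], int(m.group(2), 16), int(m.group(3))))
            pending = None
    return hooks, stealth


def triage(hooks, stealth, known=KNOWN_HOOKERS):
    """Summarise hooks per module and stealth objects per driver, flagging
    hooking modules not in `known` and drivers with more than one target."""
    by_module = defaultdict(list)
    for _, func, module, _ in hooks:
        by_module[module.rsplit("\\", 1)[-1].lower()].append(func)
    by_driver = defaultdict(set)
    for driver, _, addr, size in stealth:
        by_driver[driver].add((addr, size))
    return {
        "hooks_by_module": dict(by_module),
        "unknown_hookers": {m: f for m, f in by_module.items() if m not in known},
        "stealth_by_driver": {d: sorted(t) for d, t in by_driver.items()},
        # One (address, size) per driver means every hooked IRP handler goes to
        # the same detour; several distinct targets deserves a closer look.
        "multi_target_drivers": {d: sorted(t) for d, t in by_driver.items() if len(t) > 1},
    }


# Constructed excerpt in the log's format. 'unknown.sys' is a hypothetical
# module name used only to exercise the unaccounted-hooker path.
SAMPLE_LOG = r'''
SSDT
-------------------
#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f07f66

#: 186 Function Name: NtOpenFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x92f07e34

#: 307 Function Name: NtSetInformationToken
Status: Hooked by "C:\Windows\system32\DRIVERS\unknown.sys" at address 0x9a000000

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x85bd01f8 Size: 121

Object: Hidden Code [Driver: fastfat줋Ї慖, IRP_MJ_READ]
Process: System Address: 0x889c11f8 Size: 121
'''

if __name__ == "__main__":
    report = triage(*parse_rootrepeal(SAMPLE_LOG))
    for module, funcs in report["hooks_by_module"].items():
        print(f"{module}: {len(funcs)} SSDT hooks")
    print("unaccounted hookers:", sorted(report["unknown_hookers"]) or "none")
    for driver, targets in report["stealth_by_driver"].items():
        print(f"{driver}: {len(targets)} detour target(s) {targets}")
```

Run against the full log above, every SSDT and Shadow SSDT entry lands under klif.sys and each driver in the Stealth Objects section resolves to a single (address, size) pair, which is the pattern of one security product's filter driver rather than of a second, unknown hooker. The point of the check is the negative space: a module name in the unaccounted-hookers list, or a driver whose IRP handlers go to two different targets, is what would need explaining.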

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 25 September 2009 - 10:51 AM

Hi again, that looks clean :thumbsup:

DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (e.g. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Edited by elise025, 25 September 2009 - 02:59 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#5 Techscan

Techscan
  • Topic Starter

  • Members
  • 18 posts

Posted 25 September 2009 - 02:53 PM

Hi elise025,

Thanks so much for the help. I am presently working on my other computer that is networked to the infected computer and it looks like this one is now infected as well with the same virus.
Anyways, I didn't want you to give up on me because it looks like it may be a day or 2 before this scan completes. I set it according to your instructions and am running it in safe mode but it is running extremely slow.

I'll post again when it finally completes.

Thanks

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 25 September 2009 - 02:58 PM

Okay, I will wait for your reply.

Please make sure to isolate the infected computer, malware can easily spread on a network. If you suspect your other computer being infected as well, you can scan that one as well and post the results here. Make sure to mention clearly what computer you are posting the scans of.

regards, Elise




#7 Techscan

Techscan
  • Topic Starter

  • Members
  • 18 posts

Posted 26 September 2009 - 07:29 AM

Hi elise025,

Well, the program has been running for about 20 hours now and, at the speed it's running (very, very slow), judging by the task completion bar at the bottom and the number of files checked, and assuming the program doesn't slow down any more, it should finish in about 10 days or so.

It started off quickly enough but slowed to a crawl as time progressed. This has been one of the symptoms I have been dealing with. The program did, however, identify during the initial memory scan that my Hosts file was corrupted and offered to replace it, and I allowed it to do so.

I cannot afford to have my computer down for the next 10 days or so as I run my business on it. Is there something else I can try?

Thanks
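
The "corrupted Hosts file" finding in the post above is worth understanding, because a tampered hosts file is one of the commonest reasons an infected machine cannot reach security vendors or Windows Update while the rest of the network still works. The script below is an added example written for this thread, not code from the post or from Dr.Web; it parses hosts-file text and flags mappings that either block a watched security or update domain (pointed at loopback or 0.0.0.0) or hijack a name to a routable address. WATCHED_SUFFIXES is an assumed list of domains whose redirection matters most here, and SAMPLE_HOSTS is a constructed file in which the two stock Vista lines are followed by invented tampered entries using a documentation address.

```python
"""Hosts-file audit.

Added example for this thread, not from the post or from Dr.Web. Parses
hosts-file text and classifies every non-default mapping so the analyst can
see at once which security or update domains have been blocked or hijacked.
WATCHED_SUFFIXES and SAMPLE_HOSTS are constructed assumptions.
"""
import ipaddress

# Assumption: domains whose redirection matters most on an infected host.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com",
                    "malwarebytes.org", "superantispyware.com", "drweb.com",
                    "bleepingcomputer.com")

# Mappings a stock Windows Vista hosts file contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def is_watched(host):
    """True for a watched domain or any subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments, blank and
    malformed lines are skipped, and one line may map several names."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, so not a mapping
        entries.extend((parts[0], host.lower(), no) for host in parts[1:])
    return entries


def audit_hosts(text):
    """Classify each non-default mapping as BLOCKED (watched domain sent to
    loopback/unspecified), HIJACKED (watched domain sent to any other
    address) or NONLOOPBACK (unwatched name sent to a non-loopback address).
    Unwatched names sent to loopback (ad-block style lists) are not reported."""
    findings = []
    for ip, host, no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        local = addr.is_loopback or addr.is_unspecified
        if local and is_watched(host):
            findings.append(("BLOCKED", no, ip, host))
        elif not local:
            findings.append(("HIJACKED" if is_watched(host) else "NONLOOPBACK", no, ip, host))
    return findings


# Constructed sample: the two stock lines plus tampered entries of the kind
# malware adds. 192.0.2.10 is a documentation address, not a real host.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed lines below
127.0.0.1       www.kaspersky.com
127.0.0.1       update.microsoft.com   # blocks updates
192.0.2.10      www.bleepingcomputer.com
192.0.2.10      www.example.net
"""

if __name__ == "__main__":
    # On a live machine read %SystemRoot%\System32\drivers\etc\hosts instead.
    for kind, no, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {kind:<11} {ip:<15} {host}")
```

A machine that runs an ad-blocking hosts list will legitimately carry hundreds of loopback entries, which is why only watched domains are reported for loopback targets; the HIJACKED class, where a vendor or update name is sent to a routable address, is the one that should never appear on a clean system. Extend WATCHED_SUFFIXES to match whatever security tooling is in use.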

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 26 September 2009 - 08:27 AM

Okay, let's try another scan. A scan can take a couple of hours, but what you mention is a bit much :thumbsup:

SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Techscan

Posted 26 September 2009 - 10:50 AM

Hi again,

This scan seems to be working pretty well but will take some time to complete. I had a hard time getting into safe mode and had to try three times to get there.

While it is running, I checked the Dr. Cureit folder in the documents folder even though it never finished scanning. I found two files in the Quarantine folder. One was named "Hosts" and the other was named "descript.ion". The period is not a typo. There is also a cureit log file that I decided not to open yet while the other scan is running because the properties show it to be 101mb. I'm guessing that there is something seriously wrong with it being that particular size and I didn't want to try and open any file that big while the other scan is running.

Let me know if, when this scan is complete, you want me to post these articles to you along with the SUPERAntiSpyware log.

Thanks again for all your help.

#10 Techscan

Posted 26 September 2009 - 02:48 PM

Hello Elise

Here is the log from SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/26/2009 at 02:53 PM

Application Version : 4.29.1002

Core Rules Database Version : 4126
Trace Rules Database Version: 2065

Scan type : Complete Scan
Total Scan Time : 03:51:01

Memory items scanned : 341
Memory threats detected : 0
Registry items scanned : 10271
Registry threats detected : 0
File items scanned : 352032
File threats detected : 179

Adware.Tracking Cookie
.iacas.adbureau.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.doubleclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.questionmarket.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.questionmarket.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.atdmt.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.www.versiontracker.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.versiontracker.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.versiontracker.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.versiontracker.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.versiontracker.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.versiontracker.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
ads.revsci.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
ad.yieldmanager.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
ad.yieldmanager.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
ad.yieldmanager.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
ad.yieldmanager.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
ad.yieldmanager.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
ad.yieldmanager.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.zedo.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.zedo.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.zedo.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.usatoday1.112.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.mediaplex.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.apmebf.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.advertising.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.advertising.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.advertising.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.advertising.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.advertising.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
base.liveperson.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
base.liveperson.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.statcounter.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.trafficmp.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.trafficmp.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.trafficmp.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.trafficmp.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.trafficmp.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.adbrite.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.adbrite.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
statse.webtrendslive.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.adopt.specificclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.overture.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.overture.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
data.coremetrics.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tribalfusion.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.fastclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.fastclick.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
sales.liveperson.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
sales.liveperson.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.s.clickability.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.s.clickability.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.cbs.112.2o7.net [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.interclick.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.interclick.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.hitbox.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ehg-nikoninc.hitbox.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.spylog.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ehg-wachovia.hitbox.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ehg-wachovia.hitbox.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.insightexpressai.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.insightexpressai.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.insightexpressai.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.insightexpressai.com [ C:\Holder\Public\Holder\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.chitika.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.collective-media.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacas.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ads.pointroll.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ads.pointroll.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ads.pointroll.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ads.pointroll.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ads.pointroll.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ads.pointroll.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.ads.pointroll.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.247realmedia.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.247realmedia.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.at.atwola.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.at.atwola.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.eaeacom.112.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.iacsb1.adbureau.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.insightexpressai.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.insightexpressai.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.interclick.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.kaspersky.122.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.msnbc.112.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.msnportal.112.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.paypal.112.2o7.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.questionmarket.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.questionmarket.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.revsci.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificclick.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.specificmedia.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.stats.paypal.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.tacoda.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
.trafficmp.com [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
server.iad.liveperson.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
server.iad.liveperson.net [ C:\Users\Buzz\AppData\Roaming\Mozilla\Profiles\Default Userbuzz\c7oi59ur.slt\cookies.txt ]
Userbuzz\c7oi59ur.slt\cookies.txt ]

Trojan.Agent/Gen-ImageDocFake
C:\SURFCAM\VELOCITY3\SURFCAM.BMP
C:\SURFCAM\VELOCITY3\TOOLBAR.BMP


Do you want the ones from my last post?

Best Regards,

Buzz

#11 Elise

Posted 26 September 2009 - 03:05 PM

What does that Cureit log show? And how long is it?? If it shows detected items, I will have to see them (though you mentioned two already in your post).

I am a bit curious here, I have seen long logs, but for a log to reach that size.......... Can you tell me the file extension?

regards, Elise


#12 Techscan

Posted 26 September 2009 - 03:30 PM

Elise,

The log file is a .log and it is in fact the log of all the items that it had checked so far. At the bottom it showed no active threats detected. That's probably because it didn't finish, but it did find the "Host" and the "descript.ion" problems. They are both quarantined.

What would you like me to do with these files?

Buzz

#13 Elise

Posted 27 September 2009 - 01:14 AM

You can delete those 2 quarantined files.

Please do a search for hosts using the windows search option (start > search). Make sure you search all locations and under the Advanced options, check search hidden locations.

regards, Elise


#14 Techscan

Posted 27 September 2009 - 07:44 AM

I did the search and it returned 110 folders and files. I have no way to print them from Windows so I did a print screen and saved it as a .jpg but I cannot seem to paste it here.
Do you want me to type up a list of what is there?

#15 Elise

Posted 27 September 2009 - 07:48 AM

Just look if there is one in c:\windows\system32\drivers\etc

Note, it should be called hosts, not hosts.txt or hosts.bak

regards, Elise


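The check Elise asks for above (is there a file named exactly `hosts`, not `hosts.txt` or `hosts.bak`, in `system32\drivers\etc`) can be done from an elevated PowerShell prompt instead of Windows Search. The script below is an added example and is not part of the thread or any tool mentioned in it; it goes one step beyond the post by also listing the file's active entries, because a hosts file that has been given extra mappings is a common reason a scanner quarantines it and a common cause of security tools failing to update. It assumes `$env:SystemRoot` points at the real Windows directory and that a clean Vista hosts file has only the two `localhost` mappings active.

```powershell
# Added example (not from the thread): check the Windows hosts file the way the
# post describes, then list its active (non-comment) entries for the helper to review.
# Assumes a standard Windows layout where $env:SystemRoot is the Windows directory.

$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'

# 1. Show every file in the folder whose name begins with "hosts" (hosts, hosts.txt,
#    hosts.bak ...). -Force includes hidden/system files, which malware sometimes sets.
Get-ChildItem -Path $etc -Filter 'hosts*' -Force |
    Select-Object Name, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize

# 2. Windows only honours the file named exactly "hosts" (no extension).
$hostsFile = Join-Path $etc 'hosts'
if (-not (Test-Path -LiteralPath $hostsFile)) {
    Write-Host "No file named exactly 'hosts' found in $etc"
    return
}

# 3. Active entries: lines that are neither blank nor comments (#...).
$active = @(Get-Content -LiteralPath $hostsFile | Where-Object { $_ -notmatch '^\s*(#|$)' })

# 4. On Vista a clean file has only "127.0.0.1 localhost" and "::1 localhost" active.
#    Anything else maps a hostname somewhere the user did not choose and is worth
#    pasting into the reply for the helper to look at.
$unexpected = @($active | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' })

Write-Host "Active entries: $($active.Count); unexpected entries: $($unexpected.Count)"
$unexpected | ForEach-Object { Write-Host "Check: $_" }
```

Run it from an elevated prompt so the `etc` folder is readable even when its attributes have been altered; the `Attributes` column in the first table is also useful, since a hosts file that has been made hidden or read-only by something other than the user is itself a sign worth mentioning in the reply.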




