avabon browser redirect issues - further info


This topic is locked
10 replies to this topic

#1 slands

Posted 17 November 2009 - 02:47 PM

Hi,

(Informational / discussion post)

I am currently experiencing issues with FF, when browsing links on Google and clicking them it redirects to avabon links.

There is very little info about this on the net, apart from several users on this site reporting the same issue.

I have disabled FF addons (FavIcon Picker 2, Java Quick Starter, MS .NET Framework Assistant 1.1, Ovi Maps Browser Plugin, PC Sync 2 Synchronisation Extension, and XMarks) and the issue has been mostly resolved, although my homepage (Google Search - hxxp://www.google.com/webhp?complete=1&hl=en) does not display the search box. Google.co.uk and google.com display and follow links correctly.

I will try to investigate the issue further, but just wanted to register and post here as it seems to be the most frequent place people are posting about this issue. I am surprised not to find more info about this issue on the web.

I have run Malwarebytes Anti-Malware and SUPERAntiSpyware after seeing them mentioned on this site, and removed a couple of trojans, and also resolved the issue of Windows Security Centre warnings being disabled.

Not sure where I picked these trojans up as FF is never used for browsing nefarious sites. I recently was trying to watch streaming TV and had blue screen issues after opening a site which opened many popups and tried to save files etc, resulting in a repair of Windows, this is my likely suspect.

Should probably re-enable Sophos :thumbsup:

Other observations include:
browsing to avabon.com redirects to google.co.uk, but pinging them gives different IP addresses.
does not appear to happen in Chrome or IE

I hope this helps someone with the same issue, or the mods and technical guys from this site. Any input would also be appreciated

Cheers

Edited by Orange Blossom, 17 November 2009 - 06:41 PM.
Deactivate link. ~ OB



#2 slands
  • Topic Starter

Posted 17 November 2009 - 04:37 PM

Turns out it is back even with addons disabled. But only for my homepage google suggest - first browsing to google.co.uk / .com seems to work.

Cheers

#3 Orange Blossom
  • Moderator

Posted 17 November 2009 - 06:42 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom


#4 boopme
  • Global Moderator

Posted 17 November 2009 - 09:20 PM

Hello, please post your Malwarebytes and SAS logs.
MBAM
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

SAS
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (Malwarebytes) like this and post another log, thanks.

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 slands
  • Topic Starter

Posted 18 November 2009 - 09:38 AM

Initial MBAM Log: (Full Scan)
Malwarebytes' Anti-Malware 1.41
Database version: 3185
Windows 5.1.2600 Service Pack 2

17/11/2009 12:53:16
mbam-log-2009-11-17 (12-53-07).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 202747
Time elapsed: 1 hour(s), 37 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defence (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\WINDOWS\addins\addins (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\All Users\Defence\smss.exe (Trojan.Agent) -> No action taken.


Second MBAM Scan Log: (Quick Scan)

Malwarebytes' Anti-Malware 1.41
Database version: 3185
Windows 5.1.2600 Service Pack 2

17/11/2009 14:04:18
mbam-log-2009-11-17 (14-04-18).txt

Scan type: Quick Scan
Objects scanned: 120336
Time elapsed: 12 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SAS Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/17/2009 at 06:19 PM

Application Version : 4.30.1004

Core Rules Database Version : 4280
Trace Rules Database Version: 2156

Scan type : Quick Scan
Total Scan Time : 04:06:32

Memory items scanned : 516
Memory threats detected : 0
Registry items scanned : 497
Registry threats detected : 0
File items scanned : 8074
File threats detected : 1

NotHarmful.Sysinternals Bluescreen Screen Saver
E:\WORK SYNC FOLDER\SOFTWARE\SYSINTERNALS\BLUESCREEN\SYSINTERNALS BLUESCREEN.SCR






Thanks for any assistance. The redirects are only happening when using http://www.google.com/webhp?complete=1&hl=en (iGoogle / Google Suggest) for the searchpage.



Cheers!
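The logs above are in the Malwarebytes' Anti-Malware 1.x text format: a header (program and database version, OS, scan type), per-category counts, and then one line per finding of the form "object (detection name) -> action". As an added example that is not part of this thread, the Python script below parses that format and triages the findings the way a responder would read them: which items were left with "No action taken", which entries tamper with Security Center notifications, which are autostart or scheduled-task persistence, and which detected files carry the name of a core system binary but sit outside the system directories (the C:\WINDOWS\win32k.sys and ...\Defence\smss.exe lines in the first log are of that kind; the real win32k.sys lives in System32). The embedded SAMPLE_LOG is a constructed abridgement in the same format, and the SYSTEM_ONLY_NAMES set and the path markers are illustrative assumptions, not a complete list.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage its findings.

Added example for the thread above, not part of any post.  SAMPLE_LOG is a
constructed abridgement in the same format as the logs posted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3185
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 202747

Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defence (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\All Users\Defence\smss.exe (Trojan.Agent) -> No action taken.
"""

HEADER_RE = {
    "version": re.compile(r"^Malwarebytes' Anti-Malware (\S+)$"),
    "database": re.compile(r"^Database version: (\d+)$"),
    "os": re.compile(r"^Windows (\d[\d.]* .*)$"),
    "scan_type": re.compile(r"^Scan type: (.+)$"),
}
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<object> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>"
FINDING_RE = re.compile(r"^(?P<obj>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


@dataclass
class Finding:
    section: str
    obj: str        # registry path or file path
    detection: str  # e.g. Trojan.Agent
    action: str     # e.g. "No action taken." or "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return {"header": {...}, "counts": {section: n}, "findings": [Finding]}."""
    report = {"header": {}, "counts": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for key, rx in HEADER_RE.items():
            m = rx.match(line)
            if m:
                report["header"][key] = m.group(1)
        m = COUNT_RE.match(line)
        if m:  # summary block: "Files Infected: 4"
            report["counts"][m.group("section")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:  # detail block header: "Files Infected:"
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = FINDING_RE.match(line)
        if m:
            # the action is the last "->" element; Registry Data Items carry "Bad/Good" first
            action = m.group("rest").split(" -> ")[-1]
            report["findings"].append(Finding(section, m.group("obj"), m.group("detection"), action))
    return report


SECURITY_CENTER_MARK = "\\Security Center\\"
PERSISTENCE_MARKS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\", "\\Tasks\\")
# Binaries that only belong under the system directories (illustrative assumption, not complete).
SYSTEM_ONLY_NAMES = {"win32k.sys", "smss.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("\\system32\\", "\\system32\\drivers\\", "\\system32\\dllcache\\", "\\i386\\")


def triage(report):
    """Sort findings into the questions a responder asks first."""
    out = {"not_removed": [], "security_center": [], "persistence": [], "masquerading": []}
    for f in report["findings"]:
        if f.action == "No action taken.":
            out["not_removed"].append(f.obj)
        if f.detection == "Disabled.SecurityCenter" or SECURITY_CENTER_MARK in f.obj:
            out["security_center"].append(f.obj)
        if any(mark in f.obj for mark in PERSISTENCE_MARKS):
            out["persistence"].append(f.obj)
        if f.section == "Files Infected":
            low = f.obj.lower()
            parent, _, name = low.rpartition("\\")
            if name in SYSTEM_ONLY_NAMES and not any((parent + "\\").endswith(d) for d in SYSTEM_DIRS):
                out["masquerading"].append(f.obj)  # system-binary name outside the system directories
    return out
```

The "not_removed" list is the one to read first on a log like the initial full scan above, where every item says "No action taken": it means the scan was saved before Remove Selected was pressed, so the log documents what was found, not what was cleaned, and only a later clean scan shows the removal happened.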

#6 boopme
  • Global Moderator

Posted 18 November 2009 - 11:24 AM

Hi, please do 2 more things and tell me how we are.

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#7 slands
  • Topic Starter

Posted 19 November 2009 - 05:45 AM

Thanks again :thumbsup:

GooredFix
GooredFix by jpshortstuff (18.11.09.1)
Log created at 10:28 on 19/11/2009 (clisslands)
Firefox version 3.5.5 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{8CE11043-9A15-4207-A565-0C94C42D590D} [20:12 09/11/2009]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:41 17/11/2009]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [02:22 28/11/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [02:21 28/11/2008]
"maps@ovi.com"="C:\Program Files\Nokia\Ovi maps\Mozilla Firefox plugin\XPI" [00:19 03/12/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [09:45 25/02/2009]
"bkmrksync@nokia.com"="C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\" [22:34 14/05/2009]

-=E.O.F=-


MBAM
Malwarebytes' Anti-Malware 1.41
Database version: 3195
Windows 5.1.2600 Service Pack 2

19/11/2009 10:42:18
mbam-log-2009-11-19 (10-42-17).txt

Scan type: Quick Scan
Objects scanned: 120597
Time elapsed: 12 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Problem still being experienced

#8 boopme
  • Global Moderator

Posted 19 November 2009 - 02:22 PM

OK, next look for rootkits.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents (starting with Running from... and ending with Finished!) in your next reply.
Then go to Start > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.
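The DIR /a/s command in the instructions above lists every copy of scecli.dll, netlogon.dll and eventlog.dll under %windir%, whatever their attributes, so that the live copy in System32 can be compared by size and date with the backups Windows keeps (on XP, system32\dllcache and ServicePackFiles\i386): a System32 copy that differs from its backups is the one to examine. As an added example, not from the thread and not the Win32kDiag tool, the Python script below does the same enumeration reproducibly and compares the copies by SHA-256 rather than by size, reporting each name as consistent or mismatched and grouping the paths by hash so the odd copy is visible. The demo builds a constructed directory layout in a temporary folder; that layout, the file contents and the altered netlogon.dll are assumptions for illustration only.

```python
"""Enumerate and hash every copy of a set of system DLLs under a Windows directory.

Added example for the thread above; not part of any post.  build_sample_tree()
creates a constructed, illustrative layout so the demo runs offline.
"""
import hashlib
import os
import sys
import tempfile
from collections import defaultdict

# The names enumerated by the DIR /a/s command in the post; extend as needed.
TARGET_NAMES = ("scecli.dll", "netlogon.dll", "eventlog.dll")


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names=TARGET_NAMES):
    """Every copy of the named files below root, as the DIR /a/s command would list them.

    os.walk does not filter on the hidden or system attributes, so hidden copies are included.
    """
    wanted = {n.lower() for n in names}
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found.append({"name": fn.lower(), "path": p,
                              "size": os.path.getsize(p), "sha256": sha256_file(p)})
    return found


def compare_copies(copies):
    """Group the copies of each name by hash; one group means all copies agree."""
    by_name = defaultdict(list)
    for c in copies:
        by_name[c["name"]].append(c)
    verdict = {}
    for name, items in by_name.items():
        groups = defaultdict(list)
        for c in items:
            groups[c["sha256"]].append(c["path"])
        verdict[name] = {"copies": len(items), "groups": dict(groups),
                         "consistent": len(groups) == 1}
    return verdict


def build_sample_tree(root):
    """Constructed XP-like layout (assumption: not a real system, contents are dummies)."""
    good_scecli = b"MZ" + b"scecli-good" * 50
    good_netlogon = b"MZ" + b"netlogon-good" * 50
    altered_netlogon = good_netlogon + b"\x90" * 512   # constructed: the live copy was modified
    layout = {
        "system32/scecli.dll": good_scecli,
        "system32/dllcache/scecli.dll": good_scecli,
        "ServicePackFiles/i386/scecli.dll": good_scecli,
        "system32/netlogon.dll": altered_netlogon,
        "system32/dllcache/netlogon.dll": good_netlogon,
        "ServicePackFiles/i386/netlogon.dll": good_netlogon,
        "system32/eventlog.dll": b"MZ" + b"eventlog" * 50,
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)


def demo():
    """Run the comparison over the constructed tree and return the verdict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return compare_copies(find_copies(root))


if __name__ == "__main__":
    # Usage: python check_dll_copies.py [C:\WINDOWS]; with no argument the demo tree is used.
    result = compare_copies(find_copies(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for name, v in sorted(result.items()):
        print(name, "consistent" if v["consistent"] else "MISMATCH", v["copies"], "copies")
        for digest, paths in v["groups"].items():
            for p in paths:
                print("   ", digest[:16], p)
```

Agreement between copies is only a heuristic: a hotfix that updated System32 but not the backups produces a mismatch with nothing wrong, and malware that patches every copy produces none. Where it matters, compare the hash of the System32 copy against a known-good one (the original installation media, or the signature check of a tool such as Sysinternals sigcheck) rather than only against the other copies on the same disk.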

#9 slands
  • Topic Starter

Posted 24 November 2009 - 05:43 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/22 23:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAACBE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89D0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA99D3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Mozilla Firefox\settings.dat
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-31A3858E.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB944338-v2\KB944338-v2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Status: Locked to the Windows API!

Path: C:\WINDOWS\system\IOSUBSYS\IOSUBSYS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\nso6.tmp\nso6.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d1\d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d2\d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d3\d3
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d4\d4
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d5\d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d6\d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d7\d7
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d8\d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\Setup\UpdSh.bak
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\AppPatch\Custom\Custom
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\clisslands\Local Settings\Temp\fla23.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\RtSigs\Data\Data
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\vmware-temp\vmware-SYSTEM\vmware-SYSTEM
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1241770528\1241770528
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\History\Results\Results
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\News\News
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\5599132effaee562760dce29f8ca8491\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\System\System
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\SXS\SXS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinLH_IA64\WinLH_IA64
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_AMD64\WinXP_AMD64
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_i386\WinXP_i386
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_IA64\WinXP_IA64
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F5.tmp\ZAP1F5.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58.tmp\ZAP58.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP62.tmp\ZAP62.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\ZAPD9.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDD.tmp\ZAPDD.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE0.tmp\ZAPE0.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEB.tmp\ZAPEB.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\Documents and Settings\clisslands\Local Settings\Apps\2.0\Z8H6WJCP.VN6\4MWZRJV9.N25\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\clisslands\Local Settings\Apps\2.0\Z8H6WJCP.VN6\4MWZRJV9.N25\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\CommonAppData\Sophos\Sophos Anti-Virus\Config\Config
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaadc30b0

Shadow SSDT
-------------------
#: 000 Function Name: NtGdiAbortDoc
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf93707d

#: 001 Function Name: NtGdiAbortPath
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf948616

#: 002 Function Name: NtGdiAddFontResourceW
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf890b86

#: 003 Function Name: NtGdiAddRemoteFontToDC
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9401ba

#: 004 Function Name: NtGdiAddFontMemResourceEx
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf949c38

#: 005 Function Name: NtGdiRemoveMergeFont
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf937311

#: 006 Function Name: NtGdiAddRemoteMMInstanceToDC
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9373b6

#: 007 Function Name: NtGdiAlphaBlend
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8369d9

#: 008 Function Name: NtGdiAngleArc
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf949554

#: 009 Function Name: NtGdiAnyLinkedFonts
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf935482

#: 010 Function Name: NtGdiFontIsLinked
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf949b4c

#: 011 Function Name: NtGdiArcInternal
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf90fc72

#: 012 Function Name: NtGdiBeginPath
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf90229c

#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf809ace

#: 014 Function Name: NtGdiCancelDC
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf949a1e

#: 015 Function Name: NtGdiCheckBitmapBits
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94b225

#: 016 Function Name: NtGdiCloseFigure
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf900b99

#: 017 Function Name: NtGdiClearBitmapAttributes
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf897c5c

#: 018 Function Name: NtGdiClearBrushAttributes
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf949afc

#: 019 Function Name: NtGdiColorCorrectPalette
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94b358

#: 020 Function Name: NtGdiCombineRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf81c9b3

#: 021 Function Name: NtGdiCombineTransform
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8dcc33

#: 022 Function Name: NtGdiComputeXformCoefficients
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf87e405

#: 023 Function Name: NtGdiConsoleTextOut
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf863bbf

#: 024 Function Name: NtGdiConvertMetafileRect
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf910ead

#: 025 Function Name: NtGdiCreateBitmap
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80e44d

#: 026 Function Name: NtGdiCreateClientObj
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8dc8db

#: 027 Function Name: NtGdiCreateColorSpace
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94b01d

#: 028 Function Name: NtGdiCreateColorTransform
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94bf28

#: 029 Function Name: NtGdiCreateCompatibleBitmap
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80fcbc

#: 030 Function Name: NtGdiCreateCompatibleDC
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80ca2a

#: 031 Function Name: NtGdiCreateDIBBrush
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8d18ec

#: 032 Function Name: NtGdiCreateDIBitmapInternal
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf834500

#: 033 Function Name: NtGdiCreateDIBSection
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf82a0da

#: 034 Function Name: NtGdiCreateEllipticRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf939931

#: 035 Function Name: NtGdiCreateHalftonePalette
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf878e3a

#: 036 Function Name: NtGdiCreateHatchBrushInternal
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94cfb4

#: 037 Function Name: NtGdiCreateMetafileDC
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8e8aa7

#: 038 Function Name: NtGdiCreatePaletteInternal
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf87d018

#: 039 Function Name: NtGdiCreatePatternBrushInternal
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf86df36

#: 040 Function Name: NtGdiCreatePen
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf86ad27

#: 041 Function Name: NtGdiCreateRectRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf83c0a9

#: 042 Function Name: NtGdiCreateRoundRectRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8877d2

#: 043 Function Name: NtGdiCreateServerMetaFile
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf910db2

#: 044 Function Name: NtGdiCreateSolidBrush
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf81a0cf

#: 045 Function Name: NtGdiD3dContextCreate
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934aa2

#: 046 Function Name: NtGdiD3dContextDestroy
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934ab5

#: 047 Function Name: NtGdiD3dContextDestroyAll
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934ac8

#: 048 Function Name: NtGdiD3dValidateTextureStageState
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934adb

#: 049 Function Name: NtGdiD3dDrawPrimitives2
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934aee

#: 050 Function Name: NtGdiDdGetDriverState
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b01

#: 051 Function Name: NtGdiDdAddAttachedSurface
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934977

#: 052 Function Name: NtGdiDdAlphaBlt
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934bc1

#: 053 Function Name: NtGdiDdAttachSurface
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907a8c

#: 054 Function Name: NtGdiDdBeginMoCompFrame
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b6c

#: 055 Function Name: NtGdiDdBlt
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907a9f

#: 056 Function Name: NtGdiDdCanCreateSurface
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907879

#: 057 Function Name: NtGdiDdCanCreateD3DBuffer
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934a79

#: 058 Function Name: NtGdiDdColorControl
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf93498a

#: 059 Function Name: NtGdiDdCreateDirectDrawObject
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8f7115

#: 060 Function Name: NtGdiDdCreateSurface
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8f7128

#: 061 Function Name: NtGdiDdCreateD3DBuffer
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934a63

#: 062 Function Name: NtGdiDdCreateMoComp
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9078b8

#: 063 Function Name: NtGdiDdCreateSurfaceObject
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907ee3

#: 064 Function Name: NtGdiDdDeleteDirectDrawObject
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8f7371

#: 065 Function Name: NtGdiDdDeleteSurfaceObject
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907a60

#: 066 Function Name: NtGdiDdDestroyMoComp
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf90788c

#: 067 Function Name: NtGdiDdDestroySurface
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8f735b

#: 068 Function Name: NtGdiDdDestroyD3DBuffer
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934a8c

#: 069 Function Name: NtGdiDdEndMoCompFrame
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b7f

#: 070 Function Name: NtGdiDdFlip
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907f89

#: 071 Function Name: NtGdiDdFlipToGDISurface
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf908694

#: 072 Function Name: NtGdiDdGetAvailDriverMemory
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907a76

#: 073 Function Name: NtGdiDdGetBltStatus
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf93499d

#: 074 Function Name: NtGdiDdGetDC
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9077e4

#: 075 Function Name: NtGdiDdGetDriverInfo
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907823

#: 076 Function Name: NtGdiDdGetDxHandle
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934a0b

#: 077 Function Name: NtGdiDdGetFlipStatus
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9349b3

#: 078 Function Name: NtGdiDdGetInternalMoCompInfo
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b56

#: 079 Function Name: NtGdiDdGetMoCompBuffInfo
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b40

#: 080 Function Name: NtGdiDdGetMoCompGuids
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9078a2

#: 081 Function Name: NtGdiDdGetMoCompFormats
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b2a

#: 082 Function Name: NtGdiDdGetScanLine
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf90879a

#: 083 Function Name: NtGdiDdLock
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8e684a

#: 084 Function Name: NtGdiDdLockD3D
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934a37

#: 085 Function Name: NtGdiDdQueryDirectDrawObject
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8f70b4

#: 086 Function Name: NtGdiDdQueryMoCompStatus
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934bab

#: 087 Function Name: NtGdiDdReenableDirectDrawObject
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8f70ef

#: 088 Function Name: NtGdiDdReleaseDC
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907958

#: 089 Function Name: NtGdiDdRenderMoComp
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b95

#: 090 Function Name: NtGdiDdResetVisrgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8e6690

#: 091 Function Name: NtGdiDdSetColorKey
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907f9f

#: 092 Function Name: NtGdiDdSetExclusiveMode
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9349c9

#: 093 Function Name: NtGdiDdSetGammaRamp
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934a21

#: 094 Function Name: NtGdiDdCreateSurfaceEx
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934b14

#: 095 Function Name: NtGdiDdSetOverlayPosition
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9349df

#: 096 Function Name: NtGdiDdUnattachSurface
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907b2c

#: 097 Function Name: NtGdiDdUnlock
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8e6640

#: 098 Function Name: NtGdiDdUnlockD3D
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934a4d

#: 099 Function Name: NtGdiDdUpdateOverlay
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf907f73

#: 100 Function Name: NtGdiDdWaitForVerticalBlank
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9349f5

#: 101 Function Name: NtGdiDvpCanCreateVideoPort
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934bd4

#: 102 Function Name: NtGdiDvpColorControl
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934bea

#: 103 Function Name: NtGdiDvpCreateVideoPort
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c00

#: 104 Function Name: NtGdiDvpDestroyVideoPort
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c16

#: 105 Function Name: NtGdiDvpFlipVideoPort
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c2c

#: 106 Function Name: NtGdiDvpGetVideoPortBandwidth
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c42

#: 107 Function Name: NtGdiDvpGetVideoPortField
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c58

#: 108 Function Name: NtGdiDvpGetVideoPortFlipStatus
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c6e

#: 109 Function Name: NtGdiDvpGetVideoPortInputFormats
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c84

#: 110 Function Name: NtGdiDvpGetVideoPortLine
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934c9a

#: 111 Function Name: NtGdiDvpGetVideoPortOutputFormats
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934cb0

#: 112 Function Name: NtGdiDvpGetVideoPortConnectInfo
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934cc6

#: 113 Function Name: NtGdiDvpGetVideoSignalStatus
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934cdc

#: 114 Function Name: NtGdiDvpUpdateVideoPort
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934cf2

#: 115 Function Name: NtGdiDvpWaitForVideoPortSync
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934d08

#: 116 Function Name: NtGdiDvpAcquireNotification
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934d1e

#: 117 Function Name: NtGdiDvpReleaseNotification
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934d34

#: 118 Function Name: NtGdiDxgGenericThunk
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf934964

#: 119 Function Name: NtGdiDeleteClientObj
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8dc9fd

#: 120 Function Name: NtGdiDeleteColorSpace
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94b010

#: 121 Function Name: NtGdiDeleteColorTransform
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94c1e4

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80fb49

#: 123 Function Name: NtGdiDescribePixelFormat
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94a70e

#: 124 Function Name: NtGdiGetPerBandInfo
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8fb1f7

#: 125 Function Name: NtGdiDoBanding
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8fdf31

#: 126 Function Name: NtGdiDoPalette
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf83f08f

#: 127 Function Name: NtGdiDrawEscape
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94959e

#: 128 Function Name: NtGdiEllipse
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8d4403

#: 129 Function Name: NtGdiEnableEudc
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf896128

#: 130 Function Name: NtGdiEndDoc
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8fd8ad

#: 131 Function Name: NtGdiEndPage
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8fae83

#: 132 Function Name: NtGdiEndPath
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf90233c

#: 133 Function Name: NtGdiEnumFontChunk
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf88234e

#: 134 Function Name: NtGdiEnumFontClose
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8822cd

#: 135 Function Name: NtGdiEnumFontOpen
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf88195c

#: 136 Function Name: NtGdiEnumObjects
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8d1bf4

#: 137 Function Name: NtGdiEqualRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf939a2c

#: 138 Function Name: NtGdiEudcLoadUnloadLink
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9507bf

#: 139 Function Name: NtGdiExcludeClipRect
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf836258

#: 140 Function Name: NtGdiExtCreatePen
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8c9fad

#: 141 Function Name: NtGdiExtCreateRegion
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf83c3f0

#: 142 Function Name: NtGdiExtEscape
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf885b63

#: 143 Function Name: NtGdiExtFloodFill
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9515dd

#: 144 Function Name: NtGdiExtGetObjectW
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8242dc

#: 145 Function Name: NtGdiExtSelectClipRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80f30d

#: 146 Function Name: NtGdiExtTextOutW
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf82b821

#: 147 Function Name: NtGdiFillPath
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94873b

#: 148 Function Name: NtGdiFillRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8b95ee

#: 149 Function Name: NtGdiFlattenPath
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9486a0

#: 150 Function Name: NtGdiFlushUserBatch
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80c50d

#: 151 Function Name: NtGdiFlush
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80a3d1

#: 152 Function Name: NtGdiForceUFIMapping
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94a5ee

#: 153 Function Name: NtGdiFrameRgn
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf887a44

#: 154 Function Name: NtGdiFullscreenControl
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf93c709

#: 155 Function Name: NtGdiGetAndSetDCDword
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8c927e

#: 156 Function Name: NtGdiGetAppClipBox
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf816b24

#: 157 Function Name: NtGdiGetBitmapBits
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8b9ae1

#: 158 Function Name: NtGdiGetBitmapDimension
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf94a510

#: 159 Function Name: NtGdiGetBoundsRect
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8bee42

#: 160 Function Name: NtGdiGetCharABCWidthsW
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8ed84a

#: 161 Function Name: NtGdiGetCharacterPlacementW
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf948ca9

#: 162 Function Name: NtGdiGetCharSet
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf80f8d9

#: 163 Function Name: NtGdiGetCharWidthW
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8e3599

#: 164 Function Name: NtGdiGetCharWidthInfo
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf87dad6

#: 165 Function Name: NtGdiGetColorAdjustment
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf9498c0

#: 166 Function Name: NtGdiGetColorSpaceforBitmap
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf951e92

#: 167 Function Name: NtGdiGetDCDword
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf8245a9

#: 168 Function Name: NtGdiGetDCforBitmap
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf82e72f

#: 169 Function Name: NtGdiGetDCObject
Status: Hooked by "C:\WINDOWS\System32\win32k.sys" at address 0xbf824436

#: 170 Function Name: NtGdiGetDCPoint
Status: Hooked by "C:\WINDOWS==EOF==



-------------------------------------
Win32kDiag

Running from: E:\Web Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\clisslands\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB944338-v2\KB944338-v2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F5.tmp\ZAP1F5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58.tmp\ZAP58.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP62.tmp\ZAP62.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\ZAPD9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDD.tmp\ZAPDD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE0.tmp\ZAPE0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEB.tmp\ZAPEB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5599132effaee562760dce29f8ca8491\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system\IOSUBSYS\IOSUBSYS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\nso6.tmp\nso6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\CommonAppData\Sophos\Sophos Anti-Virus\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\SXS\SXS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\System\System

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinLH_IA64\WinLH_IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_AMD64\WinXP_AMD64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_i386\WinXP_i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_IA64\WinXP_IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1241770528\1241770528

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\vmware-temp\vmware-SYSTEM\vmware-SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!



--------------------------------------
CMD Output:
Volume in drive C has no label.
Volume Serial Number is 9464-E57A

Directory of C:\WINDOWS\$hf_mig$\KB968389\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\$hf_mig$\KB975467\SP2QFE

06/02/2009 18:46 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 00:56 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 00:56 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 00:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 00:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 00:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 00:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

14/04/2008 00:12 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

14/04/2008 00:12 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

14/04/2008 00:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 00:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 00:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 00:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32\dllcache

14/04/2008 00:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

14/04/2008 00:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

14/04/2008 00:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
17 File(s) 4,037,632 bytes
0 Dir(s) 667,471,872 bytes free








Cheers!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:47 AM

Posted 24 November 2009 - 11:37 AM

I see there is a serious rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection; the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

Next, please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.

Let me know how that went.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,112 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:47 AM

Posted 24 November 2009 - 08:21 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/273758/rootkit-variant-found/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks or perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.





