
Redirect Trojan---getting progressively worse


  • This topic is locked
15 replies to this topic

#1 nicnite
  • Members
  • 9 posts

Posted 27 November 2009 - 06:12 PM

Dear friends,

The other day I stupidly clicked on this link which purported to show a video of the LHC startup (how much of a nerd does THAT make me?):

Link removed

I was prompted for a Flash update which I stupidly assented to all the while thinking, "something's not quite right."

Soon after I noticed that google search result links in Firefox were being redirected to various commercial sites. I switched to Chrome, which didn't have a problem at first but soon developed the same problem. If I requested that the link open in a new tab there was initially no redirect, but now it opens multiple empty tabs as well as the link and sometimes crashes Chrome.

I was running AVG internet security (the pay version) at the time of the initial infection. Adaware, Malwarebytes etc. failed to find anything. I now have Kaspersky internet security installed and it has found nothing on the scan.

My Hijack This log is below and also attached. Any help will be greatly appreciated.

Nick

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:31 PM, on 11/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tsnp2std.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7413 bytes

Attached Files


Edited by garmanma, 27 November 2009 - 06:36 PM.


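As an added example (not code from this thread, from BleepingComputer or from the HijackThis authors), a small Python triage script over the HijackThis v2 log format posted above. It parses the numbered R/O entries and picks out the ones a log analyst checks first: entries whose target file is gone, services with no vendor string, and Winlogon Notify hooks. The sample lines are constructed from the log in post #1; the script needs only the standard library.

```python
"""Triage helper for HijackThis v2.0.x logs (added example, not an official tool).

HijackThis prints one registry/startup location per line, prefixed with a
section code such as R3, O4, O20 or O23. This script keeps the lines that an
analyst would look at first rather than deciding what is malicious: an
orphaned entry or an unknown-owner service is a lead to verify, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log format in post #1.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Markers HijackThis itself prints when the referenced file cannot be found.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str  # e.g. "O23"
    body: str     # everything after "O23 - "


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Return every numbered entry line; header and process-list lines are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag entries worth a second look. One entry can produce several findings."""
    findings: list[Finding] = []
    for e in entries:
        # Leftovers of uninstalled software are harmless clutter, but an entry
        # that points nowhere is also what a half-removed infection looks like.
        if any(marker in e.body for marker in ORPHAN_MARKERS):
            findings.append(Finding(e, "orphaned entry: registry points at a file that no longer exists"))
        # O23 lines carry the service's vendor string; "Unknown owner" means none.
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e, "service with no vendor string; verify the binary"))
        # O20 Winlogon Notify DLLs load into winlogon.exe before any user session,
        # a favourite persistence spot, so every O20 line gets reviewed.
        if e.section == "O20":
            findings.append(Finding(e, "Winlogon Notify hook: DLL loaded into winlogon.exe"))
    return findings


def platform_is_xp_sp2(text: str) -> bool:
    """True when the header shows XP SP2; SP3 (released April 2008) was current for this log."""
    return re.search(r"^Platform: Windows XP SP2\b", text, re.M) is not None


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    if platform_is_xp_sp2(SAMPLE_LOG):
        print("note: Windows XP SP2 reported; SP3 has been available since 2008")
    for f in triage(entries):
        print(f"[{f.entry.section}] {f.reason}\n    {f.entry.body}")
```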

#2 nicnite
  • Topic Starter
  • Members
  • 9 posts

Posted 29 November 2009 - 11:08 PM

Have since been working on this a lot, following various advice. In case something's changed I've attached a new combofix log and SD report. Thanks for any help. The redirects continue to happen on almost all google links.

Nick

Attached Files



#3 sempai
  • Malware Response Team
  • 5,288 posts

Posted 05 December 2009 - 07:22 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 nicnite
  • Topic Starter
  • Members
  • 9 posts

Posted 10 December 2009 - 02:17 AM

Dear Sempai,

I apologize for my slow reply. My computer's current symptoms are as follows:

1) Most google search links in Explorer, Firefox and Chrome get redirected to a variety of commercial sites or cause browser to crash.

2) If I select "open in new tab" or "open in new window" some links will open normally, others will cause chrome or firefox to crash.

3) Chrome and Firefox will sometimes open multiple empty tabs or will attempt to open webpages that don't exist or won't open.

4) Some other functions on computer seem to hang where they didn't before infection.

Thanks very much for your help!

Nick

DDS log as follows:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Just Nick at 1:06:36.57 on Thu 12/10/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1276 [GMT -6:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tsnp2std.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Elantech\ktp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\winhlp32.exe
C:\Documents and Settings\Just Nick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Just Nick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Just Nick\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [tsnp2std] c:\windows\system32\tsnp2std.exe
mRun: [KTPWare] c:\program files\elantech\ktp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-11-29 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-11-29 59664]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-25 315408]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2009-11-25 18816]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 echo1394;Onyx 400F service;c:\windows\system32\drivers\echo1394.sys [2007-5-16 59264]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-11-29 33552]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys --> c:\windows\system32\drivers\avgfwdx.sys [?]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\drivers\KORGUMDS.SYS [2005-12-19 21720]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8c.tmp --> c:\windows\system32\8C.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-01 07:50:46 32 ----a-w- c:\windows\system32\msvcsv60.dll
2009-11-30 06:58:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 06:58:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 06:58:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 05:51:21 0 d-----w- C:\thcbytes
2009-11-30 03:34:22 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-11-30 03:34:22 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-11-30 03:34:22 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-11-30 03:34:20 0 d-----w- c:\program files\ThreatFire
2009-11-30 03:34:20 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-30 02:35:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-30 02:11:26 0 d-sha-r- C:\cmdcons
2009-11-30 02:09:35 98816 ----a-w- c:\windows\sed.exe
2009-11-30 01:41:46 0 d-----w- c:\windows\ERUNT
2009-11-29 22:01:55 0 d-----w- C:\SDFix
2009-11-29 03:56:27 125929 ----a-w- c:\documents and settings\just nick\AdobeFnt10.lst
2009-11-26 22:59:05 0 d-----w- c:\program files\Trend Micro
2009-11-26 19:26:04 0 d-----w- c:\program files\Defraggler
2009-11-25 22:42:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-25 20:54:23 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-25 20:54:23 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-25 20:53:10 0 d-----w- c:\program files\Kaspersky Lab
2009-11-25 20:53:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-11-25 20:36:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-25 20:00:50 0 d-----w- C:\AVGTemp
2009-11-25 07:52:41 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-11-24 00:00:45 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-24 00:00:38 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 00:00:37 0 d-----w- c:\docume~1\justni~1\applic~1\SUPERAntiSpyware.com
2009-11-23 23:31:58 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 23:31:58 260608 ----a-w- c:\windows\PEV.exe
2009-11-23 23:31:58 161792 ----a-w- c:\windows\SWREG.exe
2009-11-23 22:13:39 0 d-----w- C:\stdtsa
2009-11-23 20:58:46 0 d-----w- c:\program files\Sophos
2009-11-22 18:01:29 0 d-----w- c:\program files\Paint.NET
2009-11-22 17:47:55 0 d-----w- c:\windows\system32\XPSViewer
2009-11-22 17:46:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-22 17:46:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-22 17:46:31 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-22 17:46:31 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-22 17:46:31 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-22 17:46:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-22 17:46:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-22 17:41:53 0 d-----w- c:\program files\MSXML 6.0
2009-11-22 17:40:06 0 d-----r- C:\AHCache
2009-11-22 17:29:04 0 d-----w- c:\program files\Pixia
2009-11-20 21:39:12 36 ----a-w- c:\windows\system32\??
2009-11-17 19:48:39 0 d-----w- c:\program files\TC Electronic

==================== Find3M ====================

2009-10-21 02:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 03:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-09-26 16:45:03 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2009-09-26 16:45:00 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2009-09-26 16:44:57 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-09-21 17:04:53 38660 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 1:09:03.98 ===============

#5 m0le
  • Malware Response Team
  • 34,527 posts

Posted 10 December 2009 - 07:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Let's see if we can find the culprit by running a couple of rootkit scans

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Then

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks
m0le is a proud member of UNITE

#6 nicnite
  • Topic Starter
  • Members
  • 9 posts

Posted 12 December 2009 - 06:22 PM

Dear M0le,

Thank you in advance for your help. I think it's very cool you and the others on this forum do this kind of work.

Since my last post, Kaspersky Internet Security identified and disinfected rootkit.win32.tdss.y. This appears to have stopped the search link redirects. I'm not sure if I'm in the clear yet or not and will follow any of your recommendations.

Also, as of tomorrow morning I have to travel away from the problem computer for two weeks. I will be checking email from another computer. I apologize for this and will follow whatever recommendation you make regarding reposting/followup.

Below I've pasted the two requested reports.

Running from: C:\Documents and Settings\Just Nick\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Just Nick\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/12 16:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA806C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA73E7000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\just nick\local settings\temp\etilqs_ceq1w90amstytfzqxfgk
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\just nick\local settings\temp\etilqs_ilcn2q9t4smfb3dlazhq
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: d:\mbam-setup.exe
Status: Size mismatch (API: 4045528, Raw: 1006554516721351384)

Path: D:\Do˂uments
Status: Invisible to the Windows API!

Path: D:\stԿ20sasfx.exe
Status: Invisible to the Windows API!

Path: D:\WiԿ32kDiag.exe
Status: Invisible to the Windows API!

Path: D:\Documents
Status: Visible to the Windows API, but not on disk.

Path: D:\std20sasfx.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\Win32kDiag.exe
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\cimg0113.jpg
Status: Size mismatch (API: 150401, Raw: 219831956811172737)

Path: D:\My Pictures\CI̍G0122.JPG
Status: Invisible to the Windows API!

Path: D:\My Pictures\H2O Soul Flyer 10_26_07.jp̯
Status: Invisible to the Windows API!

Path: D:\My Pictures\Picture 005.jpǡ
Status: Invisible to the Windows API!

Path: d:\my pictures\picture 010.jpg
Status: Allocation size mismatch (API: 720896, Raw: 135389463798546432)

Path: D:\My Pictures\stȮ lukes 7th grade.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\ThȮmbs.db
Status: Invisible to the Windows API!

Path: d:\my pictures\with triz.jpg
Status: Size mismatch (API: 4239, Raw: 157063037004550287)

Path: d:\my pictures\cimg0138.jpg
Status: Allocation size mismatch (API: 2916352, Raw: 36591746975301632)

Path: d:\my pictures\cimg0156.jpg
Status: Allocation size mismatch (API: 1900544, Raw: 161285161657106432)

Path: D:\My Pictures\for site 0Ƚ3.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk
Status: Invisible to the Windows API!

Path: D:\My Pictures\CIMG0122.JPG
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\for site 003.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\H2O Soul Flyer 10_26_07.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Nick
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Picture 005.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\st. lukes 7th grade.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: \\?\D:\Do˂uments\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\Do˂uments\TAJ
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\15 - Multiԟ
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\15 - Multis
Status: Visible to the Windows API, but not on disk.

Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{1D1BDE28-ED91-46B0-8CA7-398282769602}
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Acid60Content\StƏndard Collection
Status: Invisible to the Windows API!

Path: D:\Loops\Acid60Content\Standard Collection
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Free_Loops_Special_2009\Prime Voops - Future House Drum Loops
Status: Invisible to the Windows API!

Path: D:\Loops\Free_Loops_Special_2009\Prime Loops - Vee Coombs Tech Funk Vol 2
Status: Invisible to the Windows API!

Path: D:\Loops\Free_Loops_Special_2009\Prime Loops - Future House Drum Loops
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Free_Loops_Special_2009\Prime Loops - Lee Coombs Tech Funk Vol 2
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Rhythm Station - WAV\Rimgroĺve 090
Status: Invisible to the Windows API!

Path: D:\Loops\Rhythm Station - WAV\Hoľ 113.9
Status: Invisible to the Windows API!

Path: D:\Loops\Rhythm Station - WAV\Hop 113.9
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Rhythm Station - WAV\Rimgroove 090
Status: Visible to the Windows API, but not on disk.

Path: D:\Loops\Smokers Delight\A99_Snare_Loops_Only_Rex2
Status: Size mismatch (API: 0, Raw: 105553116266496000)

Path: D:\Loops\Smokers Delight\A85_JaǥzGtr_Chords
Status: Invisible to the Windows API!

Path: D:\Loops\Smokers Delight\A85_JazzGtr_Chords
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\ca kids\inventory 024.jpg
Status: Size mismatch (API: 633866, Raw: 55732045389343754)

Path: D:\My Pictures\Cat and Mouse Convention\4118549751_e6765387d4_o.jp
Status: Invisible to the Windows API!

Path: D:\My Pictures\Cat and Mouse Convention\4118549751_e6765387d4_o.jpg
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\girl activity\p1010518.jpg
Status: Allocation size mismatch (API: 131072, Raw: 68398419340820480)

Path: d:\my pictures\inventory\cimg0466.jpg
Status: Allocation size mismatch (API: 3047424, Raw: 97390341944934400)

Path: D:\My Pictures\Inventory\inentory 007.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Inventory\Roe NT5 030.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Inventory\inventory 007.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Inventory\Rode NT5 030.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Italy\Rome SummeƄ '09
Status: Invisible to the Windows API!

Path: D:\My Pictures\Italy\ThƄmbs.db
Status: Invisible to the Windows API!

Path: D:\My Pictures\Italy\Rome Summer '09
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Italy\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\jack shiels vietnam pics\image107.jpg
Status: Size mismatch (API: 8234778, Raw: 9570149216397082)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Im"ge116.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image125.j"g
Status: Invisible to the Windows API!

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image41.jp!
Status: Invisible to the Windows API!

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image4!.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image251.jpg
Status: Size mismatch (API: 7584773, Raw: 8444249308904453)

Path: d:\my pictures\jack shiels vietnam pics\image234.jpg
Status: Size mismatch (API: 7548285, Raw: 7881299355446653)

Path: d:\my pictures\jack shiels vietnam pics\image156.jpg
Status: Allocation size mismatch (API: 8912896, Raw: 8444249310232576)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Im&ge192.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image138.jpg
Status: Allocation size mismatch (API: 9469952, Raw: 8162774334078976)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image76.jp
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image217.jpg
Status: Allocation size mismatch (API: 7962624, Raw: 7881299355860992)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Imge225.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\jack shiels vietnam pics\image2.jpg
Status: Allocation size mismatch (API: 7503872, Raw: 8162774332112896)

Path: d:\my pictures\jack shiels vietnam pics\image183.jpg
Status: Allocation size mismatch (API: 8519680, Raw: 7881299356418048)

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image116.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image125.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image192.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image225.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image41.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image46.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Jack Shiels Vietnam pics\Image76.jpg
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\judo\img_0963.jpg
Status: Size mismatch (API: 226982, Raw: 110901140824225446)

Path: D:\My Pictures\Judo\Tokon Classic 2009
Status: Invisible to the Windows API!

Path: D:\My Pictures\Judo\Tohkon Classic 2009
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\kat victoria band\kat6.jpg
Status: Size mismatch (API: 175699, Raw: 16325548649393747)

Path: d:\my pictures\kat victoria band\singer 2b.jpg
Status: Allocation size mismatch (API: 196608, Raw: 16325548649414656)

Path: D:\My Pictures\Pictures\Frm marco 4.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Pictures\From marco 4.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Soul People\WiǍh Estelle and Vaughn
Status: Invisible to the Windows API!

Path: D:\My Pictures\Soul People\with Julie DexǍer
Status: Invisible to the Windows API!

Path: d:\my pictures\soul people\p1010034.jpg
Status: Size mismatch (API: 654995, Raw: 117938015242419859)

Path: D:\My Pictures\Soul People\With Estelle and Vaughn
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Soul People\with Julie Dexter
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\The Chess Club\CIMG0472.JFG
Status: Invisible to the Windows API!

Path: d:\my pictures\the chess club\cimg0486.jpg
Status: Size mismatch (API: 5088419, Raw: 19703248374834339)

Path: d:\my pictures\the chess club\cimg0497.jpg
Status: Allocation size mismatch (API: 4390912, Raw: 18014398513872896)

Path: D:\My Pictures\The Chess Club\Thumbs@db
Status: Invisible to the Windows API!

Path: D:\My Pictures\The Chess Club\CIMG0472.JPG
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\The Chess Club\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Triz Sessions\n48348171895_1730654_81727^3.jpg
Status: Invisible to the Windows API!

Path: d:\my pictures\triz sessions\p3180514.jpg
Status: Size mismatch (API: 466357, Raw: 26458647811268021)

Path: D:\My Pictures\Triz Sessions\n48348171895_1730654_8172713.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Live with Obi\Bloom1.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Live with Obi\Thmbs.db
Status: Invisible to the Windows API!

Path: D:\My Pictures\Live with Obi\Bloom10.jpg
Status: Visible to the Windows API, but not on disk.

Path: D:\My Pictures\Live with Obi\Thumbs.db
Status: Visible to the Windows API, but not on disk.

Path: \\?\D:\My Pictures\NiŒk\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\My Pictures\NiŒk\128280655-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128280681-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128280716-M.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128280716-O.jp
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128281285-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128281820-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128281849-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128283229-M.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128283229-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\128284059-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\133322667-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\133323067-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\224299438-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\224299964-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\224301562-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\224301848-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\224302154-M.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\224302380-O.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\CIMG0465.JPG
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\Jaffe Headshot.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\nick onstage original compessed.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\Nick with guitar.JPG
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\nickbylaura.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\nickinasuit.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\nickindiningroom.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\nickonstage.jpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\NiŒk\Thumbs.db
Status: Invisible to the Windows API!

Path: D:\My Pictures\Otchek\Range of Woodchuckjpg
Status: Invisible to the Windows API!

Path: D:\My Pictures\Otchek\Range of Woodchuck.jpg
Status: Visible to the Windows API, but not on disk.

Path: d:\my pictures\pa xmas 08\3145529263_91d30f8158_o.jpg
Status: Allocation size mismatch (API: 360448, Raw: 35747322042613760)

Path: \\?\D:\Do˂uments\TAJ\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\Do˂uments\TAJ\Conferences
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Items letter.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\4(1)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\4(2)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\4(3)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\4(4)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\5(1)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\5(2)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\5(3)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\5(4)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\6(1)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\6(2)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\6(3)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\6(4)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\7(1)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\7(2)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\7(3)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\7(4)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\8(1)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\8(2)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\8(3)
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\AFTA
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\AFTA Natl. initiative
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Archive
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Articles
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Artist Corps
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\ATA
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Book
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Bulk Ordering info.eml
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Bulk Sales TrackerϚxls
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Clippings
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Columbia
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Pre Hire
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Promotion
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Publishers
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Redesign
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Sections
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Strategy
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Submission Tracker.xls
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Supporters of TAJ
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\T&F
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ Address.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ letterhead.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ logo.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ Masthead Changes Effective issŞe 6(3).docx
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ Mission Statement.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ Order link.eml
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ Proof Checklist.docx
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ SmŞll Logo.png
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TAJ Sub Received Log .doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\TARP
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Teaching Artist Journal Submission guidelines.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Thumbs.db
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Use of TAJ for PD
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\VLA
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\vol 6 color
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Web
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\workingcorners_coverpage
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Yahoo Group
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~$ems ļetter.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~$sterLog.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~WRL0001.tmp
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~WRL0002.tmp
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~WRL0003.tmp
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~WRL0004.tmp
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~WRL0005.tmp
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\~WRL0006.tļp
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\MasterLog.doc
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\New Microsoft ffice Word Document (2).docx
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Office of Academic Research
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Operations
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Penland NC
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Permissions
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Perpich
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Personnel
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Possible bulk sales contacts from NR
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Contract
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Design
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Donors
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\EB correspondence
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\EB Files
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Erlbaum
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Expenses
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Google Group
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Graham
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\HTAJ 2009 Bind-In Cardńcopy.pdf
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\HTAJ--Gratis.xls
Status: Invisible to the Windows API!

Path: D:\Do˂uments\TAJ\Internet.lnk
Status: Invisible to the Windows API!

Path: \\?\D:\Do˂uments\Teaching\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\Do˂uments\Teaching\Masters Program
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Alternatives
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Australia
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\CAPE
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Chicago Reader Classifieds Jobs Social Services P-T Computer Clubhouse Assistant.htm
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Chicago Reader Classifieds Jobs Social Services ͈P-T Computer Clubhouse Assistant_files
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Cornerstone
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\CTC
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Curriculum Docs
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Deaf Students
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Digital Music Article
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Dolezal
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Kinzie
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Ma͈gy Stover
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Maud
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\MIENC
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Mississippi
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\NKO
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\notes for an FDP'er on student studios
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Street Levʃl Docs
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Tape Op
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\THE BOOK
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\UNC Conference
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Urban Gateways
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\Waters Students
Status: Invisible to the Windows API!

Path: D:\Do˂uments\Teaching\YMCA
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\22 Trombone ensembȶe
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\27ȶPercussion
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\13 Clarinet & BassţClarinet
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\13 Clarinet & Bass Clarinet
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\22 Trombone ensemble
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\01 - VSL Kontakt Orchestra\27 Percussion
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\02 - KSP Instruments\06 - Harmonizer
Status: Size mismatch (API: 0, Raw: 146366987889541120)

Path: D:\Kontakt 2 Library\04 - Electric Pianos\MK2 - Double Detune.nki
Status: Invisible to the Windows API!

Path: d:\kontakt 2 library\04 - electric pianos\mk 2 - honky tonk.nki
Status: Allocation size mismatch (API: 32768, Raw: 58828270132559872)

Path: D:\Kontakt 2 Library\04 - Electric Pianos\Stage E-Piano Cloud.nk
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\04 - Electric Pianos\MK 2 - Double Detune.nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\04 - Electric Pianos\Stage E-Piano Cloud.nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\Drawbar Organ Stutter).nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\House Ęrgan.nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Fonds+Quint (rls).nkĘ
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Ęoix Humaine 8' (rls).nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\RoĘk Organ (Amp'ed).nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\Drawbar Organ (Stutter).nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\House Organ.nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Fonds+Quint (rls).nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\NDB - Voix Humaine 8' (rls).nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\05 - Organs and Harpsichord\Rock Organ (Amp'ed).nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\06 - Acoustic Drums\VintagĤ Funk Kit+GM Perc.nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\06 - Acoustic Drums\Vintage Funk Kit+GM Perc.nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\07 - Electronic Drums\CD Kit 1 (Spacious).nkĝ
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\07 - Electronic Drums\CD Kit 1 (Spacious).nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\08 - Percussion\Orchestral Thuğder.nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\08 - Percussion\Orchestral Thunder.nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\09 - Guitars\Steel String.ni
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\09 - Guitars\Steel String.nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\10 - Basses\AcĠustic Bass (Cho).nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\10 - Basses\SemiAcou Bass (EFXĠ.nki
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\10 - Basses\Acoustic Bass (Cho).nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\10 - Basses\SemiAcou Bass (EFX).nki
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\11 - Synthesizers\03 AllȀSynth Leads.nkb
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\11 - Synthesizers\03 All Synth Leads.nkb
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\12 - Loops\Altereŗ States 2
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\12 - Loops\Altered States 2
Status: Visible to the Windows API, but not on disk.

Path: D:\Kontakt 2 Library\14 - Banks\11 - Al Synth Basses.nkb
Status: Invisible to the Windows API!

Path: d:\kontakt 2 library\14 - banks\13 - all surround instruments.nkb
Status: Allocation size mismatch (API: 32768, Raw: 58828270132559872)

Path: D:\Kontakt 2 Library\14 - Banks\11 - All Synth Basses.nkb
Status: Visible to the Windows API, but not on disk.

Path: \\?\D:\Kontakt 2 Library\15 - Multiԟ\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\Kontakt 2 Library\15 - Multiԟ\00 - Demo Multi
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\15 - Multiԟ\01 - Orchestra Multis
Status: Invisible to the Windows API!

Path: D:\Kontakt 2 Library\15 - Multiԟ\02 - Output Configurations
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\RP26
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\RP27
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rዮstore{1D1BDE28-ED91-46B0-8CA7-398282769602}\RP28
Status: Invisible to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926558c

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265e0c

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266922

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266e94

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92660ee

#: 041 Function Name: NtCreateKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ec4a1c

#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266d6c

#: 044 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265192

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266c28

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926534e

#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266fc6

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268c08

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265aaa

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266cca

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92685fa

#: 063 Function Name: NtDeleteKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ec4c10

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ec4cb6

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266576

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92695ca

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264eca

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264f74

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266382

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926868c

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264412

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264424

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268cbc

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92650c0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266f36

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265e8e

#: 119 Function Name: NtOpenKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ec490c

#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9266e04

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265792

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268c32

#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9267068

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92656b6

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926501e

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264c46

#: 167 Function Name: NtQuerySection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268fd4

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264896

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268922

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264b0e

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92642b0

#: 194 Function Name: NtReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92673f2

#: 195 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92672b8

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926839a

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926be2c

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92694ac

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9264248

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa926665c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265cc8

#: 230 Function Name: NtSetInformationToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9267c4a

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268786

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9269114

#: 247 Function Name: NtSetValueKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ec4e52

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92691f8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9269320

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268526

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "TfSysMon.sys" at address 0xb9ec6b30

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9265860

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9268e8a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92659ea

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276ca6

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276d70

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276dda

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276d0a

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92768ba

#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276c72

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276aa8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276822

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276baa

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa927686e

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92769fa

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276950

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92769a4

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276b3a

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276a5a

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa9276772

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa92767c8

==EOF==

#7 m0le (Malware Response Team, London, UK)

Posted 12 December 2009 - 06:43 PM

The logs look good. TDSS is something which we should double check for.

If you are away for a few weeks then I will note that; I will occasionally bump the topic so I can check that you are still there.


Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then let's use another rootkit search

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks
m0le is a proud member of UNITE

#8 nicnite (Topic Starter)

Posted 13 December 2009 - 11:28 AM

Dear m0le,

Thanks very much for your reply. I have run Malwarebytes and will run the other scan as soon as I return. Thank you for your help and patience.

Regards,
Nick

#9 m0le (Malware Response Team)

Posted 16 December 2009 - 06:54 PM

Hi nicnite, just checking that you're still there.

#10 nicnite (Topic Starter)

Posted 20 December 2009 - 12:08 PM

I'm still here m0le, thanks for checking. Again I apologize for this break in the middle of you helping me--I had to travel to take care of my father who is ill. I hope to be back at my computer at home (the one with the problem) shortly after New Year. If you need me to start again from scratch I understand completely, just let me know.

Thanks!
Nick

#11 nicnite (Topic Starter)

Posted 24 December 2009 - 09:09 PM

Still here, still away from home. :(

Thanks!
n

#12 m0le (Malware Response Team)

Posted 25 December 2009 - 09:11 AM

Merry Christmas, nicnite.

#13 m0le (Malware Response Team)

Posted 31 December 2009 - 04:12 PM

Just checking in.

Happy New Year.

#14 nicnite (Topic Starter)

Posted 01 January 2010 - 11:05 AM

Thank you m0le, Merry Christmas and Happy New Year to you and yours.

I'm still away from home, and it's looking like another ten days or so--caring for my father who is ill. Just let me know if you want me to start from the back of the queue--it's no problem.

Regards,
Nick

#15 m0le (Malware Response Team)

Posted 03 January 2010 - 07:56 PM

No problem Nick, I will close it if I haven't heard anything by the 11th of January.

