
Trojan continues to disrupt boot.ini


  • This topic is locked
2 replies to this topic

#1 mr2mkii

mr2mkii

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 16 December 2009 - 10:18 PM

Hey all, firstly I've learned a lot just lurking around, TY!

The problem I'm experiencing deals with a "Trojan.Win32.Genome." Every other day it appears to corrupt my boot.ini, as I get a corrupt "hal.dll" message on startup. I fix it with bootcfg and fixboot. Upon Windows loading, my virus scanner detects and deletes it... yet it always comes back!
Best I can tell, this started happening when my wife joined Facebook recently... I'm really at odds on how to truly find its hidey place, and surgical strike! I'm sure you guys/gals can help! (Oh, and Shield Deluxe 2009 is the real deal, not the known malware version, and was only installed again after this started happening).

Here are the DDS & RootRepeal logs... I have OTM installed and ready! TY in advance!


DDS (Ver_09-12-01.01) - NTFSx86
Run by mr2mkii at 22:11:18.60 on Wed 12/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.962 [GMT -5:00]

AV: The Shield Deluxe 2009 *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\STK02N\STK02NM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\mr2mkii\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.briancrowell.com/Brian/music.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2009\SCIEPlgn.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFi~1.sys [2009-10-14 20992]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 110096]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-28 195344]
R2 AVP;The Shield Deluxe 2009;c:\program files\pcsecurityshield\the shield deluxe 2009\avp.exe [2008-10-8 221184]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2009-10-14 73216]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S3 AVC2310F;AVC-2310/AVC-2210 USB Loader;c:\windows\system32\drivers\avcuwfl.sys [2009-3-13 18580]
S3 AvcUWilo;Adaptec AVC-2210/2310 USB Device;c:\windows\system32\drivers\avcuwilo.sys [2009-3-13 50258]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-6-20 101520]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\j:\ntglm7x.sys --> j:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2009-12-17 02:25:00 0 d-----w- C:\KittyFix31448K
2009-12-17 02:12:14 0 d-----w- C:\KittyFix
2009-12-17 02:04:10 0 d-sha-r- C:\cmdcons
2009-12-17 02:03:19 98816 ----a-w- c:\windows\sed.exe
2009-12-17 02:03:19 77312 ----a-w- c:\windows\MBR.exe
2009-12-17 02:03:19 261632 ----a-w- c:\windows\PEV.exe
2009-12-17 02:03:19 161792 ----a-w- c:\windows\SWREG.exe
2009-12-09 22:51:13 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-09 22:51:13 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-09 22:50:38 8992 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-09 22:50:38 32288 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-09 22:50:38 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-09 22:50:38 1652 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-09 22:50:38 0 d-----w- c:\program files\PCSecurityShield
2009-12-09 22:50:38 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSecurityShield
2009-12-09 22:49:51 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSecurityShield Setup Files

==================== Find3M ====================


============= FINISH: 22:11:30.14 ===============

...here's the RootRepeal...

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/16 21:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\mr2mkii\LOCALS~1\Temp\catchme.sys
Address: 0xBA458000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7018000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA66C000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6180000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076370

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7074420

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70677a0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70760a0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076210

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076e70

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076940

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70777b0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70678a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067920

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076510

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70679b0

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067a60

#: 079 Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067b10

#: 092 Function Name: NtInitializeRegistry
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067b90

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073fd0

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068590

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067bb0

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067c80

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xb9d8a020

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067d60

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7075e90

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076ca0

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067e30

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067ee0

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077460

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067f90

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068040

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7074a00

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70680d0

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077760

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70682d0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077ae0

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70780a0

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068360

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072c20

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076b20

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068400

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077710

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70742e0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077300

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068550

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70763d0

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x837e5860, TID: 1132]
Process: avp.exe (PID: 1156) Address: 0x0041fc48 Size: -

Object: Hidden Thread [ETHREAD: 0x836d5da8, TID: 1232]
Process: avp.exe (PID: 1156) Address: 0x77deb479 Size: -

Object: Hidden Thread [ETHREAD: 0x836bb730, TID: 1284]
Process: avp.exe (PID: 1156) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x837acda8, TID: 1420]
Process: avp.exe (PID: 1156) Address: 0x30484180 Size: -

Object: Hidden Thread [ETHREAD: 0x838bf888, TID: 1948]
Process: avp.exe (PID: 1156) Address: 0x316733b9 Size: -

Object: Hidden Thread [ETHREAD: 0x836ff528, TID: 188]
Process: avp.exe (PID: 1156) Address: 0x31451129 Size: -

Object: Hidden Thread [ETHREAD: 0x837b6da8, TID: 268]
Process: avp.exe (PID: 1156) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x831037f8, TID: 1868]
Process: avp.exe (PID: 1156) Address: 0x30bb20de Size: -

Object: Hidden Thread [ETHREAD: 0x82efd450, TID: 740]
Process: avp.exe (PID: 1156) Address: 0x7c92798d Size: -

Object: Hidden Thread [ETHREAD: 0x83088020, TID: 4040]
Process: avp.exe (PID: 1156) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x82ad6b98, TID: 2936]
Process: avp.exe (PID: 1156) Address: 0x7c929fae Size: -

Object: Hidden Thread [ETHREAD: 0x82a2f528, TID: 2812]
Process: avp.exe (PID: 1156) Address: 0x769c8831 Size: -

Object: Hidden Thread [ETHREAD: 0x830759f8, TID: 2056]
Process: avp.exe (PID: 1156) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x837b6970, TID: 2620]
Process: avp.exe (PID: 1156) Address: 0x77e76bf0 Size: -

Object: Hidden Thread [ETHREAD: 0x8276d890, TID: 540]
Process: avp.exe (PID: 1156) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x8286a2d8, TID: 3364]
Process: avp.exe (PID: 1156) Address: 0x77df9981 Size: -

Object: Hidden Thread [ETHREAD: 0x82c96268, TID: 3368]
Process: avp.exe (PID: 1156) Address: 0x781329e1 Size: -

Object: Hidden Thread [ETHREAD: 0x8391d2f0, TID: 3412]
Process: avp.exe (PID: 1156) Address: 0x7c910760 Size: -

Object: Hidden Thread [ETHREAD: 0x82773020, TID: 388]
Process: avp.exe (PID: 1156) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x83aaa020, TID: 1288]
Process: avp.exe (PID: 496) Address: 0x0041fc48 Size: -

Object: Hidden Thread [ETHREAD: 0x8312e020, TID: 3904]
Process: avp.exe (PID: 496) Address: 0x30484180 Size: -

Object: Hidden Thread [ETHREAD: 0x82d01898, TID: 1300]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x8297dc80, TID: 1776]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x8379b280, TID: 612]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x82936b30, TID: 700]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x82abf560, TID: 640]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x82d01560, TID: 3612]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x82923698, TID: 1476]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x82cc08c0, TID: 2188]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x829d6680, TID: 1584]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -

Object: Hidden Thread [ETHREAD: 0x829a45f0, TID: 2276]
Process: avp.exe (PID: 496) Address: 0x72d230e8 Size: -

Object: Hidden Thread [ETHREAD: 0x8295f698, TID: 2440]
Process: avp.exe (PID: 496) Address: 0x76b44dd6 Size: -

Object: Hidden Thread [ETHREAD: 0x829168b0, TID: 2136]
Process: avp.exe (PID: 496) Address: 0x7c92798d Size: -

Object: Hidden Code [ETHREAD: 0x83afd298]
Process: System Address: 0x83232000 Size: 87

Object: Hidden Code [ETHREAD: 0x83aff1f8]
Process: System Address: 0x83232000 Size: 87

Object: Hidden Code [ETHREAD: 0x83aeeda8]
Process: System Address: 0x831ff7e0 Size: 87

Object: Hidden Code [ETHREAD: 0x839205f8]
Process: System Address: 0x831ff7e0 Size: 87

Object: Hidden Code [ETHREAD: 0x83920b18]
Process: System Address: 0x832017d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x838a0da8]
Process: System Address: 0x832017d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x837882d0]
Process: System Address: 0x832017d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x8379f328]
Process: System Address: 0x831ff7e0 Size: 87

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70741b0

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7074ae0

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073c40

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072b30

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072bb0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072b70

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073b40

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077e80

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073bf0

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70730c0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077cd0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077ed0

==EOF==

Edited by mr2mkii, 16 December 2009 - 11:42 PM.
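As an added triage example (not part of the original thread, and not a BleepingComputer tool): a small Python parser for the SSDT and Shadow SSDT sections of the RootRepeal log above. It groups every hook by the module that installed it, so hooks from the kl*.sys drivers that the DDS log lists alongside the AVP service of The Shield Deluxe 2009 are separated from anything unexpected. The KNOWN_AV_MODULES set is an assumption, and the sample input is constructed from lines in the log plus one placeholder driver name (unknown_placeholder.sys) that does not appear in the real log.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the RootRepeal log in the thread, plus
# one placeholder driver (unknown_placeholder.sys) that is NOT in the real log,
# added only so the report has something to flag.
SAMPLE = r"""SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076370

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xb9d8a020

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067f90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\unknown_placeholder.sys" at address 0xb9aa0000

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072b30
"""

# Assumption: these are the kernel drivers the DDS log lists for the installed
# AV (AVP service of The Shield Deluxe 2009, kl*.sys). Hooks from anything else deserve a look.
KNOWN_AV_MODULES = {"klif.sys", "kl1.sys"}

HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)$')
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')


def parse_hooks(text):
    """Parse SSDT / Shadow SSDT entries into dicts; each entry spans two lines."""
    hooks, table, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("SSDT", "Shadow SSDT"):
            table = line                      # section header names the table
            continue
        m = HOOK_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending:
            idx, func = pending
            # keep only the file name so "kl1.sys" and a full path compare equal
            module = m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
            hooks.append({"table": table, "index": idx, "function": func,
                          "module": module, "address": int(m.group(2), 16)})
            pending = None
    return hooks


def summarize(hooks, known=KNOWN_AV_MODULES):
    """Group hooked functions by hooking module and mark whether it is expected."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h["function"])
    return {mod: {"count": len(funcs), "known_av": mod in known,
                  "functions": sorted(funcs)} for mod, funcs in by_module.items()}


def unrecognised(hooks, known=KNOWN_AV_MODULES):
    """Hooks installed by a module outside the expected set: the triage worklist."""
    return [(h["table"], h["function"], h["module"]) for h in hooks if h["module"] not in known]


if __name__ == "__main__":
    for mod, info in summarize(parse_hooks(SAMPLE)).items():
        tag = "expected AV" if info["known_av"] else "REVIEW"
        print(f"{mod}: {info['count']} hook(s) [{tag}] {', '.join(info['functions'])}")
```

Run against the full log in the post, every hook resolves to klif.sys or kl1.sys, which is what a reviewer expects from a Kaspersky-engine product and is not evidence of the trojan by itself.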



#2 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:07:20 AM

Posted 29 December 2009 - 09:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.


#3 SpySentinel

SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  • Gender:Male
  • Location:The United States
  • Local time:10:20 AM

Posted 07 January 2010 - 01:26 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact me or another staff member.

Everyone else please start a new topic.
Unified Network of Instructors and Trained Eliminators
