The problem I'm experiencing deals with a "Trojan.Win32.Genome." Every other day it appears to corrupt my boot.ini, as I get a corrupt "hal.dll" message on startup. I fix it with bootcfg and fixboot. Upon Windows load, my virus scanner detects and deletes it... yet it always comes back!
Best I can tell, this started happening when my wife joined Facebook recently... I'm really at odds on how to truly find its hidey place and surgical strike! I'm sure you guys/gals can help! (Oh, and Shield Deluxe 2009 is the real deal, not the known malware version, and was only installed again after this started happening.)
Here are the DDS & RootRepeal logs... I have OTM installed and ready! TY in advance!
DDS (Ver_09-12-01.01) - NTFSx86
Run by mr2mkii at 22:11:18.60 on Wed 12/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.962 [GMT -5:00]
AV: The Shield Deluxe 2009 *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\STK02N\STK02NM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\mr2mkii\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.briancrowell.com/Brian/music.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2009\SCIEPlgn.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
============= SERVICES / DRIVERS ===============
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFi~1.sys [2009-10-14 20992]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 110096]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-28 195344]
R2 AVP;The Shield Deluxe 2009;c:\program files\pcsecurityshield\the shield deluxe 2009\avp.exe [2008-10-8 221184]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2009-10-14 73216]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S3 AVC2310F;AVC-2310/AVC-2210 USB Loader;c:\windows\system32\drivers\avcuwfl.sys [2009-3-13 18580]
S3 AvcUWilo;Adaptec AVC-2210/2310 USB Device;c:\windows\system32\drivers\avcuwilo.sys [2009-3-13 50258]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-6-20 101520]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\j:\ntglm7x.sys --> j:\NTGLM7X.sys [?]
=============== Created Last 30 ================
2009-12-17 02:25:00 0 d-----w- C:\KittyFix31448K
2009-12-17 02:12:14 0 d-----w- C:\KittyFix
2009-12-17 02:04:10 0 d-sha-r- C:\cmdcons
2009-12-17 02:03:19 98816 ----a-w- c:\windows\sed.exe
2009-12-17 02:03:19 77312 ----a-w- c:\windows\MBR.exe
2009-12-17 02:03:19 261632 ----a-w- c:\windows\PEV.exe
2009-12-17 02:03:19 161792 ----a-w- c:\windows\SWREG.exe
2009-12-09 22:51:13 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-09 22:51:13 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-09 22:50:38 8992 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-09 22:50:38 32288 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-09 22:50:38 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-09 22:50:38 1652 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-09 22:50:38 0 d-----w- c:\program files\PCSecurityShield
2009-12-09 22:50:38 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSecurityShield
2009-12-09 22:49:51 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSecurityShield Setup Files
==================== Find3M ====================
============= FINISH: 22:11:30.14 ===============
...here's the RootRepeal...
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/16 21:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\mr2mkii\LOCALS~1\Temp\catchme.sys
Address: 0xBA458000 Size: 31744 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7018000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EA000 Size: 8192 File Visible: No Signed: -
Status: -
Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA66C000 Size: 7872 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6180000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076370
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7074420
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70677a0
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70760a0
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076210
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076e70
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076940
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70777b0
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70678a0
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067920
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076510
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70679b0
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067a60
#: 079 Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067b10
#: 092 Function Name: NtInitializeRegistry
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067b90
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073fd0
#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068590
#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067bb0
#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067c80
#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xb9d8a020
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067d60
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7075e90
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076ca0
#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067e30
#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067ee0
#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077460
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7067f90
#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068040
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7074a00
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70680d0
#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077760
#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70682d0
#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077ae0
#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70780a0
#: 226 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068360
#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072c20
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7076b20
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068400
#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077710
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70742e0
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077300
#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7068550
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70763d0
Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x837e5860, TID: 1132]
Process: avp.exe (PID: 1156) Address: 0x0041fc48 Size: -
Object: Hidden Thread [ETHREAD: 0x836d5da8, TID: 1232]
Process: avp.exe (PID: 1156) Address: 0x77deb479 Size: -
Object: Hidden Thread [ETHREAD: 0x836bb730, TID: 1284]
Process: avp.exe (PID: 1156) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x837acda8, TID: 1420]
Process: avp.exe (PID: 1156) Address: 0x30484180 Size: -
Object: Hidden Thread [ETHREAD: 0x838bf888, TID: 1948]
Process: avp.exe (PID: 1156) Address: 0x316733b9 Size: -
Object: Hidden Thread [ETHREAD: 0x836ff528, TID: 188]
Process: avp.exe (PID: 1156) Address: 0x31451129 Size: -
Object: Hidden Thread [ETHREAD: 0x837b6da8, TID: 268]
Process: avp.exe (PID: 1156) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x831037f8, TID: 1868]
Process: avp.exe (PID: 1156) Address: 0x30bb20de Size: -
Object: Hidden Thread [ETHREAD: 0x82efd450, TID: 740]
Process: avp.exe (PID: 1156) Address: 0x7c92798d Size: -
Object: Hidden Thread [ETHREAD: 0x83088020, TID: 4040]
Process: avp.exe (PID: 1156) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x82ad6b98, TID: 2936]
Process: avp.exe (PID: 1156) Address: 0x7c929fae Size: -
Object: Hidden Thread [ETHREAD: 0x82a2f528, TID: 2812]
Process: avp.exe (PID: 1156) Address: 0x769c8831 Size: -
Object: Hidden Thread [ETHREAD: 0x830759f8, TID: 2056]
Process: avp.exe (PID: 1156) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x837b6970, TID: 2620]
Process: avp.exe (PID: 1156) Address: 0x77e76bf0 Size: -
Object: Hidden Thread [ETHREAD: 0x8276d890, TID: 540]
Process: avp.exe (PID: 1156) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x8286a2d8, TID: 3364]
Process: avp.exe (PID: 1156) Address: 0x77df9981 Size: -
Object: Hidden Thread [ETHREAD: 0x82c96268, TID: 3368]
Process: avp.exe (PID: 1156) Address: 0x781329e1 Size: -
Object: Hidden Thread [ETHREAD: 0x8391d2f0, TID: 3412]
Process: avp.exe (PID: 1156) Address: 0x7c910760 Size: -
Object: Hidden Thread [ETHREAD: 0x82773020, TID: 388]
Process: avp.exe (PID: 1156) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x83aaa020, TID: 1288]
Process: avp.exe (PID: 496) Address: 0x0041fc48 Size: -
Object: Hidden Thread [ETHREAD: 0x8312e020, TID: 3904]
Process: avp.exe (PID: 496) Address: 0x30484180 Size: -
Object: Hidden Thread [ETHREAD: 0x82d01898, TID: 1300]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x8297dc80, TID: 1776]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x8379b280, TID: 612]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x82936b30, TID: 700]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x82abf560, TID: 640]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x82d01560, TID: 3612]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x82923698, TID: 1476]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x82cc08c0, TID: 2188]
Process: avp.exe (PID: 496) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x829d6680, TID: 1584]
Process: avp.exe (PID: 496) Address: 0x31441a47 Size: -
Object: Hidden Thread [ETHREAD: 0x829a45f0, TID: 2276]
Process: avp.exe (PID: 496) Address: 0x72d230e8 Size: -
Object: Hidden Thread [ETHREAD: 0x8295f698, TID: 2440]
Process: avp.exe (PID: 496) Address: 0x76b44dd6 Size: -
Object: Hidden Thread [ETHREAD: 0x829168b0, TID: 2136]
Process: avp.exe (PID: 496) Address: 0x7c92798d Size: -
Object: Hidden Code [ETHREAD: 0x83afd298]
Process: System Address: 0x83232000 Size: 87
Object: Hidden Code [ETHREAD: 0x83aff1f8]
Process: System Address: 0x83232000 Size: 87
Object: Hidden Code [ETHREAD: 0x83aeeda8]
Process: System Address: 0x831ff7e0 Size: 87
Object: Hidden Code [ETHREAD: 0x839205f8]
Process: System Address: 0x831ff7e0 Size: 87
Object: Hidden Code [ETHREAD: 0x83920b18]
Process: System Address: 0x832017d0 Size: 2097
Object: Hidden Code [ETHREAD: 0x838a0da8]
Process: System Address: 0x832017d0 Size: 2097
Object: Hidden Code [ETHREAD: 0x837882d0]
Process: System Address: 0x832017d0 Size: 2097
Object: Hidden Code [ETHREAD: 0x8379f328]
Process: System Address: 0x831ff7e0 Size: 87
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70741b0
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7074ae0
#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073c40
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072b30
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072bb0
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7072b70
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073b40
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077e80
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7073bf0
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb70730c0
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077cd0
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb7077ed0
==EOF==
Edited by mr2mkii, 16 December 2009 - 11:42 PM.