
Another Google redirecting problem


  • This topic is locked
2 replies to this topic

#1 yawnoc88

yawnoc88

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:38 AM

Posted 21 December 2009 - 03:58 PM

Hi,

I'm having a similar problem to a lot of people; links I click on in Google are redirected to other sites, some nasty ones that my AVG blocks and some just advertising. When I first open an IE browser another one (usually Party Poker or something) immediately comes up too. I've had a bad few days with my PC, had a lot of viruses and I'm not sure what I did to let it happen! I think I've got all of them but this. I had a blue screen error a couple of days ago and have also been unable to boot up in safe mode - it just crashes. I'm not sure if it's because of this problem. I have AVG and MalwareBytes, tried a bunch of other anti-viruses - Parentologic, Panda, Spyware Doctor etc, and they found nothing. Everything is coming up clean at the moment but I'm still getting this problem.

Here is my DDS log. The RootRepeal scan is running veerry slowly but I can follow with it later if it's required. Thanks for any help/advice :(


DDS (Ver_09-12-01.01) - NTFSx86
Run by Acer at 20:08:40.73 on 21/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.714 [GMT 0:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Acer\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Acer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ParetoLogic Anti-Virus PLUS] "c:\program files\paretologic\anti-virus plus\Pareto_AV.lnk" -NM -hidesplash
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\curslib.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-18 161800]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-20 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-18 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-18 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-18 360584]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-12-20 186128]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-18 285392]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2009-2-18 587216]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2009-1-6 847392]
S0 vyoyztwg;vyoyztwg;c:\windows\system32\drivers\vtlcjcas.sys --> c:\windows\system32\drivers\vtlcjcas.sys [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-1-6 20160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-1-7 32512]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-12-8 120232]

=============== Created Last 30 ================

2009-12-20 15:01:11 64556 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-20 15:01:11 5001504 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-20 15:01:11 3668 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-20 15:01:11 32032 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-20 15:00:57 1365 ----a-w- C:\rollback.ini
2009-12-20 14:01:42 0 d-----w- c:\program files\ParetoLogic
2009-12-20 14:01:42 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2009-12-20 14:01:42 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-12-19 02:02:48 0 d-----w- c:\program files\common files\ParetoLogic
2009-12-18 23:07:57 105088 ----a-w- c:\windows\system32\drivers\av5flt.sys
2009-12-18 16:07:12 0 ----a-w- c:\documents and settings\acer\čŁčŁ
2009-12-18 15:43:39 0 d--h--w- C:\$AVG
2009-12-18 15:43:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-18 15:43:21 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-18 15:43:20 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-18 15:43:12 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-18 15:43:02 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-18 15:42:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-17 22:40:46 0 d-----w- c:\docume~1\acer\applic~1\Malwarebytes
2009-12-17 22:40:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-17 22:40:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-17 22:40:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 22:40:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 22:47:22 8627 ----a-w- c:\documents and settings\acer\PAV_FOG.OPC
2009-12-16 22:46:29 8627 ----a-w- c:\windows\system32\PAV_FOG.OPC
2009-12-16 22:36:44 0 ----a-w- c:\documents and settings\acer\č╦č╦
2009-12-16 20:35:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Backup
2009-12-16 20:35:24 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2009-12-16 20:35:05 197888 ----a-w- c:\windows\system32\drivers\neti1634.sys
2009-12-16 20:05:48 151 ----a-w- c:\windows\AvDetected.ini
2009-12-16 18:39:01 0 d-----w- C:\AVGTemp
2009-12-16 18:35:57 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-16 17:49:34 23040 ----a-w- c:\windows\system32\psapi.dll
2009-12-15 23:25:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-12-15 23:25:01 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-12-15 22:59:16 0 ----a-w- c:\documents and settings\acer\č╗č╗
2009-12-15 22:25:59 361600 ----a-w- c:\windows\system32\drivers\OLD2CF.tmp
2009-12-15 22:25:58 0 d-sh--w- c:\docume~1\acer\applic~1\SystemProc
2009-12-15 22:25:22 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-12-13 01:41:06 32496 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-12-19 15:28:29 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-20 19:10:47 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-20 19:10:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 20:10:32.04 ===============

RootRepeal report if required ...


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/21 20:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA2978000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\$avg\$chjw\b92638e5-61d3-4a81-a7f3-8849b8c82f2a
Status: Size mismatch (API: 809788, Raw: 707436)

Path: c:\$avg\$chjw\da56eef0-b769-426a-b8d9-45c9160d424a
Status: Size mismatch (API: 821536, Raw: 769408)

Path: c:\windows\temp\b614873a-eab6-4fdb-bed1-94c99dfac860.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\c5cc7c90-9e88-4eac-a32b-b75c3f0e6b66.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\a461fbf0-36a3-4d74-81ff-403f6e0ba7ab.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\555fd0fc-70de-46cb-8f95-bffd81eac428.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\acer\local settings\temp\~df92b.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: c:\documents and settings\acer\local settings\application data\microsoft\internet explorer\recovery\active\{7b14c084-ee6b-11de-b2d8-001302184982}.dat
Status: Size mismatch (API: 323584, Raw: 286208)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06da00

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba91887e

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06d730

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06d8a0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06e340

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06df90

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06ec60

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06db60

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06bf80

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06d520

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06e170

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06e910

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06ec10

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06ef90

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06f560

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06ac40

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba918bfe

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06ebc0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06c2f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06e760

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06da20

Stealth Objects
-------------------
Object: Hidden Handle [Index: 672, Type: Event]
Process: ScanningProcess.exe (PID: 4564) Address: 0x87c4d3e0 Size: -

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06c1c0

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06bbe0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06abc0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06ac00

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06bae0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06f340

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06bb90

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06b080

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06f180

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xad06f390

==EOF==

Merged posts. ~ OB

Edited by Orange Blossom, 29 December 2009 - 08:31 PM.
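A first triage pass over the two DDS sections a helper reads first, added here as an example; it is not code from DDS, RootRepeal or anyone in this thread. It surfaces only what DDS itself marks as unresolved (a load point ending in "- No File", a service whose image it reports as "[?]") plus any entry in the AppInit_DLLs, LSP, Notify or SSODL load points; the sample input is constructed from a few lines of the log above, and the choice of which keys count as sensitive is this example's own assumption.

```python
import re

# Load points that inject into every GUI process (AppInit_DLLs), into the
# Winsock stack (LSP), into winlogon (Notify) or into the shell (SSODL).
# Treating any entry there as review-worthy is this example's assumption.
SENSITIVE_KEYS = {"AppInit_DLLs", "LSP", "Notify", "SSODL"}

SECTION_RE = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")
# "R0 Name;Description;image path [date size]"  or  "... path --> path [?]"
DRIVER_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?$"
)

# Constructed sample modelled on the posted log (not the full log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - No File
LSP: c:\windows\system32\INetHTTPFilter.dll
AppInit_DLLs: c:\windows\system32\curslib.dll
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-18 161800]
S0 vyoyztwg;vyoyztwg;c:\windows\system32\drivers\vtlcjcas.sys --> c:\windows\system32\drivers\vtlcjcas.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-1-7 32512]
============= FINISH: 20:10:32.04 ===============
"""


def classify_hjt_line(line):
    """Return (reason, line) for a 'Pseudo HJT Report' line worth review, else None."""
    if line.endswith("- No File"):
        return ("registered object whose file is missing", line)
    key = line.split(":", 1)[0].strip()
    if key in SENSITIVE_KEYS:
        return ("entry in sensitive load point %s" % key, line)
    return None


def classify_driver_line(line):
    """Return (reason, line) for a 'SERVICES / DRIVERS' line worth review, else None."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    if m.group("meta") == "?":
        # DDS prints "path --> path [?]" when it cannot read the image a
        # registered service points at; for a boot-start (S0/R0) entry there
        # is then nothing on disk for an on-demand scanner to look at.
        return ("%s driver whose image DDS could not read" % m.group("start"), line)
    return None


def triage(log_text):
    """Walk the DDS log section by section and collect (reason, line) items."""
    section, findings = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("title")
            continue
        if section == "Pseudo HJT Report":
            hit = classify_hjt_line(line)
        elif section == "SERVICES / DRIVERS":
            hit = classify_driver_line(line)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings
```

Calling `triage(open("dds.txt").read())` on a real DDS log returns the review list; on the sample it returns five items, the two "No File" entries, the LSP and AppInit_DLLs lines, and the S0 driver DDS could not read.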



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:07:38 AM

Posted 03 January 2010 - 03:16 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:07:38 AM

Posted 14 January 2010 - 09:33 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.



