Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: New Technique Recycles Exploit Chain to Keep Antivirus Silent

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

possible Vundo infection

Started by gregbgardt , Jan 03 2010 08:59 PM

This topic is locked

2 replies to this topic

#1 gregbgardt

Members
1 posts
OFFLINE

Local time:07:42 PM

Posted 03 January 2010 - 08:59 PM

Hi there,

My computer has been infected and I cleaned up majority of it. I know it had vundo in it but virus scans appear to not find it now. The problem seems intertwined into the system. I ran Vundofix and detected nothing. Every few hours or so, my antivirus detects about 10 .dll files that should be run.

I greatly appreciate any help you can provide.

Thank you!

Greg

DDS (Ver_09-12-01.01) - NTFSx86
Run by at 21:28:22.34 on Sun 01/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.447 [GMT -6:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\OWNERY~1.000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\ownery~1.000\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smcwus~1.lnk - c:\program files\smc\smcwusb-g 802.11g wireless usb 2.0 adapter\SMCWGUTI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zdwlan~1.lnk - c:\program files\zydas technology corporation\zydas_802.11g_utility\ZDWlan.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262376183120
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: desotipaw - {73e582f3-b794-4286-81c1-acf2bd6e58a7} - No File
SSODL: tufevakat - {d0295aa0-a757-47f0-8db8-c3eb219e81b6} - No File
SSODL: nuziwelim - {e3e21031-b35b-4d28-b28a-edf616fcddf3} - No File
SSODL: miwejosik - {f6443c7d-7e6e-4a75-b4d1-b67ecb7c30c2} - No File
SSODL: jesokivub - {42a5b4de-14f6-4766-a64f-d31d8f63eada} - No File
SSODL: finuyerem - {668a86b0-b9c6-4d7c-9d18-7ef1c74aedbf} - No File
SSODL: gigutijen - {39d7e6c9-5590-4178-b27f-8c61ac34e65b} - No File
STS: {73e582f3-b794-4286-81c1-acf2bd6e58a7} - No File
STS: {d0295aa0-a757-47f0-8db8-c3eb219e81b6} - No File
STS: {e3e21031-b35b-4d28-b28a-edf616fcddf3} - No File
STS: {f6443c7d-7e6e-4a75-b4d1-b67ecb7c30c2} - No File
STS: {42a5b4de-14f6-4766-a64f-d31d8f63eada} - No File
STS: {668a86b0-b9c6-4d7c-9d18-7ef1c74aedbf} - No File
STS: {39d7e6c9-5590-4178-b27f-8c61ac34e65b} - No File
STS: gahurihor: {a2568040-51cf-49ef-b543-458003ac4022} -
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli kuwokilo.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-5-24 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-11-21 296976]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-5-25 303376]
R2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2004-9-7 10112]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-11-21 615344]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-11-21 615344]
R2 MSSQL$EMMSDE;SQL Server (EMMSDE);c:\program files\microsoft sql server\emmsde\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-8-17 98304]
R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2004-9-7 9216]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S1 dlxqprmd;dlxqprmd;\??\c:\windows\system32\drivers\dlxqprmd.sys --> c:\windows\system32\drivers\dlxqprmd.sys [?]
S1 jmiokhuc;jmiokhuc;\??\c:\windows\system32\drivers\jmiokhuc.sys --> c:\windows\system32\drivers\jmiokhuc.sys [?]
S1 largwxbk;largwxbk;\??\c:\windows\system32\drivers\largwxbk.sys --> c:\windows\system32\drivers\largwxbk.sys [?]
S1 nzfsihcn;nzfsihcn;\??\c:\windows\system32\drivers\nzfsihcn.sys --> c:\windows\system32\drivers\nzfsihcn.sys [?]
S2 VoicentGateway;Voicent Gateway;"c:\program files\voicent\gateway\bin\vgate.exe" -dtype=service --> c:\program files\voicent\gateway\bin\vgate.exe [?]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 B-Service;B-Service;c:\documents and settings\owner.your-d26ef63b94.000\application data\mikogo\B-Service.exe [2009-10-1 185640]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\HCW88tun.sys [2009-5-4 137793]
S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\HCW88vid.sys [2009-5-4 605572]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\HCW88bar.sys [2009-5-4 27524]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-10-6 23288]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-10-26 11520]
S3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\system32\drivers\ZD1211BU.sys [2008-4-11 722432]
S4 EncompassServer;EncompassServer;c:\program files\encompass\EncompassServer.exe [2008-5-29 36864]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-01-03 22:55:27 0 d-sh--w- c:\documents and settings\owner.your-d26ef63b94.000\IECompatCache
2010-01-03 01:02:41 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-02 20:47:35 0 d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-01-02 20:44:06 0 d-----w- c:\windows\SQL9_KB970892_ENU
2010-01-02 20:42:50 0 d-sh--w- c:\documents and settings\owner.your-d26ef63b94.000\PrivacIE
2010-01-02 20:35:15 107912 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-02 08:35:54 0 d-----w- c:\windows\system32\scripting
2010-01-02 08:35:18 0 d-----w- c:\windows\l2schemas
2010-01-02 08:34:28 0 d-----w- c:\windows\system32\en
2010-01-02 08:34:28 0 d-----w- c:\windows\system32\bits
2010-01-02 07:08:48 0 d-----w- c:\windows\network diagnostic
2010-01-02 06:44:57 0 d-sh--w- c:\documents and settings\owner.your-d26ef63b94.000\IETldCache
2010-01-01 22:27:21 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-01 22:27:20 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-01 22:27:19 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-01 22:27:18 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-01 22:27:18 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-01 22:27:18 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-01 22:27:09 0 d-----w- c:\windows\ie8updates
2010-01-01 22:26:55 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-01 22:24:06 0 dc-h--w- c:\windows\ie8
2010-01-01 20:53:57 5888 ------w- c:\windows\system32\drivers\smbali.sys
2010-01-01 20:52:42 33792 ------w- c:\windows\system32\mmcperf.exe
2010-01-01 20:51:59 81920 ------w- c:\windows\system32\ieencode.dll
2010-01-01 20:16:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-01 20:07:12 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-01 20:07:12 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-01 20:00:40 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-31 00:05:16 3135 --sh--w- c:\windows\system32\sobipore.dll
2009-12-31 00:05:16 3121 --sh--w- c:\windows\system32\viliwesi.dll
2009-12-31 00:05:15 3131 --sh--w- c:\windows\system32\vetajume.dll
2009-12-30 23:46:33 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-12-30 02:05:50 0 d-----w- c:\program files\Marvell
2009-12-30 01:01:05 0 d-----w- c:\docume~1\ownery~1.000\applic~1\Webroot
2009-12-29 23:25:49 211228 ----a-w- c:\windows\hplj3380.hi1
2009-12-29 23:25:49 12520 ----a-w- c:\windows\hplj3380.bu1
2009-12-29 23:14:48 0 d-----w- C:\VundoFix Backups
2009-12-29 06:16:59 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-29 01:35:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Geek Squad
2009-12-29 01:35:20 262144 ---ha-w- c:\documents and settings\owner.your-d26ef63b94.000\ntuser.dat.LOG1
2009-12-29 01:35:20 0 ---ha-w- c:\documents and settings\owner.your-d26ef63b94.000\ntuser.dat.LOG2

==================== Find3M ====================

2009-12-30 02:11:56 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-11-22 00:09:01 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-22 00:09:01 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-21 23:22:07 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-11-21 22:29:53 74703 ----a-w- c:\windows\system32\mfc45.dll
2009-11-21 20:55:49 2098 --sh--w- c:\windows\system32\wojawiho.exe
2009-11-14 14:53:28 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-11-14 14:53:27 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-11-02 11:56:16 2098 --sh--w- c:\windows\system32\tamihifu.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 21:41:56.68 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/03 19:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAACBF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B31000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA731E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner.your-d26ef63b94.000\local settings\temp\~df874e.tmp
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: c:\program files\microsoft sql server\emmsde\mssql.1\mssql\log\log_116.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\report\report.rpt
Status: Allocation size mismatch (API: 704512, Raw: 679936)

Path: c:\documents and settings\all users\application data\microsoft\microsoft antimalware\support\mpwpptracing.bin
Status: Allocation size mismatch (API: 262144, Raw: 65536)

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb36e

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcba86

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcc60c

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafccb40

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcbd78

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca460

#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcca18

#: 044 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafc9d0a

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcc8d4

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb102

#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafccc72

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce40e

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb886

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcc976

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcaa20

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcacf8

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcc21c

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce980

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcae3a

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcaee4

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcc016

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcdea6

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca43c

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca44e

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb030

#: 114 Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafccbe2

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcbb08

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca604

#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafccab0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb56e

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce438

#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafccd14

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb492

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcaf8e

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcabb6

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca8bc

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce128

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcab34

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca0c2

#: 194 Function Name: NtReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcd09e

#: 195 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafccf64

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcdc30

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca224

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce860

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafc9ec4

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcc312

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb984

#: 230 Function Name: NtSetInformationToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcd5f2

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcdfa0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce4c2

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafca744

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce5a6

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafce6d2

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcddd2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb6ea

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb63c

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafcb7c8

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb32a

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb3ee

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb454

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb38a

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdaec4

#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb242

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb0b2

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdae2c

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb17a

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdae78

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb004

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdaf5a

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdafae

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb10a

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdb064

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdad7c

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xaafdadd2

==EOF==

Attached Files

dds.txt 16.93KB 0 downloads
ark.txt 20.65KB 0 downloads

Edited by gregbgardt, 03 January 2010 - 10:47 PM.

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 myrti

Sillyberry

Malware Study Hall Admin
33,779 posts
OFFLINE

Gender:Female
Location:At home
Local time:03:42 AM

Posted 11 January 2010 - 07:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

Back to top

#3 myrti

Sillyberry

Malware Study Hall Admin
33,779 posts
OFFLINE

Gender:Female
Location:At home
Local time:03:42 AM

Posted 17 January 2010 - 02:09 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti