
Do I have a virus? Symptoms Listed: Internet, Themes, Windows Update


  • This topic is locked
3 replies to this topic

#1 Sacredify

Posted 30 January 2011 - 01:52 PM

Hello all,

Recently, my sister installed the fake antivirus "Palladium Pro" onto the system. Using a thread from this forum, I was able to remove it. However, I am still confused by a host of problems my computer seems to be experiencing...although nothing I've done seems to be able to fix it!

A list would probably be easiest, so:

1. The service, "Windows Audio" will NOT start automatically.
-I have set it to automatic. I have set the dependencies to automatic.
-Seems to be "random" in the sense that sometimes it won't load, sometimes it will stop working in the middle of watching a movie, or playing a game, etc.

2. My browser will automatically and RANDOMLY connect me to random websites that I have never seen before.
-The Firefox add-on NoScript is sort of helpful, in the sense that all of the pages run scripts to redirect me to Google, or something else.

3. The theme for my computer, Windows XP style, is RANDOMLY changed to the WINDOWS CLASSIC style, without my input. Sometimes it is IMPOSSIBLE to change back, as in the settings the Windows XP theme is not available anymore...it is not even on the list.
-I attempted removing the theme, but it will still change randomly.
-Sometimes I can change it back, sometimes it is unavailable.
-It will usually freeze up my computer to the point of manual restart.

4. I am unable to connect to the Windows Update website. It will return "unable to connect" or "connection was reset" every time.
-I do not have the service enabled, but this should not hinder my ability to connect to the website...should it?

5. Multiple instances of mshta.exe end up running and hog resources. I was wondering which service this is, to disable it. HTA files are unknown to me however, and I'm not sure if I use them.


Quite a list, eh? Anyways...

I have run the following programs:

Malwarebytes Anti-Malware: Detected "Palladium Pro" as mentioned above, removed.
SuperAntiSpyware: Detected multiple trojan droppers, all removed.
Windows Defender: Nothing detected.
RootRepeal: Attached logs.
HijackThis: Attached: Log.log

I really am fussed by this, and would appreciate any advice I can get. I have tried searching my problems here, but most are outdated and/or do not work.


Please note that no, I do not usually run active firewalls and/or online protection. I PRIDE myself on being a smart user, and have never had a problem like this before. I know this is probably not advised, but I am a gamer, and I find it is too much trouble for what it is worth. Not to sound a bit rude, but I have full confidence that this was my sister :| It isn't the first time she has installed viruses through LimeWire, or such.


RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2011/01/30 13:35
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA450A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB860A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xB8671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_PNP6148
Image Path: \Driver\PCI_PNP6148
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA0106000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xB85AC000 Size: 5248 File Visible: No Signed: -
Status: -

Name: sprw.sys
Image Path: sprw.sys
Address: 0xB7EB4000 Size: 995328 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-1390067357-1844823847-725345543-1003\Dc232.exe
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-1390067357-1844823847-725345543-1003\Dc233.tmp
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-1390067357-1844823847-725345543-1003\Dc234.log
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-1390067357-1844823847-725345543-1003\Dc235.bin
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-1390067357-1844823847-725345543-1003\Dc236.rtf
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-1390067357-1844823847-725345543-1003\Dc237.bin
Status: Invisible to the Windows API!

Path: C:\RECYCLER\S-1-5-21-1390067357-1844823847-725345543-1003\Dc238.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\CurseClient.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\CurseClient.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\CurseClient.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\CurseClient.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Microsoft.Windows.Shell.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Microsoft.Windows.Shell.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Win32Interop.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Win32Interop.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Curse.CurseClient.WowStead.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Curse.CurseClient.WowStead.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Curse.CurseClient.Logitech.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\Curse.CurseClient.Logitech.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\zlib.net.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\zlib.net.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\GammaJul.LgLcd.Wpf.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\GammaJul.LgLcd.Wpf.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\GammaJul.LgLcd.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\manifests\GammaJul.LgLcd.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\XCEERO~1.CDF
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\XCEERO~1.MAN
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\XCEEGR~1.CDF
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\XCEEGR~1.MAN
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\XCEERO~1.CDF
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\XCEERO~1.MAN
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\XCEEGR~1.CDF
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Apps\2.0\XB0N4WHL.YV4\GT3E6A7T.WOC\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\XCEEGR~1.MAN
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\My Documents\Downloads\Music\Immediate Music\Immediate Music & World of Warcraft Soundtracks\World of Warcraft - Wrath of the Lich King Soundtrack\18 - Russell Brower, Derek Duke & Glenn Stafford - Totems Of The Grizzlemaw.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\01\159-{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}-v1-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v159-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\12\14-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v12-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v14-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\13\13-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v13-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v13-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\14\14-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v14-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v14-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\15\15-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v15-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v15-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\16\16-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v16-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v16-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\17\17-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v17-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v17-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\18\17-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v18-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v17-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\19\15-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v19-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v15-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\20\16-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v20-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v16-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\21\21-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v21-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v21-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\22\22-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v22-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v22-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\23\23-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v23-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v23-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\24\24-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v24-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v24-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\25\25-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v25-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v25-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\26\26-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v26-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v26-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\27\27-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v27-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v27-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\28\28-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v28-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v28-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\29\29-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v29-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v29-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\30\30-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v30-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v30-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\31\31-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v31-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v31-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\32\32-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v32-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v32-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\33\33-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v33-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v33-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\andrew_tea94@hotmail.com\DFSR\Staging\CS{2F4F5E9D-3541-5277-C349-8571CA8C5ACA}\34\34-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v34-{1F05D11F-3784-40BE-92E0-ABAF948F0445}-v34-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\01\162-{924BBB7F-2681-BCC2-1839-8367D1A860C2}-v1-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v162-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\63\163-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v163-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v163-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\64\164-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v164-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v164-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\65\165-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v165-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v165-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\66\166-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v166-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v166-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\67\167-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v167-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v167-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\68\168-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v168-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v168-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\69\169-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v169-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v169-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\70\170-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v170-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v170-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\71\171-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v171-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v171-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\72\172-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v172-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v172-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\73\173-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v173-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v173-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Messenger\humboughner@msn.com\SharingMetadata\justinmancini@hotmail.com\DFSR\Staging\CS{924BBB7F-2681-BCC2-1839-8367D1A860C2}\74\174-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v174-{AA80021C-D2D9-423B-BC18-FCE3C367C0FF}-v174-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwuguyx4.4yx\gogn5xdh.anp\1\s\ttdvnexlht0hltmd1frzafk25kyaf2p15jrvbspxkfsnieurp5aaabfa\f\roar.config:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Silverlight\is\cwu

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa45402a0

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453e34e

#: 041 Function Name: NtCreateKey
Status: Hooked by "sprw.sys" at address 0xb7eb50e0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453ffd0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4540140

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4540e10

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa45408ae

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa45417d0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4540450

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sprw.sys" at address 0xb7ecdda4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sprw.sys" at address 0xb7ece132

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453dea0

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xb7c87030

#: 119 Function Name: NtOpenKey
Status: Hooked by "sprw.sys" at address 0xb7eb50c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453fdc0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4540c3e

#: 160 Function Name: NtQueryKey
Status: Hooked by "sprw.sys" at address 0xb7ece20a

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4541436

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sprw.sys" at address 0xb7ece08a

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453e930

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4541740

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4541b00

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa45420c0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453caf0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4540a90

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sprw.sys" at address 0xb7ece29c

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa45416f0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453e1b0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa45fb620

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4540310

Stealth Objects
-------------------
Object: Hidden Handle [Index: 2076, Type: Event]
Process: svchost.exe (PID: 1948) Address: 0x88df7d78 Address: -

Object: Hidden Handle [Index: 2896, Type: File]
Process: svchost.exe (PID: 1948) Address: 0x88dc1870 Address: -

Object: Hidden Handle [Index: 4036, Type: Event]
Process: svchost.exe (PID: 1948) Address: 0x88e252a8 Address: -

Object: Hidden Handle [Index: 4168, Type: Thread]
Process: svchost.exe (PID: 1948) Address: 0x88dc23e0 Address: -

Object: Hidden Handle [Index: 4276, Type: Timer]
Process: svchost.exe (PID: 1948) Address: 0x89138640 Address: -

Object: Hidden Handle [Index: 4464, Type: Thread]
Process: svchost.exe (PID: 1948) Address: 0x88dc23e0 Address: -

Object: Hidden Handle [Index: 8184, Type: File]
Process: svchost.exe (PID: 1948) Address: 0x88e53808 Address: -

Object: Hidden Handle [Index: 8884, Type: File]
Process: svchost.exe (PID: 1948) Address: 0x88e1ece0 Address: -

Object: Hidden Handle [Index: 9236, Type: Semaphore]
Process: svchost.exe (PID: 1948) Address: 0x88f1c0a8 Address: -

Object: Hidden Handle [Index: 9560, Type: Event]
Process: svchost.exe (PID: 1948) Address: 0x88e13750 Address: -

Object: Hidden Handle [Index: 9568, Type: Event]
Process: svchost.exe (PID: 1948) Address: 0x88eaf2a0 Address: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8a2e0500 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8b57f1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a60b1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a60b1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a60b1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a60b1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a60b1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a60b1f8 Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a60b1f8 Address: 121

Object: Hidden Code [Driver: RasP, IRP_MJ_CREATE]
Process: System Address: 0x8a4df1f8 Address: 121

Object: Hidden Code [Driver: RasP, IRP_MJ_CLOSE]
Process: System Address: 0x8a4df1f8 Address: 121

Object: Hidden Code [Driver: RasP, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4df1f8 Address: 121

Object: Hidden Code [Driver: RasP, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4df1f8 Address: 121

Object: Hidden Code [Driver: RasP, IRP_MJ_POWER]
Process: System Address: 0x8a4df1f8 Address: 121

Object: Hidden Code [Driver: RasP, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4df1f8 Address: 121

Object: Hidden Code [Driver: RasP, IRP_MJ_PNP]
Process: System Address: 0x8a4df1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a51b1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8b5231f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a38c500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a38c500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a38c500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a38c500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a38c500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a38c500 Address: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_CREATE]
Process: System Address: 0x8b57e1f8 Address: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_CLOSE]
Process: System Address: 0x8b57e1f8 Address: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b57e1f8 Address: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b57e1f8 Address: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_POWER]
Process: System Address: 0x8b57e1f8 Address: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b57e1f8 Address: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_PNP]
Process: System Address: 0x8b57e1f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a5241f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a5241f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5241f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5241f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a5241f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5241f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a5241f8 Address: 121

Object: Hidden Code [Driver: VClone, IRP_MJ_CREATE]
Process: System Address: 0x8a47a500 Address: 121

Object: Hidden Code [Driver: VClone, IRP_MJ_CLOSE]
Process: System Address: 0x8a47a500 Address: 121

Object: Hidden Code [Driver: VClone, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a47a500 Address: 121

Object: Hidden Code [Driver: VClone, IRP_MJ_POWER]
Process: System Address: 0x8a47a500 Address: 121

Object: Hidden Code [Driver: VClone, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a47a500 Address: 121

Object: Hidden Code [Driver: VClone, IRP_MJ_PNP]
Process: System Address: 0x8a47a500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a387500 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CREATE]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CLOSE]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_READ]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CLEANUP]
Process: System Address: 0x8a2ba368 Address: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_PNP]
Process: System Address: 0x8a2ba368 Address: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453e080

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453ea10

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453db10

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453ca00

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453ca80

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453ca40

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453da10

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4541ea0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453dac0

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa453cf90

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4541cf0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa4541ef0

==EOF==




HijackThis:


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:10:42 PM, on 1/30/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Documents and Settings\Michael\My Documents\Files i find Irrelevent\rootrepeal\RootRepeal.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O2 - BHO: VirtualCamera IEMenu Class - {0246A1A7-820A-469A-85A7-7B7F01EB808C} - C:\Program Files\VirtualCamera\VirtualCameraMenu.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1390067357-1844823847-725345543-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'David')
O4 - HKUS\S-1-5-21-1390067357-1844823847-725345543-1007\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messeng

Edited by Sacredify, 30 January 2011 - 08:32 PM.
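A triage script for the two logs posted above, added here as an example; it is not part of the original post and not code from the RootRepeal or HijackThis tools. It pairs up the two-line records in the RootRepeal SSDT and "Hidden Code" sections and groups them by hooking module and by driver (so a driver's long run of IRP_MJ_* entries collapses to one line with one hook address), and it groups the HijackThis R3/O2/O3 entries by CLSID so a component registered as URLSearchHook, BHO and toolbar at once shows up once with three roles, while entries whose DLL is "(no file)" are flagged as orphans. The KNOWN_VENDOR_MODULES allow-list is an assumption for the example: klif.sys and kl1.sys are Kaspersky drivers, SASKUTIL.SYS belongs to SUPERAntiSpyware (its path in the log says so). The script does not claim an unlisted module is malicious, only that the analyst has to look it up; the sample lines are copied from the logs above.

```python
"""Triage helpers for the RootRepeal and HijackThis logs posted above.
Added example for this page, not code from the thread or from either tool.
Sample lines are copied from the posted logs; KNOWN_VENDOR_MODULES is an
assumed allow-list, not something the logs themselves state."""
import re
from collections import defaultdict

# Assumption: hooks from these modules are expected on this box because a known
# security product installed them (Kaspersky's klif.sys and kl1.sys,
# SUPERAntiSpyware's SASKUTIL.SYS); any other hooking module is surfaced.
KNOWN_VENDOR_MODULES = {"klif.sys", "kl1.sys", "saskutil.sys"}

SSDT_RE = re.compile(r'^#: \d+ Function Name: (\w+)$')
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-f]+)$')
IRP_RE = re.compile(r'^Object: Hidden Code \[Driver: (\w+), (IRP_MJ_\w+)\]$')
ADDR_RE = re.compile(r'^Process: \S+ Address: (0x[0-9a-f]+) Address: \S+$')
HJT_RE = re.compile(r'^(R3|O2|O3) - [^:]+: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')


def parse_rootrepeal(text):
    """Return (ssdt, irp): module -> sorted hooked Nt* functions, and
    driver -> (hooked IRP_MJ_* count, frozenset of dispatch hook addresses)."""
    lines = [ln.strip() for ln in text.splitlines()]
    ssdt, irp = defaultdict(list), defaultdict(lambda: [0, set()])
    for prev, cur in zip(lines, lines[1:]):   # each record is a line pair
        if (f := SSDT_RE.match(prev)) and (h := HOOK_RE.match(cur)):
            module = h.group(1).rsplit("\\", 1)[-1].lower()  # path or bare name
            ssdt[module].append(f.group(1))
        elif (d := IRP_RE.match(prev)) and (a := ADDR_RE.match(cur)):
            irp[d.group(1)][0] += 1
            irp[d.group(1)][1].add(a.group(1))
    return ({k: sorted(v) for k, v in ssdt.items()},
            {k: (n, frozenset(s)) for k, (n, s) in irp.items()})


def unexpected_hookers(ssdt):
    """SSDT-hooking modules that are not on the assumed allow-list."""
    return sorted(m for m in ssdt if m not in KNOWN_VENDOR_MODULES)


def parse_hijackthis(text):
    """Group R3/O2/O3 entries by CLSID: one component registered as
    URLSearchHook, BHO and toolbar then shows up once with three roles."""
    by_clsid = defaultdict(lambda: {"name": "", "roles": [], "path": ""})
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            kind, name, clsid, path = m.groups()
            rec = by_clsid[clsid.lower()]
            rec["name"], rec["path"] = name, path
            rec["roles"].append(kind)
    return dict(by_clsid)


def orphaned_entries(by_clsid):
    """CLSIDs still registered although their DLL is gone ('(no file)')."""
    return sorted(c for c, r in by_clsid.items() if r["path"] == "(no file)")


def multi_role_entries(by_clsid):
    """CLSIDs registered under more than one hook type."""
    return sorted(c for c, r in by_clsid.items() if len(set(r["roles"])) > 1)


# Constructed sample: a handful of lines copied from the logs posted above.
ROOTREPEAL_SAMPLE = r"""#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa45402a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "sprw.sys" at address 0xb7eb50e0

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xb7c87030

#: 119 Function Name: NtOpenKey
Status: Hooked by "sprw.sys" at address 0xb7eb50c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa45fb620

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8b57d1f8 Address: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8a2e0500 Address: 121
"""

HIJACKTHIS_SAMPLE = r"""R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuze.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
"""
```

Feed it the full report text rather than the sample, and build the allow-list from what is actually installed on the machine. On the sample, `parse_rootrepeal` groups NtCreateKey and NtOpenKey under sprw.sys, which `unexpected_hookers` returns because it is not on the assumed list; the two Ntfs entries collapse to one driver with one address. A module that RootRepeal shows by bare name only, as with sprw.sys, still has to be located on disk by hand before deciding what it is.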


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 03 February 2011 - 11:21 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

Posted 06 February 2011 - 01:10 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr

Posted 09 February 2011 - 09:15 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.