NTOSKRNL-HOOK Generic Rootkit.d!Rootkit


This topic is locked
40 replies to this topic

#1 PonchyRCA


Posted 28 August 2009 - 07:44 PM

Initially got a System Security virus that was removed using Malwarebytes. Subsequently got several other viruses, all removed with Malwarebytes. Got a variety of BSODs. Right now I appear to have everything cleaned except a rootkit, since McAfee consistently reports a NTOSKRNL-HOOK Generic Rootkit.d!Rootkit that it consistently says is removed but is actually not removed. Also Malwarebytes reports a \\?\globalroot\systemroot\ssytem32\geyekrlcbmkryv.dll (Trojan.TDSS) that it reports removed but is not actually removed. I suspect these are related. Also cannot start in Safe Mode right now. Additionally, when running RootRepeal I got the following message: "Could Not Read Boot Sector. Try Adjusting the Disk Access Level in the Options Dialog." I tried with several different settings and got the same message. I also got the following message on RootRepeal: "Could Not Read System Registry! Please Contact the Author!" The details showed "Unrecognized Partition Type 6 (0x6)!".
See DDS.txt, ark.txt files below and Attach.txt attached.
Thanks for your help.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Elaine at 18:27:20.10 on Fri 08/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1839 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Documents and Settings\Elaine\Application Data\U3\0000187FC5719D1C\LaunchPad.exe
C:\Documents and Settings\Elaine\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?regwiz=file://c:\program%20files\mcafee.com\agent\mcregwiz.exe&systempopup=true&affid=105-57&dtag=42WB881
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe,
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim6\aim.exe" /d locale=en-US
uRun: [Mp3Detective]
uRun: [Aim6]
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [<NO NAME>]
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatchTray11.exe"
mRun: [CPMonitor] "c:\program files\roxio creator 2009\5.0\CPMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Mp3Detective]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: swupdate.dll , ,c:\windows\system32\mukakuhe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\mukakuhe.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214024]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-11 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-11-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-11-11 144704]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2008-12-30 433732]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-11-11 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-11 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-11 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-11-11 40552]
S0 ldfc15f;ldfc15f;\SystemRoot\\SystemRoot\System32\drivers\ldfc15f.sys --> \SystemRoot\\SystemRoot\System32\drivers\ldfc15f.sys [?]
S1 7b7aefb7.sys;7b7aefb7.sys;\??\c:\windows\system32\drivers\7b7aefb7.sys --> c:\windows\system32\drivers\7b7aefb7.sys [?]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\roxio creator 2009\digital home 11\RoxioUpnpService11.exe [2008-8-14 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [2008-8-14 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [2008-8-14 170480]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-11-11 34216]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [2008-8-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [2008-8-14 1124848]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2005-8-17 57344]
UnknownUnknown xffpw;xffpw; [x]

=============== Created Last 30 ================

2009-08-28 07:58 61,440 a------- c:\windows\system32\drivers\dqiwa.sys
2009-08-21 08:04 22 a------- C:\stinger.opt
2009-08-21 06:19 7,680 a--sh--- c:\windows\Thumbs.db
2009-08-21 06:15 4,129,799 a------- C:\stinger.com
2009-08-17 21:53 146,432 a------- c:\windows\regedit.com
2009-08-11 11:23 213,024 a------- c:\windows\system32\drivers\str.sys
2009-08-11 11:23 73,984 a------- c:\windows\system32\drivers\ojlcadpdxwqr.sys
2009-08-10 13:13 4 a------- c:\windows\system32\bincd32.dat
2009-08-10 12:16 9 a------- c:\windows\system32\bennuar.old
2009-08-10 12:16 36 a------- c:\windows\system32\sysnet.dat
2009-08-10 12:16 64 a------- c:\windows\ppp4.dat
2009-08-10 12:16 3 a------- c:\windows\ppp3.dat
2009-08-10 12:16 65,536 a------- c:\windows\system32\desot.exe
2009-08-10 12:16 89 a------- c:\windows\system32\sonhelp.htm
2009-08-08 13:22 <DIR> --d----- c:\windows\pss
2009-08-08 13:15 45,344 a------- c:\windows\system32\drivers\ldfc15f.sys
2009-08-08 13:12 61,440 a------- c:\windows\system32\drivers\vdizqfmd.sys
2009-08-08 13:09 78,336 a--sh--- c:\windows\system32\swupdate.dll
2009-08-08 12:29 <DIR> --d----- c:\program files\WinPcap
2009-08-08 11:08 197 a------- c:\windows\system32\MRT.INI

==================== Find3M ====================

2009-08-10 03:35 34 a------- c:\documents and settings\elaine\jagex_runescape_preferences.dat
2009-08-08 13:12 9,836 a------- c:\program files\cftlmrwd.txt
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-06-29 17:19 22,328 a------- c:\docume~1\elaine\applic~1\PnkBstrK.sys

============= FINISH: 18:29:47.03 ===============

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 18:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000A61
Image Path: 00000A61
Address: 0x8A4B7000 Size: 41219 File Visible: No Signed: No
Status: -

Name: 00000A61
Image Path: 00000A61
Address: 0xB3D73000 Size: 73984 File Visible: No Signed: No
Status: Hidden from the Windows API!

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: Yes
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xB4609000 Size: 15200 File Visible: - Signed: No
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB68C3000 Size: 138496 File Visible: - Signed: Yes
Status: -

Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xBA2D8000 Size: 35840 File Visible: - Signed: Yes
Status: -

Name: ASCTRM.SYS
Image Path: C:\WINDOWS\System32\Drivers\ASCTRM.SYS
Address: 0xBA652000 Size: 7488 File Visible: - Signed: No
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 96512 File Visible: - Signed: Yes
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF04E000 Size: 204800 File Visible: - Signed: Yes
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF012000 Size: 245760 File Visible: - Signed: Yes
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xB9650000 Size: 1073152 File Visible: - Signed: Yes
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF0B2000 Size: 2297856 File Visible: - Signed: Yes
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF080000 Size: 204800 File Visible: - Signed: Yes
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF2E3000 Size: 610304 File Visible: - Signed: Yes
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: Yes
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA6EF000 Size: 3072 File Visible: - Signed: Yes
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA620000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB3E5E000 Size: 63744 File Visible: - Signed: Yes
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA2F8000 Size: 62976 File Visible: - Signed: Yes
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA0F8000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0E8000 Size: 36352 File Visible: - Signed: Yes
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA258000 Size: 61440 File Visible: - Signed: Yes
Status: -

Name: DSproct.sys
Image Path: C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
Address: 0xBA5B6000 Size: 4736 File Visible: - Signed: No
Status: -

Name: dsunidrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
Address: 0xBA660000 Size: 5376 File Visible: - Signed: Yes
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB67DD000 Size: 98304 File Visible: No Signed: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA642000 Size: 8192 File Visible: No Signed: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xBA590000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: Yes
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA698000 Size: 4096 File Visible: - Signed: Yes
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xB9360000 Size: 155648 File Visible: - Signed: Yes
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB69C8000 Size: 143744 File Visible: - Signed: Yes
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA208000 Size: 44544 File Visible: - Signed: Yes
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB9F11000 Size: 129792 File Visible: - Signed: Yes
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA61C000 Size: 7936 File Visible: - Signed: Yes
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F49000 Size: 125056 File Visible: - Signed: Yes
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: Yes
Status: -

Name: HCWBT8XX.sys
Image Path: C:\WINDOWS\system32\drivers\HCWBT8XX.sys
Address: 0xB9583000 Size: 446464 File Visible: - Signed: No
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB9614000 Size: 163840 File Visible: - Signed: Yes
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xB916C000 Size: 36864 File Visible: - Signed: Yes
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBA4A0000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBA5A4000 Size: 10368 File Visible: - Signed: Yes
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xB9386000 Size: 680704 File Visible: - Signed: Yes
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xB942D000 Size: 1042432 File Visible: - Signed: Yes
Status: -

Name: HSFHWBS2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Address: 0xB952C000 Size: 212224 File Visible: - Signed: Yes
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB38FD000 Size: 264832 File Visible: - Signed: Yes
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xBA570000 Size: 8576 File Visible: - Signed: Yes
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA2E8000 Size: 42112 File Visible: - Signed: Yes
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA2A8000 Size: 36352 File Visible: - Signed: Yes
Status: -

Name: ipfltdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xBA278000 Size: 32896 File Visible: - Signed: Yes
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB69B5000 Size: 75264 File Visible: - Signed: Yes
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: Yes
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA430000 Size: 24576 File Visible: - Signed: Yes
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xB9756000 Size: 14592 File Visible: - Signed: Yes
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA1CFB000 Size: 172416 File Visible: - Signed: Yes
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xB9560000 Size: 143360 File Visible: - Signed: Yes
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9EFA000 Size: 92288 File Visible: - Signed: Yes
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xB40D6000 Size: 9920 File Visible: - Signed: Yes
Status: -

Name: mfeavfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys
Address: 0xB3B81000 Size: 73152 File Visible: - Signed: Yes
Status: -

Name: mfebopk.sys
Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys
Address: 0xBA370000 Size: 28544 File Visible: - Signed: Yes
Status: -

Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xB67F5000 Size: 207296 File Visible: - Signed: Yes
Status: -

Name: mfesmfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys
Address: 0xB39AE000 Size: 33824 File Visible: - Signed: Yes
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA624000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBA3F0000 Size: 30080 File Visible: - Signed: Yes
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xB976A000 Size: 16128 File Visible: - Signed: Yes
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA440000 Size: 23040 File Visible: - Signed: Yes
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB9DDA000 Size: 12160 File Visible: - Signed: Yes
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0B8000 Size: 42368 File Visible: - Signed: Yes
Status: -

Name: Mpfp.sys
Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys
Address: 0xB6935000 Size: 159744 File Visible: - Signed: Yes
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB4350000 Size: 180608 File Visible: - Signed: Yes
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB6828000 Size: 455296 File Visible: - Signed: Yes
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA478000 Size: 19072 File Visible: - Signed: Yes
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA128000 Size: 35072 File Visible: - Signed: Yes
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB9DBA000 Size: 15488 File Visible: - Signed: Yes
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9E13000 Size: 105344 File Visible: - Signed: Yes
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9E2D000 Size: 182656 File Visible: - Signed: Yes
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB9DC6000 Size: 10112 File Visible: - Signed: Yes
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB4605000 Size: 14592 File Visible: - Signed: Yes
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB9349000 Size: 91520 File Visible: - Signed: Yes
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA198000 Size: 40576 File Visible: - Signed: Yes
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA1C8000 Size: 34688 File Visible: - Signed: Yes
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB68E5000 Size: 162816 File Visible: - Signed: Yes
Status: -

Name: npf.sys
Image Path: C:\WINDOWS\system32\drivers\npf.sys
Address: 0xBA380000 Size: 27392 File Visible: - Signed: Yes
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA488000 Size: 30848 File Visible: - Signed: Yes
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E5A000 Size: 574976 File Visible: - Signed: Yes
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA6F1000 Size: 2944 File Visible: - Signed: Yes
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\omci.sys
Address: 0xBA450000 Size: 17152 File Visible: - Signed: No
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: Yes
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: Yes
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: Yes
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB708C000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9338000 Size: 69120 File Visible: - Signed: Yes
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA410000 Size: 17792 File Visible: - Signed: Yes
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA108000 Size: 37376 File Visible: - Signed: Yes
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB7084000 Size: 8832 File Visible: - Signed: Yes
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA308000 Size: 51328 File Visible: - Signed: Yes
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA318000 Size: 41472 File Visible: - Signed: Yes
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA0D8000 Size: 48384 File Visible: - Signed: Yes
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA420000 Size: 16512 File Visible: - Signed: Yes
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB6898000 Size: 175744 File Visible: - Signed: Yes
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA626000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA2C8000 Size: 57600 File Visible: - Signed: Yes
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA1DB6000 Size: 49152 File Visible: No Signed: No
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB41E6000 Size: 333952 File Visible: - Signed: Yes
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB70B0000 Size: 180096 File Visible: - Signed: Yes
Status: -

Name: STREAM.SYS
Image Path: C:\WINDOWS\system32\drivers\STREAM.SYS
Address: 0xBA2B8000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5F0000 Size: 4352 File Visible: - Signed: Yes
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB3D13000 Size: 60800 File Visible: - Signed: Yes
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB695C000 Size: 361600 File Visible: - Signed: Yes
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA400000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA138000 Size: 40704 File Visible: - Signed: Yes
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB919C000 Size: 384768 File Visible: - Signed: Yes
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5FE000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA3E0000 Size: 30208 File Visible: - Signed: Yes
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA1E8000 Size: 59520 File Visible: - Signed: Yes
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB95F0000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xBA470000 Size: 25856 File Visible: - Signed: Yes
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xB334D000 Size: 26368 File Visible: - Signed: Yes
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA3D8000 Size: 20608 File Visible: - Signed: Yes
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA4A8000 Size: 20992 File Visible: - Signed: Yes
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB963C000 Size: 81920 File Visible: - Signed: Yes
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: Yes
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xB90DC000 Size: 34560 File Visible: - Signed: Yes
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA490000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB3ACC000 Size: 83072 File Visible: - Signed: Yes
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: Yes
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: Yes
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xB706C000 Size: 12032 File Visible: - Signed: Yes
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xB9EE7000 Size: 77568 File Visible: - Signed: Yes
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PID: 556 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 568 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 608 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 632 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 680 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 700 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 816 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 888 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 908 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1044 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1112 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1152 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1276 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1308 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1392 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1472 Status: -

Path: C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PID: 1504 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1568 Status: -

Path: C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PID: 1600 Status: -

Path: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
PID: 1720 Status: -

Path: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
PID: 1764 Status: -

Path: C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
PID: 1840 Status: -

Path: C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
PID: 1920 Status: -

Path: C:\Program Files\McAfee\MSK\msksrver.exe
PID: 1992 Status: -

Path: C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
PID: 2416 Status: -

Path: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
PID: 2480 Status: -

Path: C:\WINDOWS\system32\notepad.exe
PID: 2492 Status: -

Path: C:\Program Files\McAfee\MPF\MpfSrv.exe
PID: 2720 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 2780 Status: -

Path: C:\WINDOWS\system32\PRISMSVR.exe
PID: 2788 Status: -

Path: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
PID: 3044 Status: -

Path: C:\Program Files\Real\RealPlayer\realplay.exe
PID: 3124 Status: -

Path: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PID: 3200 Status: -

Path: C:\Program Files\McAfee.com\Agent\mcagent.exe
PID: 3208 Status: -

Path: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PID: 3240 Status: -

Path: C:\Documents and Settings\Elaine\Application Data\U3\0000187FC5719D1C\LaunchPad.exe
PID: 3252 Status: -

Path: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PID: 3276 Status: -

Path: C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe
PID: 3340 Status: -

Path: C:\Program Files\QuickTime\QTTask.exe
PID: 3364 Status: -

Path: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 3424 Status: -

Path: C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
PID: 3452 Status: -

Path: C:\Program Files\DellSupport\DSAgnt.exe
PID: 3524 Status: -

Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 3536 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 3556 Status: -

Path: C:\Program Files\WinTV\Ir.exe
PID: 3640 Status: -

Path: C:\Program Files\Digital Line Detect\DLG.exe
PID: 3648 Status: -

Path: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PID: 3664 Status: -

Path: C:\Program Files\Dell Wireless\PRISMCFG.exe
PID: 3712 Status: -

Path: C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
PID: 3844 Status: -

Path: C:\Documents and Settings\Elaine\Desktop\RootRepeal.exe
PID: 5796 Status: -

Path: C:\WINDOWS\system32\notepad.exe
PID: 6100 Status: -

ServiceTable Hooked [0x8a4d8d38]!

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Not hooked

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: N

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x8a42cda8, TID: 1136]
Process: svchost.exe (PID: 908) Address: 0x00e41f3c Size: -

Object: Hidden Module [Name: geyekrexwrpoma.dll]
Process: svchost.exe (PID: 908) Address: 0x00670000 Size: 53248

Object: Hidden Module [Name: geyekrlcbmkryv.dll]
Process: svchost.exe (PID: 908) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8add8ad0 Size: 1332

Object: Hidden Code [Driver: Mup, IRP_MJ_CREATE]
Process: System Address: 0x8add8ad0 Size: 1332

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_CREATE]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_CLOSE]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_READ]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_WRITE]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_QUERY_EA]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_SET_EA]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_CLEANUP]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_POWER]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: MPFPȄ扏煓ȁఄ扏济olec, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8addb740 Size: 1715

Object: Hidden Code [Driver: RAW, IRP_MJ_CREATE]
Process: System Address: 0x8add8ad0 Size: 1332

Object: Hidden Code [Driver: FltMgr, IRP_MJ_CREATE]
Process: System Address: 0x8add8ad0 Size: 1332

Hidden Services
-------------------
Shadow SSDT
-------------------
#: 000 Function Name: NtGdiAbortDoc
Status: Not hooked

#: 001 Function Name: NtGdiAbortPath
Status: Not hooked

#: 002 Function Name: NtGdiAddFontResourceW
Status: Not hooked

#: 003 Function Name: NtGdiAddRemoteFontToDC
Status: Not hooked

#: 004 Function Name: NtGdiAddFontMemResourceEx
Status: Not hooked

#: 005 Function Name: NtGdiRemoveMergeFont
Status: Not hooked

#: 006 Function Name: NtGdiAddRemoteMMInstanceToDC
Status: Not hooked

#: 007 Function Name: NtGdiAlphaBlend
Status: Not hooked

#: 008 Function Name: NtGdiAngleArc
Status: Not hooked

#: 009 Function Name: NtGdiAnyLinkedFonts
Status: Not hooked

#: 010 Function Name: NtGdiFontIsLinked
Status: Not hooked

#: 011 Function Name: NtGdiArcInternal
Status: Not hooked

#: 012 Function Name: NtGdiBeginPath
Status: Not hooked

#: 013 Function Name: NtGdiBitBlt
Status: Not hooked

#: 014 Function Name: NtGdiCancelDC
Status: Not hooked

#: 015 Function Name: NtGdiCheckBitmapBits
Status: Not hooked

#: 016 Function Name: NtGdiCloseFigure
Status: Not hooked

#: 017 Function Name: NtGdiClearBitmapAttributes
Status: Not hooked

#: 018 Function Name: NtGdiClearBrushAttributes
Status: Not hooked

#: 019 Function Name: NtGdiColorCorrectPalette
Status: Not hooked

#: 020 Function Name: NtGdiCombineRgn
Status: Not hooked

#: 021 Function Name: NtGdiCombineTransform
Status: Not hooked

#: 022 Function Name: NtGdiComputeXformCoefficients
Status: Not hooked

#: 023 Function Name: NtGdiConsoleTextOut
Status: Not hooked

#: 024 Function Name: NtGdiConvertMetafileRect
Status: Not hooked

#: 025 Function Name: NtGdiCreateBitmap
Status: Not hooked

#: 026 Function Name: NtGdiCreateClientObj
Status: Not hooked

#: 027 Function Name: NtGdiCreateColorSpace
Status: Not hooked

#: 028 Function Name: NtGdiCreateColorTransform
Status: Not hooked

#: 029 Function Name: NtGdiCreateCompatibleBitmap
Status: Not hooked

#: 030 Function Name: NtGdiCreateCompatibleDC
Status: Not hooked

#: 031 Function Name: NtGdiCreateDIBBrush
Status: Not hooked

#: 032 Function Name: NtGdiCreateDIBitmapInternal
Status: Not hooked

#: 033 Function Name: NtGdiCreateDIBSection
Status: Not hooked

#: 034 Function Name: NtGdiCreateEllipticRgn
Status: Not hooked

#: 035 Function Name: NtGdiCreateHalftonePalette
Status: Not hooked

#: 036 Function Name: NtGdiCreateHatchBrushInternal
Status: Not hooked

#: 037 Function Name: NtGdiCreateMetafileDC
Status: Not hooked

#: 038 Function Name: NtGdiCreatePaletteInternal
Status: Not hooked

#: 039 Function Name: NtGdiCreatePatternBrushInternal
Status: Not hooked

#: 040 Function Name: NtGdiCreatePen
Status: Not hooked

#: 041 Function Name: NtGdiCreateRectRgn
Status: Not hooked

#: 042 Function Name: NtGdiCreateRoundRectRgn
Status: Not hooked

#: 043 Function Name: NtGdiCreateServerMetaFile
Status: Not hooked

#: 044 Function Name: NtGdiCreateSolidBrush
Status: Not hooked

#: 045 Function Name: NtGdiD3dContextCreate
Status: Not hooked

#: 046 Function Name: NtGdiD3dContextDestroy
Status: Not hooked

#: 047 Function Name: NtGdiD3dContextDestroyAll
Status: Not hooked

#: 048 Function Name: NtGdiD3dValidateTextureStageState
Status: Not hooked

#: 049 Function Name: NtGdiD3dDrawPrimitives2
Status: Not hooked

#: 050 Function Name: NtGdiDdGetDriverState
Status: Not hooked

#: 051 Function Name: NtGdiDdAddAttachedSurface
Status: Not hooked

#: 052 Function Name: NtGdiDdAlphaBlt
Status: Not hooked

#: 053 Function Name: NtGdiDdAttachSurface
Status: Not hooked

#: 054 Function Name: NtGdiDdBeginMoCompFrame
Status: Not hooked

#: 055 Function Name: NtGdiDdBlt
Status: Not hooked

#: 056 Function Name: NtGdiDdCanCreateSurface
Status: Not hooked

#: 057 Function Name: NtGdiDdCanCreateD3DBuffer
Status: Not hooked

#: 058 Function Name: NtGdiDdColorControl
Status: Not hooked

#: 059 Function Name: NtGdiDdCreateDirectDrawObject
Status: Not hooked

#: 060 Function Name: NtGdiDdCreateSurface
Status: Not hooked

#: 061 Function Name: NtGdiDdCreateD3DBuffer
Status: Not hooked

#: 062 Function Name: NtGdiDdCreateMoComp
Status: Not hooked

#: 063 Function Name: NtGdiDdCreateSurfaceObject
Status: Not hooked

#: 064 Function Name: NtGdiDdDeleteDirectDrawObject
Status: Not hooked

#: 065 Function Name: NtGdiDdDeleteSurfaceObject
Status: Not hooked

#: 066 Function Name: NtGdiDdDestroyMoComp
Status: Not hooked

#: 067 Function Name: NtGdiDdDestroySurface
Status: Not hooked

#: 068 Function Name: NtGdiDdDestroyD3DBuffer
Status: Not hooked

#: 069 Function Name: NtGdiDdEndMoCompFrame
Status: Not hooked

#: 070 Function Name: NtGdiDdFlip
Status: Not hooked

#: 071 Function Name: NtGdiDdFlipToGDISurface
Status: Not hooked

#: 072 Function Name: NtGdiDdGetAvailDriverMemory
Status: Not hooked

#: 073 Function Name: NtGdiDdGetBltStatus
Status: Not hooked

#: 074 Function Name: NtGdiDdGetDC
Status: Not hooked

#: 075 Function Name: NtGdiDdGetDriverInfo
Status: Not hooked

#: 076 Function Name: NtGdiDdGetDxHandle
Status: Not hooked

#: 077 Function Name: NtGdiDdGetFlipStatus
Status: Not hooked

#: 078 Function Name: NtGdiDdGetInternalMoCompInfo
Status: Not hooked

#: 079 Function Name: NtGdiDdGetMoCompBuffInfo
Status: Not hooked

#: 080 Function Name: NtGdiDdGetMoCompGuids
Status: Not hooked

#: 081 Function Name: NtGdiDdGetMoCompFormats
Status: Not hooked

#: 082 Function Name: NtGdiDdGetScanLine
Status: Not hooked

#: 083 Function Name: NtGdiDdLock
Status: Not hooked

#: 084 Function Name: NtGdiDdLockD3D
Status: Not hooked

#: 085 Function Name: NtGdiDdQueryDirectDrawObject
Status: Not hooked

#: 086 Function Name: NtGdiDdQueryMoCompStatus
Status: Not hooked

#: 087 Function Name: NtGdiDdReenableDirectDrawObject
Status: Not hooked

#: 088 Function Name: NtGdiDdReleaseDC
Status: Not hooked

#: 089 Function Name: NtGdiDdRenderMoComp
Status: Not hooked

#: 090 Function Name: NtGdiDdResetVisrgn
Status: Not hooked

#: 091 Function Name: NtGdiDdSetColorKey
Status: Not hooked

#: 092 Function Name: NtGdiDdSetExclusiveMode
Status: Not hooked

#: 093 Function Name: NtGdiDdSetGammaRamp
Status: Not hooked

#: 094 Function Name: NtGdiDdCreateSurfaceEx
Status: Not hooked

#: 095 Function Name: NtGdiDdSetOverlayPosition
Status: Not hooked

#: 096 Function Name: NtGdiDdUnattachSurface
Status: Not hooked

#: 097 Function Name: NtGdiDdUnlock
Status: Not hooked

#: 098 Function Name: NtGdiDdUnlockD3D
Status: Not hooked

#: 099 Function Name: NtGdiDdUpdateOverlay
Status: Not hooked

#: 100 Function Name: NtGdiDdWaitForVerticalBlank
Status: Not hooked

#: 101 Function Name: NtGdiDvpCanCreateVideoPort
Status: Not hooked

#: 102 Function Name: NtGdiDvpColorControl
Status: Not hooked

#: 103 Function Name: NtGdiDvpCreateVideoPort
Status: Not hooked

#: 104 Function Name: NtGdiDvpDestroyVideoPort
Status: Not hooked

#: 105 Function Name: NtGdiDvpFlipVideoPort
Status: Not hooked

#: 106 Function Name: NtGdiDvpGetVideoPortBandwidth
Status: Not hooked

#: 107 Function Name: NtGdiDvpGetVideoPortField
Status: Not hooked

#: 108 Function Name: NtGdiDvpGetVideoPortFlipStatus
Status: Not hooked

#: 109 Function Name: NtGdiDvpGetVideoPortInputFormats
Status: Not hooked

#: 110 Function Name: NtGdiDvpGetVideoPortLine
Status: Not hooked

#: 111 Function Name: NtGdiDvpGetVideoPortOutputFormats
Status: Not hooked

#: 112 Function Name: NtGdiDvpGetVideoPortConnectInfo
Status: Not hooked

#: 113 Function Name: NtGdiDvpGetVideoSignalStatus
Status: Not hooked

#: 114 Function Name: NtGdiDvpUpdateVideoPort
Status: Not hooked

#: 115 Function Name: NtGdiDvpWaitForVideoPortSync
Status: Not hooked

#: 116 Function Name: NtGdiDvpAcquireNotification
Status: Not hooked

#: 117 Function Name: NtGdiDvpReleaseNotification
Status: Not hooked

#: 118 Function Name: NtGdiDxgGenericThunk
Status: Not hooked

#: 119 Function Name: NtGdiDeleteClientObj
Status: Not hooked

#: 120 Function Name: NtGdiDeleteColorSpace
Status: Not hooked

#: 121 Function Name: NtGdiDeleteColorTransform
Status: Not hooked

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Not hooked

#: 123 Function Name: NtGdiDescribePixelFormat
Status: Not hooked

#: 124 Function Name: NtGdiGetPerBandInfo
Status: Not hooked

#: 125 Function Name: NtGdiDoBanding
Status: Not hooked

#: 126 Function Name: NtGdiDoPalette
Status: Not hooked

#: 127 Function Name: NtGdiDrawEscape
Status: Not hooked

#: 128 Function Name: NtGdiEllipse
Status: Not hooked

#: 129 Function Name: NtGdiEnableEudc
Status: Not hooked

#: 130 Function Name: NtGdiEndDoc
Status: Not hooked

#: 131 Function Name: NtGdiEndPage
Status: Not hooked

#: 132 Function Name: NtGdiEndPath
Status: Not hooked

#: 133 Function Name: NtGdiEnumFontChunk
Status: Not hooked

#: 134 Function Name: NtGdiEnumFontClose
Status: Not hooked

#: 135 Function Name: NtGdiEnumFontOpen
Status: Not hooked

#: 136 Function Name: NtGdiEnumObjects
Status: Not hooked

#: 137 Function Name: NtGdiEqualRgn
Status: Not hooked

#: 138 Function Name: NtGdiEudcLoadUnloadLink
Status: Not hooked

#: 139 Function Name: NtGdiExcludeClipRect
Status: Not hooked

#: 140 Function Name: NtGdiExtCreatePen
Status: Not hooked

#: 141 Function Name: NtGdiExtCreateRegion
Status: Not hooked

#: 142 Function Name: NtGdiExtEscape
Status: Not hooked

#: 143 Function Name: NtGdiExtFloodFill
Status: Not hooked

#: 144 Function Name: NtGdiExtGetObjectW
Status: Not hooked

#: 145 Function Name: NtGdiExtSelectClipRgn
Status: Not hooked

#: 146 Function Name: NtGdiExtTextOutW
Status: Not hooked

#: 147 Function Name: NtGdiFillPath
Status: Not hooked

#: 148 Function Name: NtGdiFillRgn
Status: Not hooked

#: 149 Function Name: NtGdiFlattenPath
Status: Not hooked

#: 150 Function Name: NtGdiFlushUserBatch
Status: Not hooked

#: 151 Function Name: NtGdiFlush
Status: Not hooked

#: 152 Function Name: NtGdiForceUFIMapping
Status: Not hooked

#: 153 Function Name: NtGdiFrameRgn
Status: Not hooked

#: 154 Function Name: NtGdiFullscreenControl
Status: Not hooked

#: 155 Function Name: NtGdiGetAndSetDCDword
Status: Not hooked

#: 156 Function Name: NtGdiGetAppClipBox
Status: Not hooked

#: 157 Function Name: NtGdiGetBitmapBits
Status: Not hooked

#: 158 Function Name: NtGdiGetBitmapDimension
Status: Not hooked

#: 159 Function Name: NtGdiGetBoundsRect
Status: Not hooked

#: 160 Function Name: NtGdiGetCharABCWidthsW
Status: Not hooked

#: 161 Function Name: NtGdiGetCharacterPlacementW
Status: Not hooked

#: 162 Function Name: NtGdiGetCharSet
Status: Not hooked

#: 163 Function Name: NtGdiGetCharWidthW
Status: Not hooked

#: 164 Function Name: NtGdiGetCharWidthInfo
Status: Not hooked

#: 165 Function Name: NtGdiGetColorAdjustment
Status: Not hooked

#: 166 Function Name: NtGdiGetColorSpaceforBitmap
Status: Not hooked

#: 167 Function Name: NtGdiGetDCDword
Status: Not hooked

#: 168 Function Name: NtGdiGetDCforBitmap
Status: Not hooked

#: 169 Function Name: NtGdiGetDCObject
Status: Not hooked

#: 170 Function Name: NtGdiGetDCPoint
Status: Not hooked

#: 171 Function Name: NtGdiGetDeviceCaps
Status: Not hooked

#: 172 Function Name: NtGdiGetDeviceGammaRamp
Status: Not hooked

#: 173 Function Name: NtGdiGetDeviceCapsAll
Status: Not hooked

#: 174 Function Name: NtGdiGetDIBitsInternal
Status: Not hooked

#: 175 Function Name: NtGdiGetETM
Status: Not hooked

#: 176 Function Name: NtGdiGetEudcTimeStampEx
Status: Not hooked

#: 177 Function Name: NtGdiGetFontData
Status: Not hooked

#: 178 Function Name: NtGdiGetFontResourceInfoInternalW
Status: Not hooked

#: 179 Function Name: NtGdiGetGlyphIndicesW
Status: Not hooked

#: 180 Function Name: NtGdiGetGlyphIndicesWInternal
Status: Not hooked

#: 181 Function Name: NtGdiGetGlyphOutline
Status: Not hooked

#: 182 Function Name: NtGdiGetKerningPairs
Status: Not hooked

#: 183 Function Name: NtGdiGetLinkedUFIs
Status: Not hooked

#: 184 Function Name: NtGdiGetMiterLimit
Status: Not hooked

#: 185 Function Name: NtGdiGetMonitorID
Status: Not hooked

#: 186 Function Name: NtGdiGetNearestColor
Status: Not hooked

#: 187 Function Name: NtGdiGetNearestPaletteIndex
Status: Not hooked

#: 188 Function Name: NtGdiGetObjectBitmapHandle
Status: Not hooked

#: 189 Function Name: NtGdiGetOutlineTextMetricsInternalW
Status: Not hooked

#: 190 Function Name: NtGdiGetPath
Status: Not hooked

#: 191 Function Name: NtGdiGetPixel
Status: Not hooked

#: 192 Function Name: NtGdiGetRandomRgn
Status: Not hooked

#: 193 Function Name: NtGdiGetRasterizerCaps
Status: Not hooked

#: 194 Function Name: NtGdiGetRealizationInfo
Status: Not hooked

#: 195 Function Name: NtGdiGetRegionData
Status: Not hooked

#: 196 Function Name: NtGdiGetRgnBox
Status: Not hooked

#: 197 Function Name: NtGdiGetServerMetaFileBits
Status: Not hooked

#: 198 Function Name: NtGdiGetSpoolMessage
Status: Not hooked

#: 199 Function Name: NtGdiGetStats
Status: Not hooked

#: 200 Function Name: NtGdiGetStockObject
Status: Not hooked

#: 201 Function Name: NtGdiGetStringBitmapW
Status: Not hooked

#: 202 Function Name: NtGdiGetSystemPaletteUse
Status: Not hooked

#: 203 Function Name: NtGdiGetTextCharsetInfo
Status: Not hooked

#: 204 Function Name: NtGdiGetTextExtent
Status: Not hooked

#: 205 Function Name: NtGdiGetTextExtentExW
Status: Not hooked

#: 206 Function Name: NtGdiGetTextFaceW
Status: Not hooked

#: 207 Function Name: NtGdiGetTextMetricsW
Status: Not hooked

#: 208 Function Name: NtGdiGetTransform
Status: Not hooked

#: 209 Function Name: NtGdiGetUFI
Status: Not hooked

#: 210 Function Name: NtGdiGetEmbUFI
Status: Not hooked

#: 211 Function Name: NtGdiGetUFIPathname
Status: Not hooked

#: 212 Function Name: NtGdiGetEmbedFonts
Status: Not hooked

#: 213 Function Name: NtGdiChangeGhostFont
Status: Not hooked

#: 214 Function Name: NtGdiAddEmbFontToDC
Status: Not hooked

#: 215 Function Name: NtGdiGetFontUnicodeRanges
Status: Not hooked

#: 216 Function Name: NtGdiGetWidthTable
Status: Not hooked

#: 217 Function Name: NtGdiGradientFill
Status: Not hooked

#: 218 Function Name: NtGdiHfontCreate
Status: Not hooked

#: 219 Function Name: NtGdiIcmBrushInfo
Status: Not hooked

#: 220 Function Name: NtGdiInit
Status: Not hooked

#: 221 Function Name: NtGdiInitSpool
Status: Not hooked

#: 222 Function Name: NtGdiIntersectClipRect
Status: Not hooked

#: 223 Function Name: NtGdiInvertRgn
Status: Not hooked

#: 224 Function Name: NtGdiLineTo
Status: Not hooked

#: 225 Function Name: NtGdiMakeFontDir
Status: Not hooked

#: 226 Function Name: NtGdiMakeInfoDC
Status: Not hooked

#: 227 Function Name: NtGdiMaskBlt
Status: Not hooked

#: 228 Function Name: NtGdiModifyWorldTransform
Status: Not hooked

#: 229 Function Name: NtGdiMonoBitmap
Status: Not hooked

#: 230 Function Name: NtGdiMoveTo
Status: Not hooked

#: 231 Function Name: NtGdiOffsetClipRgn
Status: Not hooked

#: 232 Function Name: NtGdiOffsetRgn
Status: Not hooked

#: 233 Function Name: NtGdiOpenDCW
Status: Not hooked

#: 234 Function Name: NtGdiPatBlt
Status: Not hooked

#: 235 Function Name: NtGdiPolyPatBlt
Status: Not hooked

#: 236 Function Name: NtGdiPathToRegion
Status: Not hooked

#: 237 Function Name: NtGdiPlgBlt
Status: Not hooked

#: 238 Function Name: NtGdiPolyDraw
Status: Not hooked

#: 239 Function Name: NtGdiPolyPolyDraw
Status: Not hooked

#: 240 Function Name: NtGdiPolyTextOutW
Status: Not hooked

#: 241 Function Name: NtGdiPtInRegion
Status: Not hooked

#: 242 Function Name: NtGdiPtVisible
Status: Not hooked

#: 243 Function Name: NtGdiQueryFonts
Status: Not hooked

#: 244 Function Name: NtGdiQueryFontAssocInfo
Status: Not hooked

#: 245 Function Name: NtGdiRectangle
Status: Not hooked

#: 246 Function Name: NtGdiRectInRegion
Status: Not hooked

#: 247 Function Name: NtGdiRectVisible
Status: Not hooked

#: 248 Function Name: NtGdiRemoveFontResourceW
Status: Not hooked

#: 249 Function Name: NtGdiRemoveFontMemResourceEx
Status: Not hooked

#: 250 Function Name: NtGdiResetDC
Status: Not hooked

#: 251 Function Name: NtGdiResizePalette
Status: Not hooked

#: 252 Function Name: NtGdiRestoreDC
Status: Not hooked

#: 253 Function Name: NtGdiRoundRect
Status: Not hooked

#: 254 Function Name: NtGdiSaveDC
Status: Not hooked

#: 255 Function Name: NtGdiScaleViewportExtEx
Status: Not hooked

#: 256 Function Name: NtGdiScaleWindowExtEx
Status: Not hooked

#: 257 Function Name: NtGdiSelectBitmap
Status: Not hooked

#: 258 Function Name: NtGdiSelectBrush
Status: Not hooked

#: 259 Function Name: NtGdiSelectClipPath
Status: Not hooked

#: 260 Function Name: NtGdiSelectFont
Status: Not hooked

#: 261 Function Name: NtGdiSelectPen
Status: Not hooked

#: 262 Function Name: NtGdiSetBitmapAttributes
Status: Not hooked

#: 263 Function Name: NtGdiSetBitmapBits
Status: Not hooked

#: 264 Function Name: NtGdiSetBitmapDimension
Status: Not hooked

#: 265 Function Name: NtGdiSetBoundsRect
Status: Not hooked

#: 266 Function Name: NtGdiSetBrushAttributes
Status: Not hooked

#: 267 Function Name: NtGdiSetBrushOrg
Status: Not hooked

#: 268 Function Name: NtGdiSetColorAdjustment
Status: Not hooked

#: 269 Function Name: NtGdiSetColorSpace
Status: Not hooked

#: 270 Function Name: NtGdiSetDeviceGammaRamp
Status: Not hooked

#: 271 Function Name: NtGdiSetDIBitsToDeviceInternal
Status: Not hooked

#: 272 Function Name: NtGdiSetFontEnumeration
Status: Not hooked

#: 273 Function Name: NtGdiSetFontXform
Status: Not hooked

#: 274 Function Name: NtGdiSetIcmMode
Status: Not hooked

#: 275 Function Name: NtGdiSetLinkedUFIs
Status: Not hooked

#: 276 Function Name: NtGdiSetMagicColors
Status: Not hooked

#: 277 Function Name: NtGdiSetMetaRgn
Status: Not hooked

#: 278 Function Name: NtGdiSetMiterLimit
Status: Not hooked

#: 279 Function Name: NtGdiGetDeviceWidth
Status: Not hooked

#: 280 Function Name: NtGdiMirrorWindowOrg
Status: Not hooked

#: 281 Function Name: NtGdiSetLayout
Status: Not hooked

#: 282 Function Name: NtGdiSetPixel
Status: Not hooked

#: 283 Function Name: NtGdiSetPixelFormat
Status: Not hooked

#: 284 Function Name: NtGdiSetRectRgn
Status: Not hooked

#: 285 Function Name: NtGdiSetSystemPaletteUse
Status: Not hooked

#: 286 Function Name: NtGdiSetTextJustification
Status: Not hooked

#: 287 Function Name: NtGdiSetupPublicCFONT
Status: Not hooked

#: 288 Function Name: NtGdiSetVirtualResolution
Status: Not hooked

#: 289 Function Name: NtGdiSetSizeDevice
Status: Not hooked

#: 290 Function Name: NtGdiStartDoc
Status: Not hooked

#: 291 Function Name: NtGdiStartPage
Status: Not hooked

#: 292 Function Name: NtGdiStretchBlt
Status: Not hooked

#: 293 Function Name: NtGdiStretchDIBitsInternal
Status: Not hooked

#: 294 Function Name: NtGdiStrokeAndFillPath
Status: Not hooked

#: 295 Function Name: NtGdiStrokePath
Status: Not hooked

#: 296 Function Name: NtGdiSwapBuffers
Status: Not hooked

#: 297 Function Name: NtGdiTransformPoints
Status: Not hooked

#: 298 Function Name: NtGdiTransparentBlt
Status: Not hooked

#: 299 Function Name: NtGdiUnloadPrinterDriver
Status: Not hooked

#: 300 Function Name: NtGdiUnmapMemFont
Status: Not hooked

#: 301 Function Name: NtGdiUnrealizeObject
Status: Not hooked

#: 302 Function Name: NtGdiUpdateColors
Status: Not hooked

#: 303 Function Name: NtGdiWidenPath
Status: Not hooked

#: 304 Function Name: NtUserActivateKeyboardLayout
Status: Not hooked

#: 305 Function Name: NtUserAlterWindowStyle
Status: Not hooked

#: 306 Function Name: NtUserAssociateInputContext
Status: Not hooked

#: 307 Function Name: NtUserAttachThreadInput
Status: Not hooked

#: 308 Function Name: NtUserBeginPaint
Status: Not hooked

#: 309 Function Name: NtUserBitBltSysBmp
Status: Not hooked

#: 310 Function Name: NtUserBlockInput
Status: Not hooked

#: 311 Function Name: NtUserBuildHimcList
Status: Not hooked

#: 312 Function Name: NtUserBuildHwndList
Status: Not hooked

#: 313 Function Name: NtUserBuildNameList
Status: Not hooked

#: 314 Function Name: NtUserBuildPropList
Status: Not hooked

#: 315 Function Name: NtUserCallHwnd
Status: Not hooked

#: 316 Function Name: NtUserCallHwndLock
Status: Not hooked

#: 317 Function Name: NtUserCallHwndOpt
Status: Not hooked

#: 318 Function Name: NtUserCallHwndParam
Status: Not hooked

#: 319 Function Name: NtUserCallHwndParamLock
Status: Not hooked

#: 320 Function Name: NtUserCallMsgFilter
Status: Not hooked

#: 321 Function Name: NtUserCallNextHookEx
Status: Not hooked

#: 322 Function Name: NtUserCallNoParam
Status: Not hooked

#: 323 Function Name: NtUserCallOneParam
Status: Not hooked

#: 324 Function Name: NtUserCallTwoParam
Status: Not hooked

#: 325 Function Name: NtUserChangeClipboardChain
Status: Not hooked

#: 326 Function Name: NtUserChangeDisplaySettings
Status: Not hooked

#: 327 Function Name: NtUserCheckImeHotKey
Status: Not hooked

#: 328 Function Name: NtUserCheckMenuItem
Status: Not hooked

#: 329 Function Name: NtUserChildWindowFromPointEx
Status: Not hooked

#: 330 Function Name: NtUserClipCursor
Status: Not hooked

#: 331 Function Name: NtUserCloseClipboard
Status: Not hooked

#: 332 Function Name: NtUserCloseDesktop
Status: Not hooked

#: 333 Function Name: NtUserCloseWindowStation
Status: Not hooked

#: 334 Function Name: NtUserConsoleControl
Status: Not hooked

#: 335 Function Name: NtUserConvertMemHandle
Status: Not hooked

#: 336 Function Name: NtUserCopyAcceleratorTable
Status: Not hooked

#: 337 Function Name: NtUserCountClipboardFormats
Status: Not hooked

#: 338 Function Name: NtUserCreateAcceleratorTable
Status: Not hooked

#: 339 Function Name: NtUserCreateCaret
Status: Not hooked

#: 340 Function Name: NtUserCreateDesktop
Status: Not hooked

#: 341 Function Name: NtUserCreateInputContext
Status: Not hooked

#: 342 Function Name: NtUserCreateLocalMemHandle
Status: Not hooked

#: 343 Function Name: NtUserCreateWindowEx
Status: Not hooked

#: 344 Function Name: NtUserCreateWindowStation
Status: Not hooked

#: 345 Function Name: NtUserDdeGetQualityOfService
Status: Not hooked

#: 346 Function Name: NtUserDdeInitialize
Status: Not hooked

#: 347 Function Name: NtUserDdeSetQualityOfService
Status: Not hooked

#: 348 Function Name: NtUserDeferWindowPos
Status: Not hooked

#: 349 Function Name: NtUserDefSetText
Status: Not hooked

#: 350 Function Name: NtUserDeleteMenu
Status: Not hooked

#: 351 Function Name: NtUserDestroyAcceleratorTable
Status: Not hooked

#: 352 Function Name: NtUserDestroyCursor
Status: Not hooked

#: 353 Function Name: NtUserDestroyInputContext
Status: Not hooked

#: 354 Function Name: NtUserDestroyMenu
Status: Not hooked

#: 355 Function Name: NtUserDestroyWindow
Status: Not hooked

#: 356 Function Name: NtUserDisableThreadIme
Status: Not hooked

#: 357 Function Name: NtUserDispatchMessage
Status: Not hooked

#: 358 Function Name: NtUserDragDetect
Status: Not hooked

#: 359 Function Name: NtUserDragObject
Status: Not hooked

#: 360 Function Name: NtUserDrawAnimatedRects
Status: Not hooked

#: 361 Function Name: NtUserDrawCaption
Status: Not hooked

#: 362 Function Name: NtUserDrawCaptionTemp
Status: Not hooked

#: 363 Function Name: NtUserDrawIconEx
Status: Not hooked

#: 364 Function Name: NtUserDrawMenuBarTemp
Status: Not hooked

#: 365 Function Name: NtUserEmptyClipboard
Status: Not hooked

#: 366 Function Name: NtUserEnableMenuItem
Status: Not hooked

#: 367 Function Name: NtUserEnableScrollBar
Status: Not hooked

#: 368 Function Name: NtUserEndDeferWindowPosEx
Status: Not hooked

#: 369 Function Name: NtUserEndMenu
Status: Not hooked

#: 370 Function Name: NtUserEndPaint
Status: Not hooked

#: 371 Function Name: NtUserEnumDisplayDevices
Status: Not hooked

#: 372 Function Name: NtUserEnumDisplayMonitors
Status: Not hooked

#: 373 Function Name: NtUserEnumDisplaySettings
Status: Not hooked

#: 374 Function Name: NtUserEvent
Status: Not hooked

#: 375 Function Name: NtUserExcludeUpdateRgn
Status: Not hooked

#: 376 Function Name: NtUserFillWindow
Status: Not hooked

#: 377 Function Name: NtUserFindExistingCursorIcon
Status: Not hooked

#: 378 Function Name: NtUserFindWindowEx
Status: Not hooked

#: 379 Function Name: NtUserFlashWindowEx
Status: Not hooked

#: 380 Function Name: NtUserGetAltTabInfo
Status: Not hooked

#: 381 Function Name: NtUserGetAncestor
Status: Not hooked

#: 382 Function Name: NtUserGetAppImeLevel
Status: Not hooked

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Not hooked

#: 384 Function Name: NtUserGetAtomName
Status: Not hooked

#: 385 Function Name: NtUserGetCaretBlinkTime
Status: Not hooked

#: 386 Function Name: NtUserGetCaretPos
Status: Not hooked

#: 387 Function Name: NtUserGetClassInfo
Status: Not hooked

#: 388 Function Name: NtUserGetClassName
Status: Not hooked

#: 389 Function Name: NtUserGetClipboardData
Status: Not hooked

#: 390 Function Name: NtUserGetClipboardFormatName
Status: Not hooked

#: 391 Function Name: NtUserGetClipboardOwner
Status: Not hooked

#: 392 Function Name: NtUserGetClipboardSequenceNumber
Status: Not hooked

#: 393 Function Name: NtUserGetClipboardViewer
Status: Not hooked

#: 394 Function Name: NtUserGetClipCursor
Status: Not hooked

#: 395 Function Name: NtUserGetComboBoxInfo
Status: Not hooked

#: 396 Function Name: NtUserGetControlBrush
Status: Not hooked

#: 397 Function Name: NtUserGetControlColor
Status: Not hooked

#: 398 Function Name: NtUserGetCPD
Status: Not hooked

#: 399 Function Name: NtUserGetCursorFrameInfo
Status: Not hooked

#: 400 Function Name: NtUserGetCursorInfo
Status: Not hooked

#: 401 Function Name: NtUserGetDC
Status: Not hooked

#: 402 Function Name: NtUserGetDCEx
Status: Not hooked

#: 403 Function Name: NtUserGetDoubleClickTime
Status: Not hooked

#: 404 Function Name: NtUserGetForegroundWindow
Status: Not hooked

#: 405 Function Name: NtUserGetGuiResources
Status: Not hooked

#: 406 Function Name: NtUserGetGUIThreadInfo
Status: Not hooked

#: 407 Function Name: NtUserGetIconInfo
Status: Not hooked

#: 408 Function Name: NtUserGetIconSize
Status: Not hooked

#: 409 Function Name: NtUserGetImeHotKey
Status: Not hooked

#: 410 Function Name: NtUserGetImeInfoEx
Status: Not hooked

#: 411 Function Name: NtUserGetInternalWindowPos
Status: Not hooked

#: 412 Function Name: NtUserGetKeyboardLayoutList
Status: Not hooked

#: 413 Function Name: NtUserGetKeyboardLayoutName
Status: Not hooked

#: 414 Function Name: NtUserGetKeyboardState
Status: Not hooked

#: 415 Function Name: NtUserGetKeyNameText
Status: Not hooked

#: 416 Function Name: NtUserGetKeyState
Status: Not hooked

#: 417 Function Name: NtUserGetListBoxInfo
Status: Not hooked

#: 418 Function Name: NtUserGetMenuBarInfo
Status: Not hooked

#: 419 Function Name: NtUserGetMenuIndex
Status: Not hooked

#: 420 Function Name: NtUserGetMenuItemRect
Status: Not hooked

#: 421 Function Name: NtUserGetMessage
Status: Not hooked

#: 422 Function Name: NtUserGetMouseMovePointsEx
Status: Not hooked

#: 423 Function Name: NtUserGetObjectInformation
Status: Not hooked

#: 424 Function Name: NtUserGetOpenClipboardWindow
Status: Not hooked

#: 425 Function Name: NtUserGetPriorityClipboardFormat
Status: Not hooked

#: 426 Function Name: NtUserGetProcessWindowStation
Status: Not hooked

#: 427 Function Name: NtUserGetRawInputBuffer
Status: Not hooked

#: 428 Function Name: NtUserGetRawInputData
Status: Not hooked

#: 429 Function Name: NtUserGetRawInputDeviceInfo
Status: Not hooked

#: 430 Function Name: NtUserGetRawInputDeviceList
Status: Not hooked

#: 431 Function Name: NtUserGetRegisteredRawInputDevices
Status: Not hooked

#: 432 Function Name: NtUserGetScrollBarInfo
Status: Not hooked

#: 433 Function Name: NtUserGetSystemMenu
Status: Not hooked

#: 43==EOF==

Edited by PonchyRCA, 29 August 2009 - 09:06 AM.


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:34 AM

Posted 04 September 2009 - 04:18 PM

Hello PonchyRCA,

Has your McAfee SecurityCenter (Antivirus) expired? :(

Let's try running RootRepeal a different way.
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up, check the box beside Drivers area (leave the others unchecked).
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Post those logs back in your next reply.

Edited by SifuMike, 04 September 2009 - 04:46 PM.


#3 PonchyRCA

PonchyRCA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:34 AM

Posted 06 September 2009 - 08:51 PM

First, thanks very much for your help. Sorry I haven't gotten back to you earlier. We took off for a couple of days to visit family.

Anyway, my McAfee account is still current, however, I had the affected machine disconnected from the internet so the status was showing out of date. I am communicating on a clean machine for these messages and using a USB drive to copy logs and so forth.

In either case I disabled McAfee Security Center and ran Root Repeal.

I got the same error messages "Could Not Read Boot Sector. Try Adjusting the Disk Acess Level in the Options Dialog." I tried with several different settings and still got the same message. The error occurred 4 times before the program actually started running before I could select the "Report" tab. Then the error message displayed 3 more times while the scan was in progress. I also got the following message at the end of RootRepeal "Could Not Read System Registry! Please Contact the Author!" The details again showed Unrecognized Partition Type 6 (0x6)!.

Anyway, below are the results of this scan.
Again, thanks for your help.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/06 20:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000B7B
Image Path: 00000B7B
Address: 0x8A4C3000 Size: 41219 File Visible: No Signed: No
Status: -

Name: 00000B7B
Image Path: 00000B7B
Address: 0xB3E14000 Size: 73984 File Visible: No Signed: No
Status: Hidden from the Windows API!

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: Yes
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xB48C8000 Size: 15200 File Visible: - Signed: No
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB6C92000 Size: 138496 File Visible: - Signed: Yes
Status: -

Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xBA2D8000 Size: 35840 File Visible: - Signed: Yes
Status: -

Name: ASCTRM.SYS
Image Path: C:\WINDOWS\System32\Drivers\ASCTRM.SYS
Address: 0xBA60C000 Size: 7488 File Visible: - Signed: No
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 96512 File Visible: - Signed: Yes
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF04E000 Size: 204800 File Visible: - Signed: Yes
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF012000 Size: 245760 File Visible: - Signed: Yes
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xB98AF000 Size: 1073152 File Visible: - Signed: Yes
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF0B2000 Size: 2297856 File Visible: - Signed: Yes
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF080000 Size: 204800 File Visible: - Signed: Yes
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF2E3000 Size: 610304 File Visible: - Signed: Yes
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: Yes
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA795000 Size: 3072 File Visible: - Signed: Yes
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA61A000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB3E47000 Size: 63744 File Visible: - Signed: Yes
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA2F8000 Size: 62976 File Visible: - Signed: Yes
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA0F8000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0E8000 Size: 36352 File Visible: - Signed: Yes
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA238000 Size: 61440 File Visible: - Signed: Yes
Status: -

Name: DSproct.sys
Image Path: C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
Address: 0xBA638000 Size: 4736 File Visible: - Signed: No
Status: -

Name: dsunidrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
Address: 0xBA60E000 Size: 5376 File Visible: - Signed: Yes
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6BAC000 Size: 98304 File Visible: No Signed: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F4000 Size: 8192 File Visible: No Signed: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB6E07000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: Yes
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA6B2000 Size: 4096 File Visible: - Signed: Yes
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xB95BF000 Size: 155648 File Visible: - Signed: Yes
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB6D97000 Size: 143744 File Visible: - Signed: Yes
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA1F8000 Size: 44544 File Visible: - Signed: Yes
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB9F11000 Size: 129792 File Visible: - Signed: Yes
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA616000 Size: 7936 File Visible: - Signed: Yes
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F49000 Size: 125056 File Visible: - Signed: Yes
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: Yes
Status: -

Name: HCWBT8XX.sys
Image Path: C:\WINDOWS\system32\drivers\HCWBT8XX.sys
Address: 0xB97E2000 Size: 446464 File Visible: - Signed: No
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB9873000 Size: 163840 File Visible: - Signed: Yes
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xB93CB000 Size: 36864 File Visible: - Signed: Yes
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBA4A8000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB9DD6000 Size: 10368 File Visible: - Signed: Yes
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xB95E5000 Size: 680704 File Visible: - Signed: Yes
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xB968C000 Size: 1042432 File Visible: - Signed: Yes
Status: -

Name: HSFHWBS2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Address: 0xB978B000 Size: 212224 File Visible: - Signed: Yes
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB3A79000 Size: 264832 File Visible: - Signed: Yes
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xBA580000 Size: 8576 File Visible: - Signed: Yes
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA2E8000 Size: 42112 File Visible: - Signed: Yes
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA2A8000 Size: 36352 File Visible: - Signed: Yes
Status: -

Name: ipfltdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xB935B000 Size: 32896 File Visible: - Signed: Yes
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB6D84000 Size: 75264 File Visible: - Signed: Yes
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: Yes
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA420000 Size: 24576 File Visible: - Signed: Yes
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xBA574000 Size: 14592 File Visible: - Signed: Yes
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB3706000 Size: 172416 File Visible: - Signed: Yes
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xB97BF000 Size: 143360 File Visible: - Signed: Yes
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9EFA000 Size: 92288 File Visible: - Signed: Yes
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xB44A5000 Size: 9920 File Visible: - Signed: Yes
Status: -

Name: mfeavfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys
Address: 0xB3DDA000 Size: 73152 File Visible: - Signed: Yes
Status: -

Name: mfebopk.sys
Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys
Address: 0xBA378000 Size: 28544 File Visible: - Signed: Yes
Status: -

Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xB6BC4000 Size: 207296 File Visible: - Signed: Yes
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA61C000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBA3E0000 Size: 30080 File Visible: - Signed: Yes
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xB99C1000 Size: 16128 File Visible: - Signed: Yes
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA430000 Size: 23040 File Visible: - Signed: Yes
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB9DCE000 Size: 12160 File Visible: - Signed: Yes
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0B8000 Size: 42368 File Visible: - Signed: Yes
Status: -

Name: Mpfp.sys
Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys
Address: 0xB6D04000 Size: 159744 File Visible: - Signed: Yes
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB471F000 Size: 180608 File Visible: - Signed: Yes
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB6BF7000 Size: 455296 File Visible: - Signed: Yes
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA478000 Size: 19072 File Visible: - Signed: Yes
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA128000 Size: 35072 File Visible: - Signed: Yes
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA554000 Size: 15488 File Visible: - Signed: Yes
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9E13000 Size: 105344 File Visible: - Signed: Yes
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9E2D000 Size: 182656 File Visible: - Signed: Yes
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB9DBA000 Size: 10112 File Visible: - Signed: Yes
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB48C0000 Size: 14592 File Visible: - Signed: Yes
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB95A8000 Size: 91520 File Visible: - Signed: Yes
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA188000 Size: 40576 File Visible: - Signed: Yes
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xB934B000 Size: 34688 File Visible: - Signed: Yes
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB6CB4000 Size: 162816 File Visible: - Signed: Yes
Status: -

Name: npf.sys
Image Path: C:\WINDOWS\system32\drivers\npf.sys
Address: 0xBA448000 Size: 27392 File Visible: - Signed: Yes
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA488000 Size: 30848 File Visible: - Signed: Yes
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E5A000 Size: 574976 File Visible: - Signed: Yes
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA79E000 Size: 2944 File Visible: - Signed: Yes
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\omci.sys
Address: 0xBA440000 Size: 17152 File Visible: - Signed: No
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: Yes
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: Yes
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: Yes
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB72EB000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9597000 Size: 69120 File Visible: - Signed: Yes
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA400000 Size: 17792 File Visible: - Signed: Yes
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA108000 Size: 37376 File Visible: - Signed: Yes
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBA55C000 Size: 8832 File Visible: - Signed: Yes
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA308000 Size: 51328 File Visible: - Signed: Yes
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA318000 Size: 41472 File Visible: - Signed: Yes
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA0D8000 Size: 48384 File Visible: - Signed: Yes
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA410000 Size: 16512 File Visible: - Signed: Yes
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB6C67000 Size: 175744 File Visible: - Signed: Yes
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA61E000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA2C8000 Size: 57600 File Visible: - Signed: Yes
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2FE6000 Size: 49152 File Visible: No Signed: No
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB45B5000 Size: 333952 File Visible: - Signed: Yes
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB730F000 Size: 180096 File Visible: - Signed: Yes
Status: -

Name: STREAM.SYS
Image Path: C:\WINDOWS\system32\drivers\STREAM.SYS
Address: 0xBA2B8000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5EC000 Size: 4352 File Visible: - Signed: Yes
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB42A5000 Size: 60800 File Visible: - Signed: Yes
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB6D2B000 Size: 361600 File Visible: - Signed: Yes
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA3F0000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA138000 Size: 40704 File Visible: - Signed: Yes
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB93FB000 Size: 384768 File Visible: - Signed: Yes
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5FC000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA3D8000 Size: 30208 File Visible: - Signed: Yes
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA298000 Size: 59520 File Visible: - Signed: Yes
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB984F000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xBA468000 Size: 25856 File Visible: - Signed: Yes
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xBA480000 Size: 26368 File Visible: - Signed: Yes
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA3D0000 Size: 20608 File Visible: - Signed: Yes
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA4B0000 Size: 20992 File Visible: - Signed: Yes
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB989B000 Size: 81920 File Visible: - Signed: Yes
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: Yes
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xB936B000 Size: 34560 File Visible: - Signed: Yes
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA498000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB4230000 Size: 83072 File Visible: - Signed: Yes
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: Yes
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: Yes
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: Yes
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xBA56C000 Size: 12032 File Visible: - Signed: Yes
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xB9EE7000 Size: 77568 File Visible: - Signed: Yes
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 568 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 608 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 632 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 680 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 704 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 876 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 896 Status: -

Path: C:\Program Files\McAfee\MPF\MpfSrv.exe
PID: 948 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1036 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1108 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1148 Status: -

Path: C:\Documents and Settings\Elaine\Application Data\U3\0000187FC5719D1C\LaunchPad.exe
PID: 1240 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 1244 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1252 Status: -

Path: C:\WINDOWS\system32\PRISMSVR.exe
PID: 1260 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1304 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1388 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1472 Status: -

Path: C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PID: 1504 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1568 Status: -

Path: C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PID: 1600 Status: -

Path: C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PID: 1684 Status: -

Path: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
PID: 1724 Status: -

Path: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
PID: 1760 Status: -

Path: C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
PID: 1844 Status: -

Path: C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
PID: 1924 Status: -

Path: C:\Program Files\McAfee\MSK\msksrver.exe
PID: 2012 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 2052 Status: -

Path: C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
PID: 2564 Status: -

Path: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
PID: 3056 Status: -

Path: C:\Program Files\Real\RealPlayer\realplay.exe
PID: 3124 Status: -

Path: C:\Documents and Settings\Elaine\Desktop\RootRepeal.exe
PID: 3144 Status: -

Path: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PID: 3256 Status: -

Path: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PID: 3300 Status: -

Path: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PID: 3312 Status: -

Path: C:\Program Files\Roxio Creator 2009\5.0\CPMonitor.exe
PID: 3332 Status: -

Path: C:\Program Files\QuickTime\QTTask.exe
PID: 3344 Status: -

Path: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 3376 Status: -

Path: C:\Program Files\DellSupport\DSAgnt.exe
PID: 3408 Status: -

Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 3416 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 3428 Status: -

Path: C:\Program Files\WinTV\Ir.exe
PID: 3484 Status: -

Path: C:\Program Files\Digital Line Detect\DLG.exe
PID: 3496 Status: -

Path: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PID: 3512 Status: -

Path: C:\Program Files\Dell Wireless\PRISMCFG.exe
PID: 3544 Status: -

Path: C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
PID: 3724 Status: -

ServiceTable Hooked [0x8808fd18]!

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Not hooked

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Not hooked

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Not hooked

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "<unknown>" at address 0x8ae334a0

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Not hooked

#: 069 Funct

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x8809bda8, TID: 2256]
Process: svchost.exe (PID: 896) Address: 0x00e41f3c Size: -

Object: Hidden Module [Name: geyekrexwrpoma.dll]
Process: svchost.exe (PID: 896) Address: 0x007b0000 Size: 53248

Object: Hidden Module [Name: geyekrlcbmkryv.dll]
Process: svchost.exe (PID: 896) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ae2ead0 Size: 1332

Object: Hidden Code [Driver: Mup, IRP_MJ_CREATE]
Process: System Address: 0x8ae2ead0 Size: 1332

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_READ]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_WRITE]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_SET_EA]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_POWER]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: MPFP؄ఇ䵃慖, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ae31740 Size: 1715

Object: Hidden Code [Driver: RAW, IRP_MJ_CREATE]
Process: System Address: 0x8ae2ead0 Size: 1332

Object: Hidden Code [Driver: FltMgr, IRP_MJ_CREATE]
Process: System Address: 0x8ae2ead0 Size: 1332

Hidden Services
-------------------
Shadow SSDT
-------------------
#: 000 Function Name: NtGdiAbortDoc
Status: Not hooked

#: 001 Function Name: NtGdiAbortPath
Status: Not hooked

#: 002 Function Name: NtGdiAddFontResourceW
Status: Not hooked

#: 003 Function Name: NtGdiAddRemoteFontToDC
Status: Not hooked

#: 004 Function Name: NtGdiAddFontMemResourceEx
Status: Not hooked

#: 005 Function Name: NtGdiRemoveMergeFont
Status: Not hooked

#: 006 Function Name: NtGdiAddRemoteMMInstanceToDC
Status: Not hooked

#: 007 Function Name: NtGdiAlphaBlend
Status: Not hooked

#: 008 Function Name: NtGdiAngleArc
Status: Not hooked

#: 009 Function Name: NtGdiAnyLinkedFonts
Status: Not hooked

#: 010 Function Name: NtGdiFontIsLinked
Status: Not hooked

#: 011 Function Name: NtGdiArcInternal
Status: Not hooked

#: 012 Function Name: NtGdiBeginPath
Status: Not hooked

#: 013 Function Name: NtGdiBitBlt
Status: Not hooked

#: 014 Function Name: NtGdiCancelDC
Status: Not hooked

#: 015 Function Name: NtGdiCheckBitmapBits
Status: Not hooked

#: 016 Function Name: NtGdiCloseFigure
Status: Not hooked

#: 017 Function Name: NtGdiClearBitmapAttributes
Status: Not hooked

#: 018 Function Name: NtGdiClearBrushAttributes
Status: Not hooked

#: 019 Function Name: NtGdiColorCorrectPalette
Status: Not hooked

#: 020 Function Name: NtGdiCombineRgn
Status: Not hooked

#: 021 Function Name: NtGdiCombineTransform
Status: Not hooked

#: 022 Function Name: NtGdiComputeXformCoefficients
Status: Not hooked

#: 023 Function Name: NtGdiConsoleTextOut
Status: Not hooked

#: 024 Function Name: NtGdiConvertMetafileRect
Status: Not hooked

#: 025 Function Name: NtGdiCreateBitmap
Status: Not hooked

#: 026 Function Name: NtGdiCreateClientObj
Status: Not hooked

#: 027 Function Name: NtGdiCreateColorSpace
Status: Not hooked

#: 028 Function Name: NtGdiCreateColorTransform
Status: Not hooked

#: 029 Function Name: NtGdiCreateCompatibleBitmap
Status: Not hooked

#: 030 Function Name: NtGdiCreateCompatibleDC
Status: Not hooked

#: 031 Function Name: NtGdiCreateDIBBrush
Status: Not hooked

#: 032 Function Name: NtGdiCreateDIBitmapInternal
Status: Not hooked

#: 033 Function Name: NtGdiCreateDIBSection
Status: Not hooked

#: 034 Function Name: NtGdiCreateEllipticRgn
Status: Not hooked

#: 035 Function Name: NtGdiCreateHalftonePalette
Status: Not hooked

#: 036 Function Name: NtGdiCreateHatchBrushInternal
Status: Not hooked

#: 037 Function Name: NtGdiCreateMetafileDC
Status: Not hooked

#: 038 Function Name: NtGdiCreatePaletteInternal
Status: Not hooked

#: 039 Function Name: NtGdiCreatePatternBrushInternal
Status: Not hooked

#: 040 Function Name: NtGdiCreatePen
Status: Not hooked

#: 041 Function Name: NtGdiCreateRectRgn
Status: Not hooked

#: 042 Function Name: NtGdiCreateRoundRectRgn
Status: Not hooked

#: 043 Function Name: NtGdiCreateServerMetaFile
Status: Not hooked

#: 044 Function Name: NtGdiCreateSolidBrush
Status: Not hooked

#: 045 Function Name: NtGdiD3dContextCreate
Status: Not hooked

#: 046 Function Name: NtGdiD3dContextDestroy
Status: Not hooked

#: 047 Function Name: NtGdiD3dContextDestroyAll
Status: Not hooked

#: 048 Function Name: NtGdiD3dValidateTextureStageState
Status: Not hooked

#: 049 Function Name: NtGdiD3dDrawPrimitives2
Status: Not hooked

#: 050 Function Name: NtGdiDdGetDriverState
Status: Not hooked

#: 051 Function Name: NtGdiDdAddAttachedSurface
Status: Not hooked

#: 052 Function Name: NtGdiDdAlphaBlt
Status: Not hooked

#: 053 Function Name: NtGdiDdAttachSurface
Status: Not hooked

#: 054 Function Name: NtGdiDdBeginMoCompFrame
Status: Not hooked

#: 055 Function Name: NtGdiDdBlt
Status: Not hooked

#: 056 Function Name: NtGdiDdCanCreateSurface
Status: Not hooked

#: 057 Function Name: NtGdiDdCanCreateD3DBuffer
Status: Not hooked

#: 058 Function Name: NtGdiDdColorControl
Status: Not hooked

#: 059 Function Name: NtGdiDdCreateDirectDrawObject
Status: Not hooked

#: 060 Function Name: NtGdiDdCreateSurface
Status: Not hooked

#: 061 Function Name: NtGdiDdCreateD3DBuffer
Status: Not hooked

#: 062 Function Name: NtGdiDdCreateMoComp
Status: Not hooked

#: 063 Function Name: NtGdiDdCreateSurfaceObject
Status: Not hooked

#: 064 Function Name: NtGdiDdDeleteDirectDrawObject
Status: Not hooked

#: 065 Function Name: NtGdiDdDeleteSurfaceObject
Status: Not hooked

#: 066 Function Name: NtGdiDdDestroyMoComp
Status: Not hooked

#: 067 Function Name: NtGdiDdDestroySurface
Status: Not hooked

#: 068 Function Name: NtGdiDdDestroyD3DBuffer
Status: Not hooked

#: 069 Function Name: NtGdiDdEndMoCompFrame
Status: Not hooked

#: 070 Function Name: NtGdiDdFlip
Status: Not hooked

#: 071 Function Name: NtGdiDdFlipToGDISurface
Status: Not hooked

#: 072 Function Name: NtGdiDdGetAvailDriverMemory
Status: Not hooked

#: 073 Function Name: NtGdiDdGetBltStatus
Status: Not hooked

#: 074 Function Name: NtGdiDdGetDC
Status: Not hooked

#: 075 Function Name: NtGdiDdGetDriverInfo
Status: Not hooked

#: 076 Function Name: NtGdiDdGetDxHandle
Status: Not hooked

#: 077 Function Name: NtGdiDdGetFlipStatus
Status: Not hooked

#: 078 Function Name: NtGdiDdGetInternalMoCompInfo
Status: Not hooked

#: 079 Function Name: NtGdiDdGetMoCompBuffInfo
Status: Not hooked

#: 080 Function Name: NtGdiDdGetMoCompGuids
Status: Not hooked

#: 081 Function Name: NtGdiDdGetMoCompFormats
Status: Not hooked

#: 082 Function Name: NtGdiDdGetScanLine
Status: Not hooked

#: 083 Function Name: NtGdiDdLock
Status: Not hooked

#: 084 Function Name: NtGdiDdLockD3D
Status: Not hooked

#: 085 Function Name: NtGdiDdQueryDirectDrawObject
Status: Not hooked

#: 086 Function Name: NtGdiDdQueryMoCompStatus
Status: Not hooked

#: 087 Function Name: NtGdiDdReenableDirectDrawObject
Status: Not hooked

#: 088 Function Name: NtGdiDdReleaseDC
Status: Not hooked

#: 089 Function Name: NtGdiDdRenderMoComp
Status: Not hooked

#: 090 Function Name: NtGdiDdResetVisrgn
Status: Not hooked

#: 091 Function Name: NtGdiDdSetColorKey
Status: Not hooked

#: 092 Function Name: NtGdiDdSetExclusiveMode
Status: Not hooked

#: 093 Function Name: NtGdiDdSetGammaRamp
Status: Not hooked

#: 094 Function Name: NtGdiDdCreateSurfaceEx
Status: Not hooked

#: 095 Function Name: NtGdiDdSetOverlayPosition
Status: Not hooked

#: 096 Function Name: NtGdiDdUnattachSurface
Status: Not hooked

#: 097 Function Name: NtGdiDdUnlock
Status: Not hooked

#: 098 Function Name: NtGdiDdUnlockD3D
Status: Not hooked

#: 099 Function Name: NtGdiDdUpdateOverlay
Status: Not hooked

#: 100 Function Name: NtGdiDdWaitForVerticalBlank
Status: Not hooked

#: 101 Function Name: NtGdiDvpCanCreateVideoPort
Status: Not hooked

#: 102 Function Name: NtGdiDvpColorControl
Status: Not hooked

#: 103 Function Name: NtGdiDvpCreateVideoPort
Status: Not hooked

#: 104 Function Name: NtGdiDvpDestroyVideoPort
Status: Not hooked

#: 105 Function Name: NtGdiDvpFlipVideoPort
Status: Not hooked

#: 106 Function Name: NtGdiDvpGetVideoPortBandwidth
Status: Not hooked

#: 107 Function Name: NtGdiDvpGetVideoPortField
Status: Not hooked

#: 108 Function Name: NtGdiDvpGetVideoPortFlipStatus
Status: Not hooked

#: 109 Function Name: NtGdiDvpGetVideoPortInputFormats
Status: Not hooked

#: 110 Function Name: NtGdiDvpGetVideoPortLine
Status: Not hooked

#: 111 Function Name: NtGdiDvpGetVideoPortOutputFormats
Status: Not hooked

#: 112 Function Name: NtGdiDvpGetVideoPortConnectInfo
Status: Not hooked

#: 113 Function Name: NtGdiDvpGetVideoSignalStatus
Status: Not hooked

#: 114 Function Name: NtGdiDvpUpdateVideoPort
Status: Not hooked

#: 115 Function Name: NtGdiDvpWaitForVideoPortSync
Status: Not hooked

#: 116 Function Name: NtGdiDvpAcquireNotification
Status: Not hooked

#: 117 Function Name: NtGdiDvpReleaseNotification
Status: Not hooked

#: 118 Function Name: NtGdiDxgGenericThunk
Status: Not hooked

#: 119 Function Name: NtGdiDeleteClientObj
Status: Not hooked

#: 120 Function Name: NtGdiDeleteColorSpace
Status: Not hooked

#: 121 Function Name: NtGdiDeleteColorTransform
Status: Not hooked

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Not hooked

#: 123 Function Name: NtGdiDescribePixelFormat
Status: Not hooked

#: 124 Function Name: NtGdiGetPerBandInfo
Status: Not hooked

#: 125 Function Name: NtGdiDoBanding
Status: Not hooked

#: 126 Function Name: NtGdiDoPalette
Status: Not hooked

#: 127 Function Name: NtGdiDrawEscape
Status: Not hooked

#: 128 Function Name: NtGdiEllipse
Status: Not hooked

#: 129 Function Name: NtGdiEnableEudc
Status: Not hooked

#: 130 Function Name: NtGdiEndDoc
Status: Not hooked

#: 131 Function Name: NtGdiEndPage
Status: Not hooked

#: 132 Function Name: NtGdiEndPath
Status: Not hooked

#: 133 Function Name: NtGdiEnumFontChunk
Status: Not hooked

#: 134 Function Name: NtGdiEnumFontClose
Status: Not hooked

#: 135 Function Name: NtGdiEnumFontOpen
Status: Not hooked

#: 136 Function Name: NtGdiEnumObjects
Status: Not hooked

#: 137 Function Name: NtGdiEqualRgn
Status: Not hooked

#: 138 Function Name: NtGdiEudcLoadUnloadLink
Status: Not hooked

#: 139 Function Name: NtGdiExcludeClipRect
Status: Not hooked

#: 140 Function Name: NtGdiExtCreatePen
Status: Not hooked

#: 141 Function Name: NtGdiExtCreateRegion
Status: Not hooked

#: 142 Function Name: NtGdiExtEscape
Status: Not hooked

#: 143 Function Name: NtGdiExtFloodFill
Status: Not hooked

#: 144 Function Name: NtGdiExtGetObjectW
Status: Not hooked

#: 145 Function Name: NtGdiExtSelectClipRgn
Status: Not hooked

#: 146 Function Name: NtGdiExtTextOutW
Status: Not hooked

#: 147 Function Name: NtGdiFillPath
Status: Not hooked

#: 148 Function Name: NtGdiFillRgn
Status: Not hooked

#: 149 Function Name: NtGdiFlattenPath
Status: Not hooked

#: 150 Function Name: NtGdiFlushUserBatch
Status: Not hooked

#: 151 Function Name: NtGdiFlush
Status: Not hooked

#: 152 Function Name: NtGdiForceUFIMapping
Status: Not hooked

#: 153 Function Name: NtGdiFrameRgn
Status: Not hooked

#: 154 Function Name: NtGdiFullscreenControl
Status: Not hooked

#: 155 Function Name: NtGdiGetAndSetDCDword
Status: Not hooked

#: 156 Function Name: NtGdiGetAppClipBox
Status: Not hooked

#: 157 Function Name: NtGdiGetBitmapBits
Status: Not hooked

#: 158 Function Name: NtGdiGetBitmapDimension
Status: Not hooked

#: 159 Function Name: NtGdiGetBoundsRect
Status: Not hooked

#: 160 Function Name: NtGdiGetCharABCWidthsW
Status: Not hooked

#: 161 Function Name: NtGdiGetCharacterPlacementW
Status: Not hooked

#: 162 Function Name: NtGdiGetCharSet
Status: Not hooked

#: 163 Function Name: NtGdiGetCharWidthW
Status: Not hooked

#: 164 Function Name: NtGdiGetCharWidthInfo
Status: Not hooked

#: 165 Function Name: NtGdiGetColorAdjustment
Status: Not hooked

#: 166 Function Name: NtGdiGetColorSpaceforBitmap
Status: Not hooked

#: 167 Function Name: NtGdiGetDCDword
Status: Not hooked

#: 168 Function Name: NtGdiGetDCforBitmap
Status: Not hooked

#: 169 Function Name: NtGdiGetDCObject
Status: Not hooked

#: 170 Function Name: NtGdiGetDCPoint
Status: Not hooked

#: 171 Function Name: NtGdiGetDeviceCaps
Status: Not hooked

#: 172 Function Name: NtGdiGetDeviceGammaRamp
Status: Not hooked

#: 173 Function Name: NtGdiGetDeviceCapsAll
Status: Not hooked

#: 174 Function Name: NtGdiGetDIBitsInternal
Status: Not hooked

#: 175 Function Name: NtGdiGetETM
Status: Not hooked

#: 176 Function Name: NtGdiGetEudcTimeStampEx
Status: Not hooked

#: 177 Function Name: NtGdiGetFontData
Status: Not hooked

#: 178 Function Name: NtGdiGetFontResourceInfoInternalW
Status: Not hooked

#: 179 Function Name: NtGdiGetGlyphIndicesW
Status: Not hooked

#: 180 Function Name: NtGdiGetGlyphIndicesWInternal
Status: Not hooked

#: 181 Function Name: NtGdiGetGlyphOutline
Status: Not hooked

#: 182 Function Name: NtGdiGetKerningPairs
Status: Not hooked

#: 183 Function Name: NtGdiGetLinkedUFIs
Status: Not hooked

#: 184 Function Name: NtGdiGetMiterLimit
Status: Not hooked

#: 185 Function Name: NtGdiGetMonitorID
Status: Not hooked

#: 186 Function Name: NtGdiGetNearestColor
Status: Not hooked

#: 187 Function Name: NtGdiGetNearestPaletteIndex
Status: Not hooked

#: 188 Function Name: NtGdiGetObjectBitmapHandle
Status: Not hooked

#: 189 Function Name: NtGdiGetOutlineTextMetricsInternalW
Status: Not hooked

#: 190 Function Name: NtGdiGetPath
Status: Not hooked

#: 191 Function Name: NtGdiGetPixel
Status: Not hooked

#: 192 Function Name: NtGdiGetRandomRgn
Status: Not hooked

#: 193 Function Name: NtGdiGetRasterizerCaps
Status: Not hooked

#: 194 Function Name: NtGdiGetRealizationInfo
Status: Not hooked

#: 195 Function Name: NtGdiGetRegionData
Status: Not hooked

#: 196 Function Name: NtGdiGetRgnBox
Status: Not hooked

#: 197 Function Name: NtGdiGetServerMetaFileBits
Status: Not hooked

#: 198 Function Name: NtGdiGetSpoolMessage
Status: Not hooked

#: 199 Function Name: NtGdiGetStats
Status: Not hooked

#: 200 Function Name: NtGdiGetStockObject
Status: Not hooked

#: 201 Function Name: NtGdiGetStringBitmapW
Status: Not hooked

#: 202 Function Name: NtGdiGetSystemPaletteUse
Status: Not hooked

#: 203 Function Name: NtGdiGetTextCharsetInfo
Status: Not hooked

#: 204 Function Name: NtGdiGetTextExtent
Status: Not hooked

#: 205 Function Name: NtGdiGetTextExtentExW
Status: Not hooked

#: 206 Function Name: NtGdiGetTextFaceW
Status: Not hooked

#: 207 Function Name: NtGdiGetTextMetricsW
Status: Not hooked

#: 208 Function Name: NtGdiGetTransform
Status: Not hooked

#: 209 Function Name: NtGdiGetUFI
Status: Not hooked

#: 210 Function Name: NtGdiGetEmbUFI
Status: Not hooked

#: 211 Function Name: NtGdiGetUFIPathname
Status: Not hooked

#: 212 Function Name: NtGdiGetEmbedFonts
Status: Not hooked

#: 213 Function Name: NtGdiChangeGhostFont
Status: Not hooked

#: 214 Function Name: NtGdiAddEmbFontToDC
Status: Not hooked

#: 215 Function Name: NtGdiGetFontUnicodeRanges
Status: Not hooked

#: 216 Function Name: NtGdiGetWidthTable
Status: Not hooked

#: 217 Function Name: NtGdiGradientFill
Status: Not hooked

#: 218 Function Name: NtGdiHfontCreate
Status: Not hooked

#: 219 Function Name: NtGdiIcmBrushInfo
Status: Not hooked

#: 220 Function Name: NtGdiInit
Status: Not hooked

#: 221 Function Name: NtGdiInitSpool
Status: Not hooked

#: 222 Function Name: NtGdiIntersectClipRect
Status: Not hooked

#: 223 Function Name: NtGdiInvertRgn
Status: Not hooked

#: 224 Function Name: NtGdiLineTo
Status: Not hooked

#: 225 Function Name: NtGdiMakeFontDir
Status: Not hooked

#: 226 Function Name: NtGdiMakeInfoDC
Status: Not hooked

#: 227 Function Name: NtGdiMaskBlt
Status: Not hooked

#: 228 Function Name: NtGdiModifyWorldTransform
Status: Not hooked

#: 229 Function Name: NtGdiMonoBitmap
Status: Not hooked

#: 230 Function Name: NtGdiMoveTo
Status: Not hooked

#: 231 Function Name: NtGdiOffsetClipRgn
Status: Not hooked

#: 232 Function Name: NtGdiOffsetRgn
Status: Not hooked

#: 233 Function Name: NtGdiOpenDCW
Status: Not hooked

#: 234 Function Name: NtGdiPatBlt
Status: Not hooked

#: 235 Function Name: NtGdiPolyPatBlt
Status: Not hooked

#: 236 Function Name: NtGdiPathToRegion
Status: Not hooked

#: 237 Function Name: NtGdiPlgBlt
Status: Not hooked

#: 238 Function Name: NtGdiPolyDraw
Status: Not hooked

#: 239 Function Name: NtGdiPolyPolyDraw
Status: Not hooked

#: 240 Function Name: NtGdiPolyTextOutW
Status: Not hooked

#: 241 Function Name: NtGdiPtInRegion
Status: Not hooked

#: 242 Function Name: NtGdiPtVisible
Status: Not hooked

#: 243 Function Name: NtGdiQueryFonts
Status: Not hooked

#: 244 Function Name: NtGdiQueryFontAssocInfo
Status: Not hooked

#: 245 Function Name: NtGdiRectangle
Status: Not hooked

#: 246 Function Name: NtGdiRectInRegion
Status: Not hooked

#: 247 Function Name: NtGdiRectVisible
Status: Not hooked

#: 248 Function Name: NtGdiRemoveFontResourceW
Status: Not hooked

#: 249 Function Name: NtGdiRemoveFontMemResourceEx
Status: Not hooked

#: 250 Function Name: NtGdiResetDC
Status: Not hooked

#: 251 Function Name: NtGdiResizePalette
Status: Not hooked

#: 252 Function Name: NtGdiRestoreDC
Status: Not hooked

#: 253 Function Name: NtGdiRoundRect
Status: Not hooked

#: 254 Function Name: NtGdiSaveDC
Status: Not hooked

#: 255 Function Name: NtGdiScaleViewportExtEx
Status: Not hooked

#: 256 Function Name: NtGdiScaleWindowExtEx
Status: Not hooked

#: 257 Function Name: NtGdiSelectBitmap
Status: Not hooked

#: 258 Function Name: NtGdiSelectBrush
Status: Not hooked

#: 259 Function Name: NtGdiSelectClipPath
Status: Not hooked

#: 260 Function Name: NtGdiSelectFont
Status: Not hooked

#: 261 Function Name: NtGdiSelectPen
Status: Not hooked

#: 262 Function Name: NtGdiSetBitmapAttributes
Status: Not hooked

#: 263 Function Name: NtGdiSetBitmapBits
Status: Not hooked

#: 264 Function Name: NtGdiSetBitmapDimension
Status: Not hooked

#: 265 Function Name: NtGdiSetBoundsRect
Status: Not hooked

#: 266 Function Name: NtGdiSetBrushAttributes
Status: Not hooked

#: 267 Function Name: NtGdiSetBrushOrg
Status: Not hooked

#: 268 Function Name: NtGdiSetColorAdjustment
Status: Not hooked

#: 269 Function Name: NtGdiSetColorSpace
Status: Not hooked

#: 270 Function Name: NtGdiSetDeviceGammaRamp
Status: Not hooked

#: 271 Function Name: NtGdiSetDIBitsToDeviceInternal
Status: Not hooked

#: 272 Function Name: NtGdiSetFontEnumeration
Status: Not hooked

#: 273 Function Name: NtGdiSetFontXform
Status: Not hooked

#: 274 Function Name: NtGdiSetIcmMode
Status: Not hooked

#: 275 Function Name: NtGdiSetLinkedUFIs
Status: Not hooked

#: 276 Function Name: NtGdiSetMagicColors
Status: Not hooked

#: 277 Function Name: NtGdiSetMetaRgn
Status: Not hooked

#: 278 Function Name: NtGdiSetMiterLimit
Status: Not hooked

#: 279 Function Name: NtGdiGetDeviceWidth
Status: Not hooked

#: 280 Function Name: NtGdiMirrorWindowOrg
Status: Not hooked

#: 281 Function Name: NtGdiSetLayout
Status: Not hooked

#: 282 Function Name: NtGdiSetPixel
Status: Not hooked

#: 283 Function Name: NtGdiSetPixelFormat
Status: Not hooked

#: 284 Function Name: NtGdiSetRectRgn
Status: Not hooked

#: 285 Function Name: NtGdiSetSystemPaletteUse
Status: Not hooked

#: 286 Function Name: NtGdiSetTextJustification
Status: Not hooked

#: 287 Function Name: NtGdiSetupPublicCFONT
Status: Not hooked

#: 288 Function Name: NtGdiSetVirtualResolution
Status: Not hooked

#: 289 Function Name: NtGdiSetSizeDevice
Status: Not hooked

#: 290 Function Name: NtGdiStartDoc
Status: Not hooked

#: 291 Function Name: NtGdiStartPage
Status: Not hooked

#: 292 Function Name: NtGdiStretchBlt
Status: Not hooked

#: 293 Function Name: NtGdiStretchDIBitsInternal
Status: Not hooked

#: 294 Function Name: NtGdiStrokeAndFillPath
Status: Not hooked

#: 295 Function Name: NtGdiStrokePath
Status: Not hooked

#: 296 Function Name: NtGdiSwapBuffers
Status: Not hooked

#: 297 Function Name: NtGdiTransformPoints
Status: Not hooked

#: 298 Function Name: NtGdiTransparentBlt
Status: Not hooked

#: 299 Function Name: NtGdiUnloadPrinterDriver
Status: Not hooked

#: 300 Function Name: NtGdiUnmapMemFont
Status: Not hooked

#: 301 Function Name: NtGdiUnrealizeObject
Status: Not hooked

#: 302 Function Name: NtGdiUpdateColors
Status: Not hooked

#: 303 Function Name: NtGdiWidenPath
Status: Not hooked

#: 304 Function Name: NtUserActivateKeyboardLayout
Status: Not hooked

#: 305 Function Name: NtUserAlterWindowStyle
Status: Not hooked

#: 306 Function Name: NtUserAssociateInputContext
Status: Not hooked

#: 307 Function Name: NtUserAttachThreadInput
Status: Not hooked

#: 308 Function Name: NtUserBeginPaint
Status: Not hooked

#: 309 Function Name: NtUserBitBltSysBmp
Status: Not hooked

#: 310 Function Name: NtUserBlockInput
Status: Not hooked

#: 311 Function Name: NtUserBuildHimcList
Status: Not hooked

#: 312 Function Name: NtUserBuildHwndList
Status: Not hooked

#: 313 Function Name: NtUserBuildNameList
Status: Not hooked

#: 314 Function Name: NtUserBuildPropList
Status: Not hooked

#: 315 Function Name: NtUserCallHwnd
Status: Not hooked

#: 316 Function Name: NtUserCallHwndLock
Status: Not hooked

#: 317 Function Name: NtUserCallHwndOpt
Status: Not hooked

#: 318 Function Name: NtUserCallHwndParam
Status: Not hooked

#: 319 Function Name: NtUserCallHwndParamLock
Status: Not hooked

#: 320 Function Name: NtUserCallMsgFilter
Status: Not hooked

#: 321 Function Name: NtUserCallNextHookEx
Status: Not hooked

#: 322 Function Name: NtUserCallNoParam
Status: Not hooked

#: 323 Function Name: NtUserCallOneParam
Status: Not hooked

#: 324 Function Name: NtUserCallTwoParam
Status: Not hooked

#: 325 Function Name: NtUserChangeClipboardChain
Status: Not hooked

#: 326 Function Name: NtUserChangeDisplaySettings
Status: Not hooked

#: 327 Function Name: NtUserCheckImeHotKey
Status: Not hooked

#: 328 Function Name: NtUserCheckMenuItem
Status: Not hooked

#: 329 Function Name: NtUserChildWindowFromPointEx
Status: Not hooked

#: 330 Function Name: NtUserClipCursor
Status: Not hooked

#: 331 Function Name: NtUserCloseClipboard
Status: Not hooked

#: 332 Function Name: NtUserCloseDesktop
Status: Not hooked

#: 333 Function Name: NtUserCloseWindowStation
Status: Not hooked

#: 334 Function Name: NtUserConsoleControl
Status: Not hooked

#: 335 Function Name: NtUserConvertMemHandle
Status: Not hooked

#: 336 Function Name: NtUserCopyAcceleratorTable
Status: Not hooked

#: 337 Function Name: NtUserCountClipboardFormats
Status: Not hooked

#: 338 Function Name: NtUserCreateAcceleratorTable
Status: Not hooked

#: 339 Function Name: NtUserCreateCaret
Status: Not hooked

#: 340 Function Name: NtUserCreateDesktop
Status: Not hooked

#: 341 Function Name: NtUserCreateInputContext
Status: Not hooked

#: 342 Function Name: NtUserCreateLocalMemHandle
Status: Not hooked

#: 343 Function Name: NtUserCreateWindowEx
Status: Not hooked

#: 344 Function Name: NtUserCreateWindowStation
Status: Not hooked

#: 345 Function Name: NtUserDdeGetQualityOfService
Status: Not hooked

#: 346 Function Name: NtUserDdeInitialize
Status: Not hooked

#: 347 Function Name: NtUserDdeSetQualityOfService
Status: Not hooked

#: 348 Function Name: NtUserDeferWindowPos
Status: Not hooked

#: 349 Function Name: NtUserDefSetText
Status: Not hooked

#: 350 Function Name: NtUserDeleteMenu
Status: Not hooked

#: 351 Function Name: NtUserDestroyAcceleratorTable
Status: Not hooked

#: 352 Function Name: NtUserDestroyCursor
Status: Not hooked

#: 353 Function Name: NtUserDestroyInputContext
Status: Not hooked

#: 354 Function Name: NtUserDestroyMenu
Status: Not hooked

#: 355 Function Name: NtUserDestroyWindow
Status: Not hooked

#: 356 Function Name: NtUserDisableThreadIme
Status: Not hooked

#: 357 Function Name: NtUserDispatchMessage
Status: Not hooked

#: 358 Function Name: NtUserDragDetect
Status: Not hooked

#: 359 Function Name: NtUserDragObject
Status: Not hooked

#: 360 Function Name: NtUserDrawAnimatedRects
Status: Not hooked

#: 361 Function Name: NtUserDrawCaption
Status: Not hooked

#: 362 Function Name: NtUserDrawCaptionTemp
Status: Not hooked

#: 363 Function Name: NtUserDrawIconEx
Status: Not hooked

#: 364 Function Name: NtUserDrawMenuBarTemp
Status: Not hooked

#: 365 Function Name: NtUserEmptyClipboard
Status: Not hooked

#: 366 Function Name: NtUserEnableMenuItem
Status: Not hooked

#: 367 Function Name: NtUserEnableScrollBar
Status: Not hooked

#: 368 Function Name: NtUserEndDeferWindowPosEx
Status: Not hooked

#: 369 Function Name: NtUserEndMenu
Status: Not hooked

#: 370 Function Name: NtUserEndPaint
Status: Not hooked

#: 371 Function Name: NtUserEnumDisplayDevices
Status: Not hooked

#: 372 Function Name: NtUserEnumDisplayMonitors
Status: Not hooked

#: 373 Function Name: NtUserEnumDisplaySettings
Status: Not hooked

#: 374 Function Name: NtUserEvent
Status: Not hooked

#: 375 Function Name: NtUserExcludeUpdateRgn
Status: Not hooked

#: 376 Function Name: NtUserFillWindow
Status: Not hooked

#: 377 Function Name: NtUserFindExistingCursorIcon
Status: Not hooked

#: 378 Function Name: NtUserFindWindowEx
Status: Not hooked

#: 379 Function Name: NtUserFlashWindowEx
Status: Not hooked

#: 380 Function Name: NtUserGetAltTabInfo
Status: Not hooked

#: 381 Function Name: NtUserGetAncestor
Status: Not hooked

#: 382 Function Name: NtUserGetAppImeLevel
Status: Not hooked

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Not hooked

#: 384 Function Name: NtUserGetAtomName
Status: Not hooked

#: 385 Function Name: NtUserGetCaretBlinkTime
Status: Not hooked

#: 386 Function Name: NtUserGetCaretPos
Status: Not hooked

#: 387 Function Name: NtUserGetClassInfo
Status: Not hooked

#: 388 Function Name: NtUserGetClassName
Status: Not hooked

#: 389 Function Name: NtUserGetClipboardData
Status: Not hooked

#: 390 Function Name: NtUserGetClipboardFormatName
Status: Not hooked

#: 391 Function Name: NtUserGetClipboardOwner
Status: Not hooked

#: 392 Function Name: NtUserGetClipboardSequenceNumber
Status: Not hooked

#: 393 Function Name: NtUserGetClipboardViewer
Status: Not hooked

#: 394 Function Name: NtUserGetClipCursor
Status: Not hooked

#: 395 Function Name: NtUserGetComboBoxInfo
Status: Not hooked

#: 396 Function Name: NtUserGetControlBrush
Status: Not hooked

#: 397 Function Name: NtUserGetControlColor
Status: Not hooked

#: 398 Function Name: NtUserGetCPD
Status: Not hooked

#: 399 Function Name: NtUserGetCursorFrameInfo
Status: Not hooked

#: 400 Function Name: NtUserGetCursorInfo
Status: Not hooked

#: 401 Function Name: NtUserGetDC
Status: Not hooked

#: 402 Function Name: NtUserGetDCEx
Status: Not hooked

#: 403 Function Name: NtUserGetDoubleClickTime
Status: Not hooked

#: 404 Function Name: NtUserGetForegroundWindow
Status: Not hooked

#: 405 Function Name: NtUserGetGuiResources
Status: Not hooked

#: 406 Function Name: NtUserGetGUIThreadInfo
Status: Not hooked

#: 407 Function Name: NtUserGetIconInfo
Status: Not hooked

#: 408 Function Name: NtUserGetIconSize
Status: Not hooked

#: 409 Function Name: NtUserGetImeHotKey
Status: Not hooked

#: 410 Function Name: NtUserGetImeInfoEx
Status: Not hooked

#: 411 Function Name: NtUserGetInternalWindowPos
Status: Not hooked

#: 412 Function Name: NtUserGetKeyboardLayoutList
Status: Not hooked

#: 413 Function Name: NtUserGetKeyboardLayoutName
Status: Not hooked

#: 414 Function Name: NtUserGetKeyboardState
Status: Not hooked

#: 415 Function Name: NtUserGetKeyNameText
Status: Not hooked

#: 416 Function Name: NtUserGetKeyState
Status: Not hooked

#: 417 Function Name: NtUserGetListBoxInfo
Status: Not hooked

#: 418 Function Name: NtUserGetMenuBarInfo
Status: Not hooked

#: 419 Function Name: NtUserGetMenuIndex
Status: Not hooked

#: 420 Function Name: NtUserGetMenuItemRect
Status: Not hooked

#: 421 Function Name: NtUserGetMessage
Status: Not hooked

#: 422 Function Name: NtUserGetMouseMovePointsEx
Status: Not hooked

#: 423 Function Name: NtUserGetObjectInformation
Status: Not hooked

#: 424 Function Name: NtUserGetOpenClipboardWindow
Status: Not hooked

#: 425 Function Name: NtUserGetPriorityClipboardFormat
Status: Not hooked

#: 426 Function Name: NtUserGetProcessWindowStation
Status: Not hooked

#: 427 Function Name: NtUserGetRawInputBuffer
Status: Not hooked

#: 428 Function Name: NtUserGetRawInputData
Status: Not hooked

#: 429 Function Name: NtUserGetRawInputDeviceInfo
Status: Not hooked

#: 430 Function Name: NtUserGetRawInputDeviceList
Status: Not hooked

#: 431 Function Name: NtUserGetRegisteredRawInputDevices
Status: Not hooked

#: 432 Function Name: NtUserGetScrollBarInfo
Status: Not hooked

#: 433 Function Name: NtUserGetSystemMenu
Status: Not hooked

#: 434 Function Name: NtUserGetThreadDesktop
Status: Not hooked

#: 435 Function Name: NtUserGetThreadState
Status: Not hooked

#: 436 Function Name: NtUserGetTitleBarInfo
Status: Not hooked

#: 437 Function Name==EOF==

#4 SifuMike (malware expert)

Posted 06 September 2009 - 10:20 PM

Hi PonchyRCA,
  • Please download mbr.exe from the following link and save it to your desktop: http://www2.gmer.net/mbr/mbr.exe
  • Double click mbr.exe to run it. You will see a very brief flash of a "dos" box, which then disappears. This is normal.
  • The tool creates a log (mbr.log) on your desktop. Copy and paste the content of that log to your reply.
****************

You have a rootkit so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee Security Center before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center
[screenshot]


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 06 September 2009 - 10:52 PM.
added scan

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 PonchyRCA (Topic Starter)

Posted 07 September 2009 - 06:29 PM

Hi,
Below are the mbr.log and ComboFix log.

After completing ComboFix I was still connected to the Internet, since I needed the connection to install the Recovery Console, and McAfee was disabled. I quickly enabled McAfee and it immediately went into update mode. While McAfee was in update mode I was hit by "Windows Police Pro". After several unsuccessful attempts to stop the most apparent processes I disconnected from the internet and shut down the machine. Looking on a clean machine at the Windows Police Pro removal guide, I was able to start the infected machine up, get into Task Manager and stop the processes "Windows Police Pro.exe" and "scvhast.exe" or "scvhasts.exe" (can't remember exactly which since I was working fast). It took several attempts but I was finally able to stop the processes.

I then attempted to run mbam.exe but got an error message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them." I tried FixExe.reg which did not change the result.

I was able to go into Add/Remove Programs and remove "Windows Police Pro" and while I was there I saw an entry for "Windows Antivirus Pro" which I also removed. I then removed any files that were left from the directories shown in the removal guide and then emptied the recycle bin. I checked the registry and did not find the entry shown in the removal guide.

I again tried mbam.exe and got the same error.

Also, I got the following error messages while ComboFix was running.
PEV.cfxxe encountered a problem and needs to close, with a choice to send an error report. I did not send an error report.
The system cannot find the file temp04.
catchme.cfxxe dll initialization failed.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found

ComboFix 09-09-06.06 - Elaine 09/07/2009 12:11.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2134 [GMT -5:00]
Running from: c:\documents and settings\Elaine\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Common\_helper.sig
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Installer\11de5a7.msi
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\regedit.com
c:\windows\run.log
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\desot.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACiwmigppbshbpjweag.sys
c:\windows\system32\Drivers\vdizqfmd.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\UAClftawuyvblfwavnde.dll
c:\windows\system32\UACqnfucbaebiiondowk.dat
c:\windows\system32\UACsdrjstdvpvtindowp.db
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\drivers\str.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 17:30 . 2009-09-07 17:30 213024 ------w- c:\windows\system32\drivers\str.sys
2009-08-21 11:15 . 2009-08-20 17:59 4129799 ----a-w- C:\stinger.com
2009-08-11 16:23 . 2009-08-11 16:23 73984 ----a-w- c:\windows\system32\drivers\ojlcadpdxwqr.sys
2009-08-08 18:15 . 2009-08-09 00:53 45344 ----a-w- c:\windows\system32\drivers\ldfc15f.sys
2009-08-08 18:09 . 2009-08-11 16:04 78336 --sha-w- c:\windows\system32\swupdate.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 17:06 . 2009-01-04 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-09-07 16:34 . 2009-03-11 02:17 -------- d-----w- c:\documents and settings\Elaine\Application Data\U3
2009-08-11 23:59 . 2008-11-11 20:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-10 08:35 . 2008-11-11 21:31 34 ----a-w- c:\documents and settings\Elaine\jagex_runescape_preferences.dat
2009-08-09 15:32 . 2005-08-17 16:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-09 15:31 . 2005-08-17 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-09 01:11 . 2009-06-29 22:20 -------- d-----w- c:\documents and settings\Elaine\Application Data\id Software
2009-08-09 01:10 . 2009-06-28 18:46 -------- d-----w- c:\program files\NCH Software
2009-08-09 01:09 . 2009-07-07 23:10 -------- d-----w- c:\program files\Pando Networks
2009-08-09 01:05 . 2009-07-07 22:45 -------- d-----w- c:\program files\GamersFirst
2009-08-09 01:03 . 2009-06-01 18:23 -------- d-----w- c:\program files\PopCap Games
2009-08-09 01:01 . 2005-08-17 16:40 -------- d-----w- c:\program files\Java
2009-08-08 18:12 . 2009-08-08 18:12 9836 ----a-w- c:\program files\cftlmrwd.txt
2009-08-08 16:57 . 2009-03-11 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 23:18 . 2009-08-06 23:18 -------- d-----w- c:\documents and settings\Marc\Application Data\Malwarebytes
2009-08-03 18:36 . 2009-03-11 02:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-03-11 02:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 10:23 . 2009-01-11 04:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 22:08 . 2009-01-11 04:50 -------- d-----w- c:\documents and settings\Elaine\Application Data\LimeWire
2009-07-10 13:45 . 2008-11-11 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-10 12:28 . 2008-11-11 19:53 -------- d-----w- c:\program files\McAfee
2009-07-10 04:00 . 2009-07-10 03:58 -------- d-----w- c:\program files\AIM6
2009-06-29 22:19 . 2009-06-29 22:15 22328 ----a-w- c:\documents and settings\Elaine\Application Data\PnkBstrK.sys
2009-06-25 05:00 . 2009-01-04 00:25 839696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-17 26112]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe" [2008-08-10 80368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2008-12-30 102455]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-17 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-29 53248]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2005-8-17 917611]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/11/2008 2:58 PM 206096]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [12/30/2008 9:32 PM 433732]
S0 ldfc15f;ldfc15f;\SystemRoot\\SystemRoot\System32\drivers\ldfc15f.sys --> \SystemRoot\\SystemRoot\System32\drivers\ldfc15f.sys [?]
S1 7b7aefb7.sys;7b7aefb7.sys;\??\c:\windows\System32\drivers\7b7aefb7.sys --> c:\windows\System32\drivers\7b7aefb7.sys [?]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 1:25 AM 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 1:24 AM 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 1:24 AM 170480]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 1:25 AM 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [8/14/2008 1:23 AM 1124848]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/17/2005 11:41 AM 57344]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-11 15:53]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-11 15:53]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim - c:\program files\AIM6\aim.exe
HKCU-Run-Mp3Detective - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-Mp3Detective - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso9/setexp.asp?regwiz=file://c:\program%20files\mcafee.com\agent\mcregwiz.exe&systempopup=true&affid=105-57&dtag=42WB881
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
geyekrlcbmkryv.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrlcbmkryv.dll
c:\windows\system32\PRISMAPI.dll

- - - - - - - > 'explorer.exe'(7692)
geyekrlcbmkryv.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrlcbmkryv.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\PRISMSVR.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-09-07 12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 17:39

Pre-Run: 57,605,115,904 bytes free
Post-Run: 57,470,046,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
211 --- E O F --- 2009-09-07 17:34
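The ComboFix log above shows geyekrlcbmkryv.dll mapped into winlogon.exe and explorer.exe through a \\?\globalroot path, the same module Malwarebytes kept reporting as removed. As an added example (not part of this thread and not ComboFix's own code), the Python below parses the "DLLs Loaded Under Running Processes" section of such a log, flags modules loaded via \\?\globalroot or from outside the normal program and system directories, and lists modules injected into more than one process; the sample log text and the helper names are constructed for this example.

```python
"""
Flag suspicious module paths in the "DLLs Loaded Under Running Processes"
section of a ComboFix log.

Added example for this thread, not ComboFix's own code. SAMPLE_LOG is a
constructed fragment shaped like the post's output; the helper names
(parse_loaded_dlls, find_suspicious_dlls, shared_hidden_modules) are my own.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the post's ComboFix section (not a real capture).
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
geyekrlcbmkryv.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrlcbmkryv.dll
c:\windows\system32\PRISMAPI.dll

- - - - - - - > 'explorer.exe'(7692)
geyekrlcbmkryv.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrlcbmkryv.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
.
------------------------ Other Running Processes ------------------------
"""

SECTION_HEADER = "DLLs Loaded Under Running Processes"
# Process line, e.g.  - - - - - - - > 'winlogon.exe'(636)
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
# Hidden-module line: name, 8-hex-digit base, size, path. Plain lines are just a path.
MODULE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<base>[0-9a-fA-F]{8})\s+(?P<size>\d+)\s+(?P<path>.+)$"
)
# Directories a module is normally expected to load from (lower-case prefixes).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\"


def parse_loaded_dlls(log_text: str) -> Dict[Tuple[str, int], List[str]]:
    """Return {(process name, pid): [module paths]} for the DLL section only."""
    result: Dict[Tuple[str, int], List[str]] = {}
    current = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_HEADER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---"):      # next dashed header ends the section
            break
        if not line or line == ".":     # ComboFix separator lines
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group("name"), int(m.group("pid")))
            result[current] = []
            continue
        if current is None:
            continue
        m = MODULE_RE.match(line)
        result[current].append(m.group("path") if m else line)
    return result


def is_suspicious_path(path: str) -> Tuple[bool, str]:
    """Classify one module path; returns (flagged, reason)."""
    low = path.lower()
    if low.startswith(GLOBALROOT_PREFIX):
        # Object-manager path: the on-disk location is hidden from normal tools.
        return True, "loaded via \\\\?\\globalroot"
    if not low.startswith(EXPECTED_DIRS):
        return True, "loaded from outside the usual program/system directories"
    return False, ""


def find_suspicious_dlls(log_text: str) -> List[Tuple[str, int, str, str]]:
    """Return (process, pid, path, reason) for every flagged module."""
    hits = []
    for (proc, pid), paths in parse_loaded_dlls(log_text).items():
        for path in paths:
            flagged, why = is_suspicious_path(path)
            if flagged:
                hits.append((proc, pid, path, why))
    return hits


def shared_hidden_modules(log_text: str) -> Dict[str, List[str]]:
    """Flagged module names that appear in more than one process."""
    seen: Dict[str, List[str]] = {}
    for proc, _pid, path, _why in find_suspicious_dlls(log_text):
        name = path.rsplit("\\", 1)[-1].lower()
        seen.setdefault(name, []).append(proc)
    return {name: procs for name, procs in seen.items() if len(procs) > 1}


if __name__ == "__main__":
    for proc, pid, path, why in find_suspicious_dlls(SAMPLE_LOG):
        print(f"{proc}({pid}): {path}  <- {why}")
    print("injected into several processes:", shared_hidden_modules(SAMPLE_LOG))
```

Running the same check over the log from a later ComboFix pass shows whether the module is still being mapped into system processes after a cleanup that a scanner reported as successful.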

#6 SifuMike (malware expert)

Posted 07 September 2009 - 07:39 PM

Hi PonchyRCA,


Please refrain from making any changes to your system (updating, installing, removing, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


You need to disable your McAfee Security Center before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center
[screenshot]


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\drivers\ojlcadpdxwqr.sys
c:\windows\system32\drivers\ldfc15f.sys
c:\windows\system32\swupdate.dll
c:\windows\System32\drivers\7b7aefb7.sys 

Rootkit::
c:\windows\system32\drivers\str.sys

Driver:: 
ldfc15f
7b7aefb7.sys


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Edited by SifuMike, 07 September 2009 - 07:42 PM.


#7 PonchyRCA (Topic Starter)

Posted 07 September 2009 - 09:34 PM

Hi SifuMike,
Ensured McAfee was completely disabled.
Copied the text to CFScript.txt in Notepad and placed it on the desktop.
Ran ComboFix using the CFScript provided. ComboFix started, ran the first part and then rebooted. Following the reboot ComboFix picked up with the scan. However, after showing "ComboFix is preparing to run" the DOS window went away and I saw no hard drive activity for over 20 minutes. The machine is still sitting in that state.

Got the following error messages when ComboFix was running.
PVE.cfxxe has encountered a problem and needs to close. Option to send error report. I did not send error report.
On blue DOS window saw one line "The system cannot find the file temp04"

When ComboFix was running a catchme.log file created on my desktop that contained the following:
File "C:\ComboFix\MT_eventlog.dll.tmp" added successfully

I apologize for the difficulty this is presenting and truly appreciate all your help.

#8 SifuMike (malware expert)

Posted 07 September 2009 - 10:40 PM

Hi PonchyRCA,

PVE.cfxxe has encountered a problem and needs to close. Option to send error report. I did not send error report

Is it wanting to send the error report to MS or to the maker of ComboFix? If the latter, then send the report.



Reboot the computer, uninstall McAfee Security Center, run ComboFix (but not the script) and post the log.

I need to see the log to see if it removed anything.

Be careful not to go surfing the web while McAfee is uninstalled. You can install it once ComboFix is done and has produced a log.

Edited by SifuMike, 08 September 2009 - 01:06 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 PonchyRCA

PonchyRCA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:34 AM

Posted 09 September 2009 - 10:52 PM

Hi SifuMike

Uninstalled McAfee and ran ComboFix without script. Process did not complete so there is no log.

After initial startup got a line stating Scanning for Infected Files followed by two lines on the amount of time scanning may take.
After a few minutes (<10) got
"PVE.cfxxe has encountered a problem and needs to close". Opportunity to report to Microsoft. Did not send.
This was immediately followed by a "The system cannot find the file temp04".

Then noticed desktop icons going away and start of shutdown process. At this point got a message:
catchme.cfxxe - dll initialization failed "the application failed to initialize because the window station is shutting down".
The computer shut down and then rebooted.
Following reboot did not get a restart of ComboFix.

Previously got a restart of ComboFix following the restart. On one of my previous attempts prior to removing McAfee got the following message on the blue screen after the line Scanning for Infected Files followed by two lines on amount of time scanning may take.
"The process cannot access the file because it is being used by another process". Got this two times before the blue DOS window went away with no other progress.

Sorry for no logs but I have tried several times with no success.

Hope this gives you something to give me further direction on.

Thanks for your help
PonchyRCA

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:34 AM

Posted 10 September 2009 - 12:16 AM

Hi PonchyRCA ,

After a few minutes (<10) got
"PVE.cfxxe has encountered a problem and needs to close". Opportunity to report to Microsoft. Did not send.
This was immediately followed by a "The system cannot find the file temp04".



This does not look good. :( PVE.cfxxe is part of combofix.

It sounds like ComboFix file(s) were damaged by McAfee.

Delete the version of ComboFix you have on your desktop. Then download a fresh version and run it.

Edited by SifuMike, 10 September 2009 - 12:31 AM.
typo


#11 PonchyRCA

PonchyRCA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:34 AM

Posted 10 September 2009 - 11:54 AM

Hi SifuMike
Just delete ComboFix from Desktop or go to Run and enter ComboFix /u?
Thanks
PonchyRCA

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:34 AM

Posted 10 September 2009 - 12:19 PM

Hi PonchyRCA ,



Just delete ComboFix from the Desktop.

Edited by SifuMike, 10 September 2009 - 12:20 PM.


#13 PonchyRCA

PonchyRCA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:34 AM

Posted 12 September 2009 - 09:39 AM

Hi SifuMike

Unfortunately fans there is no joy in Mudville!

Made sure McAfee was completely removed. Removed and reinstalled ComboFix and MBAM.

When I reinstall and MBAM starts after the installation, it goes to start the scan and then the screen goes away. On subsequent attempts to restart MBAM I get the following message: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them".
I get the same response in Normal or Safe Mode.

ComboFix opens the initial blue screen then after I get the lines Scanning for infected files . . . This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double. About 30-40 seconds after this shows up on the blue screen I get an error message

"PEV.cfxxe has encountered a problem and needs to close." We are sorry for the inconvenience. This is in a box with opportunity to tell Microsoft about the problem. Clicked "Don't Send".

After clicking "Don't send" get "The system cannot find the file temp04" on the blue screen. This is followed by error
"catchme.cfxxe - DLL initialization failed" with note "The application failed because the window station is shutting down".

Following restart I do not get the blue screen back and basically nothing happens.

Tried in Safe Mode and got the same response. Although when I ran in Safe Mode I did see the blue screen come back up for a little while (10 seconds) with the Scanning for Infected Files message before it went away.

HELP!!! Don't know what else to do. Have tried to be very detailed.

Thanks for your help.
PonchyRCA

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:34 AM

Posted 12 September 2009 - 12:32 PM

Hi PonchyRCA,


Good job on describing what is happening.

I see you have a permissions problem so we will try to fix that first.


Download and run Win32kDiag:

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
Please post back with:
  • Win32kDiag.txt
  • Content of the log.txt

Edited by SifuMike, 12 September 2009 - 12:34 PM.
typo


#15 PonchyRCA

PonchyRCA
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:34 AM

Posted 12 September 2009 - 06:20 PM

Hi SifuMike
Here are the two reports you requested.


Win32kDiag.txt

Running from: C:\Documents and Settings\Elaine\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Elaine\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB960859\KB960859

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971557\KB971557

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971657\KB971657

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB973507\KB973507

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB973815\KB973815

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 05:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\40fc5c00ee89ac515590995374843d78\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\BTJM6NQQ\BTJM6NQQ

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\3TR3RQNS\3TR3RQNS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2236256150-2318831477-1304905272-1003\S-1-5-21-2236256150-2318831477-1304905272-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2236256150-2318831477-1304905272-1003\S-1-5-21-2236256150-2318831477-1304905272-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2236256150-2318831477-1304905272-1003\S-1-5-21-2236256150-2318831477-1304905272-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\ldfc15f.sys

[1] 2009-08-08 19:53:22 45344 C:\WINDOWS\system32\drivers\ldfc15f.sys ()



Found mount point : C:\WINDOWS\system32\DRVSTORE\DRVSTORE

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 05:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[1] 2004-08-04 05:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ERDNT\cache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

Content of the log

Volume in drive C has no label.
Volume Serial Number is 7868-AB4B

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
12 File(s) 2,582,528 bytes
0 Dir(s) 57,864,163,328 bytes free
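A defender-side triage script, added here as an example and not part of the original thread or of Win32kDiag itself. It parses the two kinds of findings the Win32kDiag log above reports, directory junctions whose target is a bogus device object and files whose live copy differs from the Service Pack and backup copies, and flags them; the embedded sample is a constructed excerpt modelled on the log above plus one constructed benign junction (`C:\Data\Archive`) so the filter has something to pass.

```python
import re

# Line shapes as they appear in Win32kDiag output (see the log above).
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")

# A legitimate NTFS junction or mount point targets a drive path or a volume
# GUID.  The "\Device\__max++>\^" target in the log above is neither ('>' is
# not even a legal character in an NT object name), so anything else is flagged.
DEST_OK_RE = re.compile(r"^\\\?\?\\([A-Za-z]:\\|Volume\{[0-9A-Fa-f-]+\}\\?)")

# Constructed sample: an excerpt modelled on the log above plus one benign
# junction (C:\Data\Archive -> D:\Archive).  Blank lines are skipped by the parser.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2
Mount point destination : \Device\__max++>\^
Found mount point : C:\Data\Archive
Mount point destination : \??\D:\Archive
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\drivers\ldfc15f.sys
[1] 2009-08-08 19:53:22 45344 C:\WINDOWS\system32\drivers\ldfc15f.sys ()
"""


def parse_win32kdiag(text):
    """Return (junctions, blocked).  junctions: list of (path, target).
    blocked: {inaccessible path: [(timestamp, size, path, company), ...]}."""
    junctions, blocked = [], {}
    pending = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending, current = m.group(1), None
        elif m := DEST_RE.match(line):
            if pending is not None:
                junctions.append((pending, m.group(1)))
            pending = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            blocked[current] = []
        elif (m := COPY_RE.match(line)) and current is not None:
            ts, size, path, company = m.groups()
            blocked[current].append((ts, int(size), path, company))
    return junctions, blocked


def suspicious_junctions(junctions):
    """Junctions whose target is neither a drive path nor a volume GUID."""
    return [(p, t) for p, t in junctions if not DEST_OK_RE.match(t)]


def suspicious_files(blocked):
    """Flag an inaccessible file when its live copy carries no vendor string,
    or its size matches none of the same-named reference copies (Service Pack
    cache, uninstall backup, ERDNT, i386).  Returns (path, size, ref_sizes)."""
    flagged = []
    for live_path, copies in blocked.items():
        name = live_path.rsplit("\\", 1)[-1].lower()
        live = [c for c in copies if c[2].lower() == live_path.lower()]
        refs = [c for c in copies
                if c[2].lower() != live_path.lower()
                and c[2].rsplit("\\", 1)[-1].lower() == name and c[3]]
        if not live:
            continue
        _, live_size, _, live_company = live[0]
        ref_sizes = sorted({r[1] for r in refs})
        if not live_company or (ref_sizes and live_size not in ref_sizes):
            flagged.append((live_path, live_size, ref_sizes))
    return flagged


if __name__ == "__main__":
    j, b = parse_win32kdiag(SAMPLE_LOG)
    for path, target in suspicious_junctions(j):
        print(f"junction  {path} -> {target}")
    for path, size, refs in suspicious_files(b):
        print(f"file      {path} size={size} reference sizes={refs}")
```

On the sample it reports the `$hf_mig$` junction but not `C:\Data\Archive`, and flags `eventlog.dll` (live copy 61952 bytes, unsigned, versus 55808/56320 in the reference copies) and the driver `ldfc15f.sys` (no vendor string, no reference copy at all).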



