Poprock b.exe in Startup?


  • This topic is locked
2 replies to this topic

#1 growy

  • Members
  • 1 posts
  • OFFLINE
  • Local time: 06:14 AM

Posted 06 October 2009 - 04:48 PM

Hi, I checked my startup processes and found an unknown entry called b.exe, poprock. I've read that it is a virus or malware and not easy to delete. I made a log file with RootRepeal; please give me some hints on how to delete this virus.

Please let me know what else I need to do. Thanks.

Here is the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 04:08
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x90286000 Size: 892928 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA1D77000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spdx.sys
Image Path: C:\Windows\System32\Drivers\spdx.sys
Address: 0x80692000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa73f32

#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa75182

#: 022 Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa74118

#: 054 Function Name: NtConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa73292

#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa73ad6

#: 071 Function Name: NtCreatePort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa73174

#: 075 Function Name: NtCreateSection
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa7392c

#: 077 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa74e3c

#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x91ad33f4

#: 129 Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa72a9c

#: 165 Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa74abe

#: 174 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa73516

#: 186 Function Name: NtOpenFile
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa73d1a

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x91ad33e0

#: 197 Function Name: NtOpenSection
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa737a6

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x91ad33e5

#: 276 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa745d8

#: 286 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa7485a

#: 317 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa74c6c

#: 326 Function Name: NtShutdownSystem
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa734b0

#: 332 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa7369a

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x91ad33ef

#: 335 Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa72f0c

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x91ad33ea

#: 382 Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa74224

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x85aeb1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_CREATE]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_CLOSE]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_READ]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_WRITE]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_SHUTDOWN]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_CLEANUP]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: udfsІ癅, IRP_MJ_PNP]
Process: System Address: 0x897ee1f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_CREATE]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_CLOSE]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_READ]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_WRITE]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_POWER]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: cdrom虱虱潉Џ浍摌筘蝂, IRP_MJ_PNP]
Process: System Address: 0x873631f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x85aea1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x85aea1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85aea1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85aea1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x85aea1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85aea1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x85aea1f8 Size: 121

Object: Hidden Code [Driver: aakx26g5Ѕ晖呉⁤轩芓, IRP_MJ_CREATE]
Process: System Address: 0x87306500 Size: 121

Object: Hidden Code [Driver: aakx26g5Ѕ晖呉⁤轩芓, IRP_MJ_CLOSE]
Process: System Address: 0x87306500 Size: 121

Object: Hidden Code [Driver: aakx26g5Ѕ晖呉⁤轩芓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87306500 Size: 121

Object: Hidden Code [Driver: aakx26g5Ѕ晖呉⁤轩芓, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87306500 Size: 121

Object: Hidden Code [Driver: aakx26g5Ѕ晖呉⁤轩芓, IRP_MJ_POWER]
Process: System Address: 0x87306500 Size: 121

Object: Hidden Code [Driver: aakx26g5Ѕ晖呉⁤轩芓, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87306500 Size: 121

Object: Hidden Code [Driver: aakx26g5Ѕ晖呉⁤轩芓, IRP_MJ_PNP]
Process: System Address: 0x87306500 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_CREATE]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_CLOSE]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_READ]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_WRITE]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_POWER]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: USBSTOR￿Џ捓㑂(, IRP_MJ_PNP]
Process: System Address: 0x888541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x872f91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x872f91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x872f91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x872f91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x872f91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x872f91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x872f91f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System Address: 0x88a2f1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System Address: 0x88a2f1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88a2f1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88a2f1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP]
Process: System Address: 0x88a2f1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_PNP]
Process: System Address: 0x88a2f1f8 Size: 121

Object: Hidden Code [Driver: netbt軥￿Р晁앤륒羛谛サ峮厺, IRP_MJ_CREATE]
Process: System Address: 0x88a65500 Size: 121

Object: Hidden Code [Driver: netbt軥￿Р晁앤륒羛谛サ峮厺, IRP_MJ_CLOSE]
Process: System Address: 0x88a65500 Size: 121

Object: Hidden Code [Driver: netbt軥￿Р晁앤륒羛谛サ峮厺, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88a65500 Size: 121

Object: Hidden Code [Driver: netbt軥￿Р晁앤륒羛谛サ峮厺, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88a65500 Size: 121

Object: Hidden Code [Driver: netbt軥￿Р晁앤륒羛谛サ峮厺, IRP_MJ_CLEANUP]
Process: System Address: 0x88a65500 Size: 121

Object: Hidden Code [Driver: netbt軥￿Р晁앤륒羛谛サ峮厺, IRP_MJ_PNP]
Process: System Address: 0x88a65500 Size: 121

Object: Hidden Code [Driver: iScsiPrtЎ浍摌怈蜰瘈蝂ꈀ轧, IRP_MJ_CREATE]
Process: System Address: 0x873fd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЎ浍摌怈蜰瘈蝂ꈀ轧, IRP_MJ_CLOSE]
Process: System Address: 0x873fd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЎ浍摌怈蜰瘈蝂ꈀ轧, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873fd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЎ浍摌怈蜰瘈蝂ꈀ轧, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873fd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЎ浍摌怈蜰瘈蝂ꈀ轧, IRP_MJ_POWER]
Process: System Address: 0x873fd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЎ浍摌怈蜰瘈蝂ꈀ轧, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873fd1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtЎ浍摌怈蜰瘈蝂ꈀ轧, IRP_MJ_PNP]
Process: System Address: 0x873fd1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x851591f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x873101f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x873101f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873101f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873101f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x873101f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873101f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x873101f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLOSE]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_READ]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_WRITE]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_EA]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLEANUP]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_POWER]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_PNP]
Process: System Address: 0x873791f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_CREATE]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_CLOSE]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_READ]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_WRITE]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_SHUTDOWN]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_CLEANUP]
Process: System Address: 0x872c91f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄䄘诧並鸗, IRP_MJ_PNP]
Process: System Address: 0x872c91f8 Size: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa77082

#: 124 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa777ac

#: 235 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa771b6

#: 241 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa77666

#: 245 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa772f6

#: 301 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa7742a

#: 320 Function Name: NtUserBlockInput
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76f02

#: 329 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76154

#: 397 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76bd2

#: 403 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa77564

#: 428 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76940

#: 430 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76a82

#: 479 Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76624

#: 484 Function Name: NtUserMoveWindow
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa75e8c

#: 497 Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa762d6

#: 498 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76482

#: 513 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76d22

#: 525 Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa767e6

#: 532 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa76e18

#: 550 Function Name: NtUserSetParent
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa75ffc

#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa77812

#: 576 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x8fa77a46

==EOF==

#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:14 PM

Posted 23 October 2009 - 03:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:14 PM

Posted 28 October 2009 - 01:57 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

