
Trojan Vundo (Security tool?)


  • This topic is locked
29 replies to this topic

#1 madspiderman

madspiderman

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 20 October 2009 - 01:50 AM

I keep getting a blue screen with the following message whenever I try to start Windows. (Right now I am using "debugging mode".)
"IRQL_NOT_LESS_OR_EQUAL"
(Message the blue screen has, without the quotes.)
And the virus also keeps disabling my registry and Task Manager privileges. I got it turned on using Malwarebytes once.
I also tried removing the registry entry which starts the virus file at startup by manually deleting it. But it just keeps adding the registry entry back when I close regedit.exe.

Thank you very much for looking at this.

Here is the log that was requested:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Chandan at 2:00:16.06 on Tue 10/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1039 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k netinfsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMenu.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chandan\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.fujitsu.com/computers
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
mWinlogon: Shell=explorer.exe rundll32.exe cpcp.cpo bef0regiiav
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1FCC2563-F07F-4962-8F3D-7668C3F2010C} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [SSUtility] c:\program files\fujitsu\ssutility\FJSSDMN.exe
mRun: [FjStrtAp] c:\program files\fujitsu\utils\FjStrtAp.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\fjdvrupd.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [derutabaz] Rundll32.exe "c:\windows\system32\nowaboro.dll",a
dRun: [TabletWizard] %windir%\help\wizard.hta
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\npjpi160_05.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: %systemroot%\system32\MSAFDLsp.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: c:\windows\system32\nowaboro.dll,delobevu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: ziyofisom - {8c8ab7a1-d5be-422f-b72a-730a0528d2b1} - c:\windows\system32\nowaboro.dll
STS: gahurihor: {8c8ab7a1-d5be-422f-b72a-730a0528d2b1} - c:\windows\system32\nowaboro.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli zihihaga.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chandan\applic~1\mozilla\firefox\profiles\twl38ie1.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-4-19 8960]
R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2007-4-19 10496]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2007-4-19 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-3 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-10-12 33152]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-16 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R2 NetInfs;Network Interface Service;c:\windows\system32\svchost.exe -k netinfsvc [2007-4-19 14336]
R2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\webdrive\wdfsd.sys [2006-11-11 166912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2007-4-19 17920]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-4-19 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2007-4-19 30976]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-19 36608]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-3-8 92550]
R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-7-5 4608]
R4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-10-16 112592]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 FjGenIo;Fujitsu Generic I/O Driver;c:\windows\system32\drivers\FjGenIo.sys [2007-10-10 7680]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 NinjaVideo Helper.exe;NinjaVideo Helper;c:\program files\ninjavideo\ninjavideo helper\NinjaVideo Helper.exe [2008-4-10 110592]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S4 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe --> c:\program files\spyware doctor\svcntaux.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-21 24652]

=============== Created Last 30 ================

2009-10-20 01:44 <DIR> --d----- c:\program files\Trend Micro
2009-10-20 00:24 <DIR> --d----- c:\docume~1\chandan\applic~1\Malwarebytes
2009-10-20 00:23 <DIR> --d----- c:\docume~1\chandan\applic~1\Intel
2009-10-20 00:23 <DIR> --d----- c:\documents and settings\Chandan
2009-10-20 00:05 205 a------- c:\windows\system32\lk.dat
2009-10-20 00:02 45 a------- c:\windows\system32\pog.dat
2009-10-19 19:20 3 a------- c:\windows\system32\o6.dat
2009-10-19 19:20 1 a------- c:\windows\system32\qsf.dat
2009-10-19 19:20 1 a------- c:\windows\system32\jl.dat
2009-10-19 19:20 1 a------- c:\windows\system32\idm.dat
2009-10-19 19:20 1 a------- c:\windows\system32\fcd.dat
2009-10-19 17:22 6,967 a------- c:\windows\system32\lknm
2009-10-19 17:22 43,520 a------- c:\windows\system32\pcfr32.dll
2009-10-17 05:46 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 05:46 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-17 05:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 13:51 187,184 a------- c:\windows\system32\pskill.exe
2009-10-16 13:30 1,636,304 a------- c:\windows\PCTBDCore.dll
2009-10-16 13:30 1,152,470 a------- c:\windows\UDB.zip
2009-10-16 13:30 767,952 a------- c:\windows\BDTSupport.dll
2009-10-16 13:30 165,840 a------- c:\windows\PCTBDRes.dll
2009-10-16 13:30 149,456 a------- c:\windows\SGDetectionTool.dll
2009-10-16 13:30 882 a------- c:\windows\RegSDImport.xml
2009-10-16 13:30 880 a------- c:\windows\RegISSImport.xml
2009-10-16 13:30 131 a------- c:\windows\IDB.zip
2009-10-16 13:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-16 13:28 229,304 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-10-16 13:28 7,387 a------- c:\windows\system32\drivers\pctgntdi.cat
2009-10-16 13:27 207,280 a------- c:\windows\system32\drivers\PCTCore.sys
2009-10-16 13:27 87,784 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-16 13:27 7,412 a------- c:\windows\system32\drivers\PCTAppEvent.cat
2009-10-16 13:27 7,383 a------- c:\windows\system32\drivers\pctcore.cat
2009-10-16 13:27 70,408 a------- c:\windows\system32\drivers\pctplsg.sys
2009-10-16 13:27 7,383 a------- c:\windows\system32\drivers\pctplsg.cat
2009-10-16 13:27 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-16 13:27 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-16 13:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-16 04:25 26,112 a------- c:\windows\system32\cpcp.cpo
2009-10-12 05:15 178,176 a------- c:\windows\system32\unrar.dll
2009-10-12 05:15 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-10-11 10:27 <DIR> --d----- C:\54eaf688fc80f62de37df8cd6b
2009-10-09 16:57 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-09 16:55 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-01 05:06 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-22 01:37 <DIR> --d----- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-10-09 17:18 175,112 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-09-11 19:43 1,984 a------- c:\windows\system32\d3d9caps.dat
2009-09-11 10:03 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 16:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 03:36 832,512 a------- c:\windows\system32\wininet.dll
2009-08-29 03:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 03:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 04:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-22 15:49 0 a------- c:\windows\system32\drivers\FUJITSU_A1A5J3E617B30000_WXPTPC.MKR
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 08:49 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 08:02 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-30 15:45 104,314 a------- c:\windows\system32\hjgruixfosxela.dat
2008-02-28 15:12 18 a--sh--- c:\windows\WINPROD.DLL
2009-07-19 23:22 39,424 a--sh--- c:\windows\system32\benuyopa.dll
2009-07-18 17:34 38,400 a--sh--- c:\windows\system32\biyeneko.dll
2009-07-19 11:22 39,424 a--sh--- c:\windows\system32\ruvekifo.dll
2009-07-18 17:34 1,114,994 a--sh--- c:\windows\system32\sifajade.exe
2009-07-17 05:34 51,712 a--sh--- c:\windows\system32\sojamuli.dll
2009-07-19 11:22 88,576 a--sh--- c:\windows\system32\tesegigo.dll
2009-07-17 05:34 51,712 a--sh--- c:\windows\system32\tezudute.dll
2009-07-18 05:34 38,400 a--sh--- c:\windows\system32\toruyuhu.dll
2009-07-17 05:34 90,112 a--sh--- c:\windows\system32\vifabihu.dll
2009-07-19 23:22 1,011,245 a--sh--- c:\windows\system32\viyarefi.exe
2009-07-17 17:33 38,400 a--sh--- c:\windows\system32\yujemuza.dll
2009-07-17 05:34 51,712 a--sh--- c:\windows\system32\zihihaga.dll

============= FINISH: 2:01:12.34 ===============

Edited by madspiderman, 20 October 2009 - 01:55 AM.



#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:04:29 AM

Posted 30 October 2009 - 09:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 madspiderman

madspiderman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 31 October 2009 - 02:48 AM

DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 3:44:58.78 on Sat 10/31/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.273 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
C:\Program Files\Windows Defender\MSASCui.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMenu.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k netinfsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SwiftSwitch\SwiftSwitch.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\office12\offlb.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
mWinlogon: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1FCC2563-F07F-4962-8F3D-7668C3F2010C} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RMClock] "c:\program files\rmclock\RMClockLauncher.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [SSUtility] c:\program files\fujitsu\ssutility\FJSSDMN.exe
mRun: [FjStrtAp] c:\program files\fujitsu\utils\FjStrtAp.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [FJUPDNV_Chitose] c:\program files\fujitsu\fjdvrupd\fjdvrupd.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [TabletWizard] %windir%\help\wizard.hta
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoTrayItemsDisplay = 00000000
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: %systemroot%\system32\MSAFDLsp.dll
Trusted Zone: vt.edu\learn
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
AppInit_DLLs: delobevu.dll c:\windows\system32\vuwozisa.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {f603f657-1b6e-4950-837e-891c21d93774} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {27E53DCF-6B78-4088-BE71-5CA5CDCB2624} - rundll32 pcfr32.dll,laspi

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\2j6a01gz.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-4-19 8960]
R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2007-4-19 10496]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2007-4-19 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-3 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-10-12 33152]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-16 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R2 NetInfs;Network Interface Service;c:\windows\system32\svchost.exe -k netinfsvc [2007-4-19 14336]
R2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\webdrive\wdfsd.sys [2006-11-11 166912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2007-4-19 17920]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-4-19 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2007-4-19 30976]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-19 36608]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-3-8 92550]
R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-7-5 4608]
S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
S3 FjGenIo;Fujitsu Generic I/O Driver;c:\windows\system32\drivers\FjGenIo.sys [2007-10-10 7680]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-10-16 112592]
S4 NinjaVideo Helper.exe;NinjaVideo Helper;c:\program files\ninjavideo\ninjavideo helper\NinjaVideo Helper.exe [2008-4-10 110592]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S4 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe --> c:\program files\spyware doctor\svcntaux.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-21 24652]
UnknownUnknown hdqhqjwf;hdqhqjwf; [x]
UnknownUnknown vqdzfahb;vqdzfahb; [x]

=============== Created Last 30 ================

2009-10-31 07:40:08 63 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2009-10-20 05:44:36 0 d-----w- c:\program files\Trend Micro
2009-10-20 04:05:50 205 ----a-w- c:\windows\system32\lk.dat
2009-10-20 04:02:20 45 ----a-w- c:\windows\system32\pog.dat
2009-10-19 23:20:23 3 ----a-w- c:\windows\system32\o6.dat
2009-10-19 23:20:14 1 ----a-w- c:\windows\system32\qsf.dat
2009-10-19 23:20:14 1 ----a-w- c:\windows\system32\jl.dat
2009-10-19 23:20:14 1 ----a-w- c:\windows\system32\fcd.dat
2009-10-19 21:22:40 6967 ----a-w- c:\windows\system32\lknm
2009-10-19 21:22:39 0 ----a-w- c:\windows\system32\pcfr32.dll
2009-10-17 09:46:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 09:46:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 09:46:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 17:51:24 187184 ----a-w- c:\windows\system32\pskill.exe
2009-10-16 17:30:22 882 ----a-w- c:\windows\RegSDImport.xml
2009-10-16 17:30:22 880 ----a-w- c:\windows\RegISSImport.xml
2009-10-16 17:30:22 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-16 17:30:22 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-16 17:30:22 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-16 17:30:22 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-16 17:30:22 131 ----a-w- c:\windows\IDB.zip
2009-10-16 17:30:22 1152470 ----a-w- c:\windows\UDB.zip
2009-10-16 17:29:19 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-16 17:29:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-16 17:28:02 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-10-16 17:28:02 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-16 17:27:58 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-16 17:27:58 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-10-16 17:27:58 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-10-16 17:27:58 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-16 17:27:51 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-10-16 17:27:51 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-16 17:27:41 0 d-----w- c:\program files\Spyware Doctor
2009-10-16 17:27:41 0 d-----w- c:\program files\common files\PC Tools
2009-10-16 17:27:41 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-16 08:25:20 0 ----a-w- c:\windows\system32\cpcp.cpo
2009-10-12 09:15:29 178176 ----a-w- c:\windows\system32\unrar.dll
2009-10-12 09:15:24 0 d-----w- c:\program files\K-Lite Codec Pack
2009-10-11 14:27:56 0 d-----w- C:\54eaf688fc80f62de37df8cd6b
2009-10-09 20:57:53 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-09 20:55:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-01 09:07:48 632 --sha-r- c:\documents and settings\administrator\ntuser.pol
2009-10-01 09:06:25 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2009-10-31 07:40:10 38 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2009-10-30 12:24:58 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 12:49:00 2142720 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 12:02:00 2020864 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-02-28 19:12:55 18 --sha-w- c:\windows\WINPROD.DLL

============= FINISH: 3:46:20.40 ===============


#4 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:04:29 AM

Posted 01 November 2009 - 08:05 AM

Hello madspiderman and welcome to Bleeping Computer!! :(

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in notepad is turned off when copying and pasting logs and only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.

Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista, it may be necessary to right-click and choose Run as Administrator for any programs we use.

Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#5 madspiderman

madspiderman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 01 November 2009 - 02:31 PM

Done. And thank you for helping me.

#6 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:04:29 AM

Posted 08 November 2009 - 07:51 AM

Hello madspiderman,


Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case BitTorrent). These programs allow file sharing between users, as the name(s) suggest. In today's world cyber crime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a huge number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools, and so it is suggested that these tools be used with extreme care. Some further reading on this subject, along with included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes on copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

If you decide to keep this program please refrain from using it until we get your computer clean.

The following is referring to TuneUp Utilities 2007.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

More information about registry cleaners can be found at Miekiemoes Blog


Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step 1.

Download to your desktop FixPolicies, a self-extracting ZIP archive.
  • Double-click FixPolicies.exe.
  • Click the Install button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close.
  • Reboot the computer so the changes can take effect.
Step 2.

I see you have MalwareBytes AntiMalware installed.

Please open MBAM. Click on the Updates tab and allow the program to update.
Click on the Scanner tab and choose Perform Quick Scan then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Step 3.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Step 4.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply please include:

MBAM log
Combofix.txt
Gmer log


Thanks!!
PW

#7 madspiderman

madspiderman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 08 November 2009 - 03:08 PM

Hey,
I tried to uninstall Tuneup but it gave me this error:
"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

Then I tried to update Malwarebytes, but it gave me an error so I couldn't update it. I ran the scan anyways. It deleted a couple of files, had to restart, and saved the log. After I restarted, I started ComboFix. It detected a rootkit or something, I believe, and restarted. And then it deleted some files. And then it restarted again.

After the restart, the blue screen was gone, and I was able to start the computer regularly. No more debugging mode so that was good. But one of my login accounts for windows somehow got deleted. So I had to login on my other windows administrator. When I logged on it gave me the blue screen and restarted the computer, hence there was no combofix log.

After the restart, I tried doing the update for Malwarebytes again and it worked. So I did another scan, and here is the log for that:

Malwarebytes' Anti-Malware 1.41
Database version: 3128
Windows 5.1.2600 Service Pack 2

11/8/2009 2:14:22 PM
mbam-log-2009-11-08 (14-14-22).txt

Scan type: Quick Scan
Objects scanned: 115025
Time elapsed: 8 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1fcc2563-f07f-4962-8f3d-7668c3f2010c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fcc2563-f07f-4962-8f3d-7668c3f2010c} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


After that I ran the combo fix again. It restarted the computer, but still there was no log whatsoever. So I can't upload that.
Although here is the GMER log:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-08 14:54:22
Windows 5.1.2600 Service Pack 2
Running: pwnygq5x.exe; Driver: C:\DOCUME~1\Chandan\LOCALS~1\Temp\kwliqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 89A56490 ZwAlertResumeThread
SSDT 89A447E0 ZwAlertThread
SSDT 89E25BD0 ZwAllocateVirtualMemory
SSDT 89B58498 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA73FE22]
SSDT 89A5C450 ZwCreateMutant
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA720CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA720ECE]
SSDT 89BE14A8 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA740610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA7408C4]
SSDT spzg.sys ZwEnumerateKey [0xF74F6CA2]
SSDT spzg.sys ZwEnumerateValueKey [0xF74F7030]
SSDT 89A0D998 ZwFreeVirtualMemory
SSDT 89A5C418 ZwImpersonateAnonymousToken
SSDT 89A5B0C0 ZwImpersonateThread
SSDT 89B576F8 ZwMapViewOfSection
SSDT 89A5D308 ZwOpenEvent
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA73EB14]
SSDT 89A0C878 ZwOpenProcessToken
SSDT 89A28878 ZwOpenThreadToken
SSDT spzg.sys ZwQueryKey [0xF74F7108]
SSDT 8966A7B0 ZwQueryValueKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA740D30]
SSDT 89A0BD50 ZwResumeThread
SSDT 89A2AC70 ZwSetContextThread
SSDT 89A0FD88 ZwSetInformationProcess
SSDT 89A400C8 ZwSetInformationThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA7400E2]
SSDT 89A5D958 ZwSuspendProcess
SSDT 89A43278 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA720982]
SSDT 89A42788 ZwTerminateThread
SSDT 89A0E5E8 ZwUnmapViewOfSection
SSDT 89DC14A8 ZwWriteVirtualMemory

INT 0x62 ? 8A98EBF8
INT 0x82 ? 8A98EBF8
INT 0x94 ? 89D1BF00
INT 0xA4 ? 89D1BF00
INT 0xA4 ? 89D1BF00
INT 0xA4 ? 89D1BF00
INT 0xA4 ? 89D1BF00
INT 0xA4 ? 89D1BF00
INT 0xA4 ? 89D1BF00
INT 0xB4 ? 8AA02BF8

---- Kernel code sections - GMER 1.0.15 ----

.text TUKERNEL.EXE!ZwYieldExecution + 47A 804E4CB4 5 Bytes [82, 09, 72, BA, 88]
.text TUKERNEL.EXE!ZwYieldExecution + 480 804E4CBA 2 Bytes [A4, 89]
.text TUKERNEL.EXE!ZwYieldExecution + 4A2 804E4CDC 4 Bytes CALL 36D7EDC6
? spzg.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B78F37AE 5 Bytes JMP 89D1B4E0
.text aqb0cosa.SYS B758E384 1 Byte [20]
.text aqb0cosa.SYS B758E384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text aqb0cosa.SYS B758E3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text aqb0cosa.SYS B758E3C4 3 Bytes [00, 00, 00]
.text aqb0cosa.SYS B758E3C9 1 Byte [00]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74DA046] spzg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74DA142] spzg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74DA0C4] spzg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74DA7CE] spzg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74DA6A4] spzg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E5D7A] spzg.sys
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\aqb0cosa.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A98D1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{0A26BEE9-89F9-4317-B3DC-563D1C3B268E} 89D1A500
Device \Driver\usbuhci \Device\USBPDO-0 89DCA1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A98F1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A98F1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A98F1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A98F1F8
Device \Driver\usbuhci \Device\USBPDO-1 89DCA1F8
Device \Driver\usbehci \Device\USBPDO-2 89DF91F8
Device \Driver\usbuhci \Device\USBPDO-3 89DCA1F8
Device \Driver\usbuhci \Device\USBPDO-4 89DCA1F8

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-5 89DCA1F8
Device \Driver\usbehci \Device\USBPDO-6 89DF91F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AA031F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AA031F8
Device \Driver\Cdrom \Device\CdRom0 89BDB1F8
Device \Driver\PCI_PNP2532 \Device\00000065 spzg.sys
Device \Driver\PCI_PNP2532 \Device\00000065 spzg.sys
Device \Driver\Cdrom \Device\CdRom1 89BDB1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [F7B5ED30] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A98E1F8
Device \Driver\atapi \Device\Ide\IdePort0 8A98E1F8
Device \Driver\atapi \Device\Ide\IdePort1 8A98E1F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F7B5ED30] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D1A500
Device \Driver\NetBT \Device\NetbiosSmb 89D1A500
Device \Driver\NetBT \Device\NetBT_Tcpip_{B5854834-5647-4BA3-B407-877BE2DF7CB2} 89D1A500
Device \Driver\sptd \Device\1298748782 spzg.sys

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 89DCA1F8
Device \Driver\usbuhci \Device\USBFDO-1 89DCA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89677500
Device \Driver\usbehci \Device\USBFDO-2 89DF91F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89677500
Device \Driver\usbuhci \Device\USBFDO-3 89DCA1F8
Device \Driver\usbuhci \Device\USBFDO-4 89DCA1F8
Device \Driver\Ftdisk \Device\FtControl 8AA031F8
Device \Driver\usbuhci \Device\USBFDO-5 89DCA1F8
Device \Driver\usbehci \Device\USBFDO-6 89DF91F8
Device \Driver\aqb0cosa \Device\Scsi\aqb0cosa1Port5Path0Target0Lun0 89BB51F8
Device \Driver\aqb0cosa \Device\Scsi\aqb0cosa1 89BB51F8
Device \FileSystem\Cdfs \Cdfs 89693500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD9 0x2B 0x57 0xEB ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0x7A 0xB4 0x64 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1B 0xB7 0x70 0xE0 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0B 0x79 0x54 0x2A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD9 0x2B 0x57 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0x7A 0xB4 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1B 0xB7 0x70 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0B 0x79 0x54 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD9 0x2B 0x57 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0x7A 0xB4 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1B 0xB7 0x70 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0B 0x79 0x54 0x2A ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\InProcServer32@ %SystemRoot%\system32\browseui.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EA07B874-F404-0975-0E56-7458120EC520}\InProcServer32@ThreadingModel Apartment

---- EOF - GMER 1.0.15 ----

Thanks again for helping me. I am happy that there's no blue screen at least. Thanks again!
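A small parser for the SSDT and IAT sections of the GMER log above, added here as an example; it is not part of GMER, ComboFix or anything the helpers in this thread use. It groups hooks by the module GMER attributes them to, files hooks GMER printed only as a kernel address under "unattributed", and records hooking modules GMER reported as not findable on disk. The sample lines are taken from the log posted; the triage rules are this example's own heuristics for what to look at first, not GMER's verdicts.

```python
"""Triage helper for the SSDT / IAT sections of a GMER rootkit-scan log.

Added example for this thread; it is not part of GMER or any other tool
used here. It groups hooked system calls and import-table entries by the
module GMER attributes them to, so a responder can see which drivers are
intercepting what, which hooks GMER could not attribute to any module
(bare kernel addresses), and which hooking modules GMER could not find
on disk, all of which appear in the log posted above.
"""
import re
from collections import defaultdict

# Sample input constructed from lines of the GMER log posted in the thread.
SAMPLE_LOG = """\
---- System - GMER 1.0.15 ----

SSDT 89A56490 ZwAlertResumeThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA73FE22]
SSDT spzg.sys ZwEnumerateKey [0xF74F6CA2]
SSDT spzg.sys ZwQueryKey [0xF74F7108]
SSDT 89E25BD0 ZwAllocateVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? spzg.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74DA046] spzg.sys
IAT \\SystemRoot\\System32\\Drivers\\aqb0cosa.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
"""

# "SSDT <module>.sys (<description>) <ZwFunc> [0xADDR]"; description is optional.
SSDT_NAMED = re.compile(
    r"^SSDT\s+(?P<module>\S+\.sys)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)"
    r"\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$", re.IGNORECASE)
# "SSDT <8-hex-digit address> <ZwFunc>": GMER found no module for the handler.
SSDT_BARE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")
# "IAT <image>[<lib>!<import>] [ADDR] <module>" or "... <import>] ADDR" (no module).
IAT_LINE = re.compile(
    r"^IAT\s+(?P<image>[^\[\s]+)\[(?P<lib>[^!\]]+)!(?P<imp>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<bare>[0-9A-Fa-f]{8}))$")
# "? <module> The system cannot find the file specified. !"
MISSING_FILE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")

UNATTRIBUTED = "unattributed"


def parse_gmer_hooks(text):
    """Parse GMER SSDT/IAT lines.

    Returns (ssdt, iat, missing): ssdt maps owner -> hooked Zw* names, iat maps
    owner -> "image -> lib!import" strings, missing is the set of hooking
    modules GMER reported as not present on disk. Owner names are lower-cased;
    hooks GMER printed only as a kernel address are filed under UNATTRIBUTED.
    """
    ssdt, iat, missing = defaultdict(list), defaultdict(list), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_NAMED.match(line):
            ssdt[m["module"].lower()].append(m["func"])
        elif m := SSDT_BARE.match(line):
            ssdt[UNATTRIBUTED].append(m["func"])
        elif m := IAT_LINE.match(line):
            owner = m["module"].lower() if m["module"] else UNATTRIBUTED
            image = m["image"].rsplit("\\", 1)[-1].lower()
            iat[owner].append(f"{image} -> {m['lib']}!{m['imp']}")
        elif m := MISSING_FILE.match(line):
            missing.add(m["module"].lower())
    return dict(ssdt), dict(iat), missing


def triage(text):
    """Return a list of findings a responder should look at first.

    The rules are this example's heuristics for what stands out in the log
    above: hooks with no owning module, one owner hooking both the registry
    enumeration syscalls and the disk stack's port I/O imports (the pattern
    of the sptd driver in this log), and hooking modules not found on disk.
    """
    ssdt, iat, missing = parse_gmer_hooks(text)
    findings = []
    for owner in sorted(set(ssdt) | set(iat)):
        if owner == UNATTRIBUTED:
            n = len(ssdt.get(owner, [])) + len(iat.get(owner, []))
            findings.append(f"{n} hook(s) with no owning module (bare kernel addresses)")
            continue
        reg_hooks = [f for f in ssdt.get(owner, []) if "Key" in f]
        disk_iat = [e for e in iat.get(owner, []) if e.startswith("atapi.sys ->")]
        if reg_hooks and disk_iat:
            findings.append(f"{owner} hooks registry syscalls {reg_hooks} and atapi.sys port I/O")
        if owner in missing:
            findings.append(f"{owner} hooks the kernel but GMER could not find it on disk")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a full saved gmer.log instead of SAMPLE_LOG to get the same grouping for every SSDT and IAT line GMER emitted.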

#8 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:04:29 AM

Posted 09 November 2009 - 07:12 PM

Hello madspiderman,

We will address the Windows Installer issue later, but first I need you to post Combofix.txt.

Using Windows Explorer please navigate to C:\qoobox\ComboFixX.txt where X is the highest number. Click on that file to open and post it in your next reply.

Thanks!!
PW

#9 madspiderman

madspiderman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 10 November 2009 - 08:54 AM

I went into the Qoobox folder but there was no file called ComboFix.txt in there. There are only more folders named BackEnv, LastRun, Quarantine, Test, and TestC.

#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:04:29 AM

Posted 12 November 2009 - 11:36 AM

Hi madspiderman,

Let's look at another location for ComboFix.txt

Using Windows Explorer please navigate to C:\ComboFix.txt. Click on that file to open and post it in your next reply.

Let's get another opinion.

Step 1.

RootRepeal - Rootkit Detector


Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Step 2.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
In your next reply please include:

Combofix.txt
RootRepeal.txt
ESET Scan


Thanks!!!
PW

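Once RootRepeal.txt comes back, the work is deciding which of its entries matter. The script below is an added example, not code from this thread, from BleepingComputer or from RootRepeal itself: it parses the report layout RootRepeal 1.3.x writes (a title line and dash rule per section, blank-line-separated Key: value records, as in the report posted later in this thread) and ranks entries the way a responder reads them. A driver loaded from a user's Temp directory and SSDT entries whose hooking module RootRepeal cannot attribute ("<unknown>") go to the top; the ACL-protected System Restore store and a browser cache that was being written during the scan are down-ranked as the usual noise. The sample report embedded in it is constructed (abbreviated from the one posted further down), and the severity labels and noise rules are the example's own heuristics, not RootRepeal's.

```python
"""Triage a RootRepeal report so the entries that matter are read first.
Added example for this thread (not BleepingComputer's or RootRepeal's code);
the severity rules below are this example's own heuristics."""
import re

# Constructed sample, abbreviated from the RootRepeal 1.3.5 report posted in this thread.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Name: kwliqpoc.sys
Image Path: C:\DOCUME~1\Chandan\LOCALS~1\Temp\kwliqpoc.sys

Name: spzg.sys
Image Path: spzg.sys

Hidden/Locked Files
-------------------
Path: c:\documents and settings\chandan\local settings\application data\mozilla\firefox\profiles\twl38ie1.default\cache\b4735716d01
Status: Size mismatch (API: 23003136, Raw: 10223616)

Path: D:\System Volume Information\_restore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP852
Status: Invisible to the Windows API!

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80588fbb

#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89a56490

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89e25bd0
"""

_TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
_NOISE = re.compile(r"\\System Volume Information\\|\\cache\\", re.I)
_HOOK = re.compile(r'^Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)$')
_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\S+)$")
_RULE = re.compile(r"-{5,}")


def parse(report: str) -> dict:
    """Map section title -> list of 'Key: value' record dicts (blank-line separated).
    SSDT rows '#: n Function Name: x' are stored under the key 'Function'."""
    lines = [ln.strip() for ln in report.splitlines()]
    sections, section, rec = {}, "Header", {}
    for i, line in enumerate(lines + [""]):  # trailing "" flushes the last record
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and _RULE.fullmatch(nxt):  # title line followed by a dash rule
            section = re.sub(r"^(Path:\s*)?\\*", "", line)  # some builds prefix the title
            continue
        if not line:
            if rec:
                sections.setdefault(section, []).append(rec)
            rec = {}
            continue
        m = _FUNC.match(line)
        if m:
            rec["Function"] = m.group(1)
            continue
        key, sep, value = line.partition(":")  # first colon only: 'Image Path: C:\...'
        if sep:
            rec[key.strip()] = value.strip()
    return sections


def triage(report: str) -> list:
    """Return (severity, section, detail) tuples, HIGH first."""
    sections, out = parse(report), []
    for d in sections.get("Drivers", []):
        name, path = d.get("Name", "?"), d.get("Image Path", "")
        if _TEMP_DIR.search(path):  # real drivers install under system32\drivers, not Temp
            out.append(("HIGH", "Drivers", f"{name} loaded from Temp: {path}"))
        elif "\\" not in path:  # RootRepeal could not resolve where the image lives
            out.append(("REVIEW", "Drivers", f"{name}: image path not resolved"))
        # 'File Visible: No' is not used alone: the scanner's own rootrepeal.sys shows it too.
    for f in sections.get("Hidden/Locked Files", []):
        path, status = f.get("Path", ""), f.get("Status", "")
        hidden = "Invisible" in status or "Size mismatch" in status
        # ACL-protected System Restore store and a cache written mid-scan: usual benign sources.
        sev = "LOW" if _NOISE.search(path) else "HIGH" if hidden else "REVIEW"
        out.append((sev, "Hidden/Locked Files", f"{path} -> {status}"))
    for h in sections.get("SSDT", []):
        m = _HOOK.match(h.get("Status", ""))
        if m and m.group(1) == "<unknown>":
            # Target lies in no module RootRepeal can enumerate: the table was patched by a hidden image.
            # Entries resolved to the booted kernel file (TUKERNEL.EXE here, not stock ntoskrnl.exe) are normal.
            out.append(("HIGH", "SSDT", f"{h.get('Function')} -> {m.group(2)}"))
    rank = {"HIGH": 0, "REVIEW": 1, "LOW": 2}
    return sorted(out, key=lambda x: rank[x[0]])  # stable: keeps report order within a level


if __name__ == "__main__":
    for sev, section, detail in triage(SAMPLE_REPORT):
        print(f"[{sev}] {section}: {detail}")
```

Run it as-is to see the ranked list, or replace SAMPLE_REPORT with the text of a saved RootRepeal.txt. Two things it deliberately does not key on: "File Visible: No" appears on every driver in the posted report, rootrepeal.sys included, so it carries no signal on its own; and SSDT entries resolved to the booted kernel image are the table's normal dispatch targets, which RootRepeal lists as "hooked" because the kernel file in use (TUKERNEL.EXE) is not the stock ntoskrnl.exe it expects, consistent with the kernel-mismatch warning the tool showed at startup.
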
#11 madspiderman

madspiderman
  • Topic Starter

  • Members
  • 15 posts

Posted 14 November 2009 - 11:16 AM

Combofix wasn't there either.
I ran RootRepeal but at first it gave me an error.
"Mismatch between the kernel reported by windows and the one reported by hardware scan. Do you want to use kernel reported by windows?"
I hit no for that and then RootRepeal popped up. I did the whole scan and then when the scan ended it gave me an error which said "Could not read the registry. Contact the author." Something like that. But I did get the txt file from it so here it is.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/13 08:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP Tablet PC Edition SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9EC11000 Size: 778240 File Visible: No Signed: -
Status: -

Name: kwliqpoc.sys
Image Path: C:\DOCUME~1\Chandan\LOCALS~1\Temp\kwliqpoc.sys
Address: 0x9C7F8000 Size: 87040 File Visible: No Signed: -
Status: -

Name: PCI_PNP2532
Image Path: \Driver\PCI_PNP2532
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9C758000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spzg.sys
Image Path: spzg.sys
Address: 0xF74D8000 Size: 1040384 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Chandan\Application Data\Macromedia\Flash Player\#SharedObjects\HVUQGCPV\wwwstatic.megavideo.com\megavideoads.sol
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\chandan\local settings\application data\mozilla\firefox\profiles\twl38ie1.default\cache\b4735716d01
Status: Size mismatch (API: 23003136, Raw: 10223616)

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{996E336A-58F5-476F-9F9E-844E1723D7CB}
Status: Visible to the Windows API, but not on disk.

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP852
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP854
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP855
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP856
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP857
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP859
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP860
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP861
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP862
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP863
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP864
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP865
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP866
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP867
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP868
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP869
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP870
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP871
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP872
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP873
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP875
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP876
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP877
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP878
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP775
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP796
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP825
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP851
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP769
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP770
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP771
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP772
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP773
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP774
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP776
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP777
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP778
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP779
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP780
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP781
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP782
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP783
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP784
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP785
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP786
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP787
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP788
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP789
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP790
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP791
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP792
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP793
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP794
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP795
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP797
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP798
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP799
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP800
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP801
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP802
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP803
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP804
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP805
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP806
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP807
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP808
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP809
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP810
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP811
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP812
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP813
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP814
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP823
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP824
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP827
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP828
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP829
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP831
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP832
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP833
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP834
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP835
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP837
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP838
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP839
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP840
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP841
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP842
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP845
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP846
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP847
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP848
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP849
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP850
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP852\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP852\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP852\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP854\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP854\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP854\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP855\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP855\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP855\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP856\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP856\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP856\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP857\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP857\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP857\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP859\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP859\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP859\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP860\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP860\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP860\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP861\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP861\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP861\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP862\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP862\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP862\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP863\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP863\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP863\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP864\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP864\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP864\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP865\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP865\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP865\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP866\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP866\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP866\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP867\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP867\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP867\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP868\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP868\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP868\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP869\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP869\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP869\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP870\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP870\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP870\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP871\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP871\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP871\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP872\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP872\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP872\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP873\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP873\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP873\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\A0093106.ini
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\A0093136.ini
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\A0094257.ini
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\change.log.2
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\change.log.3
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\change.log.4
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\change.log.5
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP874\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP875\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP875\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP875\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP876\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP876\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP876\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP877\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP877\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP877\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP878\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP878\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP878\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP775\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP775\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP775\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP796\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP796\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP796\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP825\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP825\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP825\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP851\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP851\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP851\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP769\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP769\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP769\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP770\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP770\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP770\RestorePointSize
Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP771\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP771\change.log.1
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_rթstore{996E336A-58F5-476F-9F9E-844E1723D7CB}\RP771\RestorePointSize
Status: Invisible to the Windows API!

Path: \\SSDT
-------------------
ServiceTable Hooked [0x805614c0]!

#: 000 Function Name: NtAcceptConnectPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80588fbb

#: 001 Function Name: NtAccessCheck
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057c8e4

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805aecb8

#: 003 Function Name: NtAccessCheckByType
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ad021

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805aed3f

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063e3e4

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80640575

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806405be

#: 008 Function Name: NtAddAtom
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80578f6e

#: 009 Function Name: NtAddBootEntry
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e28b

#: 010 Function Name: NtAdjustGroupsToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063dba7

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ae676

#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89a56490

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89a447e0

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a91d5

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062cd0a

#: 016 Function Name: NtAllocateUuids
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a3519

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89e25bd0

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a4415

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a501c

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e277

#: 022 Function Name: NtCancelIoFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b83ab

#: 023 Function Name: NtCancelTimer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x804ebbb7

#: 024 Function Name: NtClearEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056f718

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056e9e9

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a8b7e

#: 027 Function Name: NtCompactKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80654597

#: 028 Function Name: NtCompareTokens
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a7d92

#: 029 Function Name: NtCompleteConnectPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80587de6

#: 030 Function Name: NtCompressKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80654805

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89b58498

#: 033 Function Name: NtCreateDebugObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065f554

#: 034 Function Name: NtCreateDirectoryObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b9add

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057545b

#: 036 Function Name: NtCreateEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e8dc

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057e500

#: 038 Function Name: NtCreateIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805afddb

#: 039 Function Name: NtCreateJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e4714

#: 040 Function Name: NtCreateJobSet
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80636361

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xba73fe22

#: 042 Function Name: NtCreateMailslotFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e5dd4

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89a5c450

#: 044 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058999e

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805c4381

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80594d80

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xba720cdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xba720ece

#: 049 Function Name: NtCreateProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064eefd

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056ce25

#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805793d2

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a3fa8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89be14a8

#: 054 Function Name: NtCreateTimer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80596d39

#: 055 Function Name: NtCreateToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b5f03

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b9e48

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806606d1

#: 058 Function Name: NtDebugContinue
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8066082b

#: 059 Function Name: NtDelayExecution
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056db59

#: 060 Function Name: NtDeleteAtom
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a803e

#: 061 Function Name: NtDeleteBootEntry
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e277

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e3eea

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xba740610

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80640615

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xba7408c4

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058969a

#: 067 Function Name: NtDisplayString
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805c5820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80580714

#: 069 Function Name: NtDuplicateToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057cc1c

#: 070 Function Name: NtEnumerateBootEntries
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e28b

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spzg.sys" at address 0xf74f6ca2

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e263

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spzg.sys" at address 0xf74f7030

#: 074 Function Name: NtExtendSection
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062bcc9

#: 075 Function Name: NtFilterToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dee2d

#: 076 Function Name: NtFindAtom
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805af652

#: 077 Function Name: NtFlushBuffersFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80582de5

#: 078 Function Name: NtFlushInstructionCache
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80585f07

#: 079 Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b3e35

#: 080 Function Name: NtFlushVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a63f0

#: 081 Function Name: NtFlushWriteBuffer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062d569

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062d0bf

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89a0d998

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057cfde

#: 085 Function Name: NtGetContextThread
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80633e49

#: 086 Function Name: NtGetDevicePowerState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80632317

#: 087 Function Name: NtGetPlugPlayEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80599fca

#: 088 Function Name: NtGetWriteWatch
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8053ebf9

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89a5c418

#: 090 Function Name: NtImpersonateClientOfPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a7705

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89a5b0c0

#: 092 Function Name: NtInitializeRegistry
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ba04d

#: 093 Function Name: NtInitiatePowerAction
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806320e3

#: 094 Function Name: NtIsProcessInJob
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80636217

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806322fe

#: 096 Function Name: NtListenPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dc48c

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b8ba9

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805df2f6

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805df144

#: 100 Function Name: NtLockFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a8632

#: 101 Function Name: NtLockProductActivationKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dc558

#: 102 Function Name: NtLockRegistryKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805da37b

#: 103 Function Name: NtLockVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805bdc85

#: 104 Function Name: NtMakePermanentObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a42c0

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a4209

#: 106 Function Name: NtMapUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062c366

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062c7bf

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89b576f8

#: 109 Function Name: NtModifyBootEntry
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e277

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ac48c

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805adf1b

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805add2d

#: 113 Function Name: NtOpenDirectoryObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80587723

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89a5d308

#: 115 Function Name: NtOpenEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e9cd

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057e674

#: 117 Function Name: NtOpenIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8061fb23

#: 118 Function Name: NtOpenJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806365b9

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xba73eb14

#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805797f8

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e8435

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80580ba8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89a0c878

#: 124 Function Name: NtOpenProcessTokenEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057669d

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805792a3

#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a4387

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805876a6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ae1fd

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x89a28878

#: 130 Function Name: NtOpenThreadTokenEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80574e04

#: 131 Function Name: NtOpenTimer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e803

#: 132 Function Name: NtPlugPlayControl
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80595e05

#: 133 Function Name: NtPowerInformation
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b3ffa

#: 134 Function Name: NtPrivilegeCheck
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80596100

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a365f

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805dc210

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80580d2f

#: 138 Function Name: NtPulseEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b9da0

#: 139 Function Name: NtQueryAttributesFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057a0c0

#: 140 Function Name: NtQueryBootEntryOrder
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e28b

#: 141 Function Name: NtQueryBootOptions
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e28b

#: 142 Function Name: NtQueryDebugFilterState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x804fb511

#: 143 Function Name: NtQueryDefaultLocale
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056e139

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80586e9d

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80581307

#: 146 Function Name: NtQueryDirectoryObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058ee40

#: 147 Function Name: NtQueryEaFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8061fd6c

#: 148 Function Name: NtQueryEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058748d

#: 149 Function Name: NtQueryFullAttributesFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805847fa

#: 150 Function Name: NtQueryInformationAtom
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ba48a

#: 151 Function Name: NtQueryInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057fb72

#: 152 Function Name: NtQueryInformationJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058bac3

#: 153 Function Name: NtQueryInformationPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80629969

#: 154 Function Name: NtQueryInformationProcess
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80574fee

#: 155 Function Name: NtQueryInformationThread
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057464a

#: 156 Function Name: NtQueryInformationToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80575534

#: 157 Function Name: NtQueryInstallUILanguage
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80587fd7

#: 158 Function Name: NtQueryIntervalProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f3af

#: 159 Function Name: NtQueryIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8061fbe4

#: 160 Function Name: NtQueryKey
Status: Hooked by "spzg.sys" at address 0xf74f7108

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80653fb8

#: 162 Function Name: NtQueryMutant
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064ed36

#: 163 Function Name: NtQueryObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058a02f

#: 164 Function Name: NtQueryOpenSubKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806541be

#: 165 Function Name: NtQueryPerformanceCounter
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056f8fb

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062061d

#: 167 Function Name: NtQuerySection
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80586354

#: 168 Function Name: NtQuerySecurityObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80595128

#: 169 Function Name: NtQuerySemaphore
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064db3b

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80587517

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e2b3

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e24d

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80584945

#: 174 Function Name: NtQuerySystemTime
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a8f65

#: 175 Function Name: NtQueryTimer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805acc20

#: 176 Function Name: NtQueryTimerResolution
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058c9e9

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x8966a7b0

#: 178 Function Name: NtQueryVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805799d7

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057e7b2

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805acb7b

#: 182 Function Name: NtRaiseHardError
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064d877

#: 183 Function Name: NtReadFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80579ceb

#: 184 Function Name: NtReadFileScatter
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80620ef3

#: 185 Function Name: NtReadRequestData
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a7c1d

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805867d8

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80585ceb

#: 188 Function Name: NtReleaseMutant
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056dbc4

#: 189 Function Name: NtReleaseSemaphore
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80582fb9

#: 190 Function Name: NtRemoveIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056e65f

#: 191 Function Name: NtRemoveProcessDebug
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806607a6

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xba740d30

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806548f2

#: 194 Function Name: NtReplyPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057c915

#: 195 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80574629

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80574141

#: 197 Function Name: NtReplyWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80629a48

#: 198 Function Name: NtRequestDeviceWakeup
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8063228b

#: 199 Function Name: NtRequestPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e86b3

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805781a2

#: 201 Function Name: NtRequestWakeupLatency
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80632084

#: 202 Function Name: NtResetEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805970a5

#: 203 Function Name: NtResetWriteWatch
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8053f072

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80653410

#: 205 Function Name: NtResumeProcess
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80635e5a

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x89a0bd50

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806534b7

#: 208 Function Name: NtSaveKeyEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065354f

#: 209 Function Name: NtSaveMergedKeys
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80653623

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805887f1

#: 211 Function Name: NtSetBootEntryOrder
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e28b

#: 212 Function Name: NtSetBootOptions
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e28b

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89a2ac70

#: 214 Function Name: NtSetDebugFilterState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80662188

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805bf911

#: 216 Function Name: NtSetDefaultLocale
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e4d81

#: 217 Function Name: NtSetDefaultUILanguage
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e4d28

#: 218 Function Name: NtSetEaFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806202b1

#: 219 Function Name: NtSetEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056f689

#: 220 Function Name: NtSetEventBoostPriority
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057a997

#: 221 Function Name: NtSetHighEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064ecc1

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064ebe5

#: 223 Function Name: NtSetInformationDebugObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80660145

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805833c8

#: 225 Function Name: NtSetInformationJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e4868

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80653b1b

#: 227 Function Name: NtSetInformationObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80587f56

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89a0fd88

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89a400c8

#: 230 Function Name: NtSetInformationToken
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b559d

#: 231 Function Name: NtSetIntervalProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064eedb

#: 232 Function Name: NtSetIoCompletion
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8057490f

#: 233 Function Name: NtSetLdtEntries
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80634d73

#: 234 Function Name: NtSetLowEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064ec57

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064eb73

#: 236 Function Name: NtSetQuotaInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806205f5

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a6e94

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e550

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e24d

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805e5227

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8066d103

#: 242 Function Name: NtSetSystemTime
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064d52b

#: 243 Function Name: NtSetThreadExecutionState
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ea29a

#: 244 Function Name: NtSetTimer
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x804e7a15

#: 245 Function Name: NtSetTimerResolution
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805ea561

#: 246 Function Name: NtSetUuidSeed
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805df455

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xba7400e2

#: 248 Function Name: NtSetVolumeInformationFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80620b31

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064cc77

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8051b9d9

#: 251 Function Name: NtStartProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f144

#: 252 Function Name: NtStopProfile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f2fd

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89a5d958

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89a43278

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064f45d

#: 256 Function Name: NtTerminateJobObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80636737

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xba720982

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89a42788

#: 259 Function Name: NtTestAlert
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805856f9

#: 260 Function Name: NtTraceEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80548e38

#: 261 Function Name: NtTranslateFilePath
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064e29f

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806231dc

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806536e9

#: 264 Function Name: NtUnloadKeyEx
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x806538e6

#: 265 Function Name: NtUnlockFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a8792

#: 266 Function Name: NtUnlockVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8062d5dd

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89a0e5e8

#: 268 Function Name: NtVdmControl
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805bd2b6

#: 269 Function Name: NtWaitForDebugEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8065fe90

#: 270 Function Name: NtWaitForMultipleObjects
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056dca1

#: 271 Function Name: NtWaitForSingleObject
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8056d265

#: 272 Function Name: NtWaitHighEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064eb09

#: 273 Function Name: NtWaitLowEventPair
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8064ea9f

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x8058364d

#: 275 Function Name: NtWriteFileGather
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805b8711

#: 276 Function Name: NtWriteRequestData
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805a7ca1

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89dc14a8

#: 278 Function Name: NtYieldExecution
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x80509044

#: 279 Function Name: NtCreateKeyedEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 0x805d248a

#: 280 Function Name: NtOpenKeyedEvent
Status: Hooked by "C:\WINDOWS\system32\TUKERNEL.EXE" at address 

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: Volume{8, IRP_MJ_CREATE]
Process: System Address: 0x89bb51f8 Size: 121

Object: Hidden Code [Driver: Volume{8, IRP_MJ_CLOSE]
Process: System Address: 0x89bb51f8 Size: 121

Object: Hidden Code [Driver: Volume{8, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89bb51f8 Size: 121

Object: Hidden Code [Driver: Volume{8, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89bb51f8 Size: 121

Object: Hidden Code [Driver: Volume{8, IRP_MJ_POWER]
Process: System Address: 0x89bb51f8 Size: 121

Object: Hidden Code [Driver: Volume{8, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89bb51f8 Size: 121

Object: Hidden Code [Driver: Volume{8, IRP_MJ_PNP]
Process: System Address: 0x89bb51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a98f1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89dca1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89dca1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89dca1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89dca1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89dca1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89dca1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89dca1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8aa031f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89d1a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89d1a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89d1a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89d1a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89d1a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89d1a500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89df91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89df91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89df91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89df91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89df91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89df91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89df91f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89677500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_CREATE]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_CLOSE]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_READ]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_CLEANUP]
Process: System Address: 0x89693500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵆湦ȁధ浗灩㻔STORAG, IRP_MJ_PNP]
Process: System Address: 0x89693500 Size: 121

==EOF==

Here is the ESET Scanner file.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.OF virus deleted - quarantined

Thank you.
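An added triage helper, not part of this thread or of RootRepeal, that parses the two-line SSDT hook and "Stealth Objects" entries in the log above, flags hooks owned by "<unknown>" modules (handlers outside any loaded image), and groups hidden-code entries per driver by handler address. Treating TUKERNEL.EXE, the replacement kernel installed by TuneUp Utilities (which the helper asks to have uninstalled), as an expected hooker is an assumption; the sample input is excerpted from the posted log.

```python
"""Triage a RootRepeal-style log: SSDT hook entries and "Stealth Objects".
Added example, not from the thread or from RootRepeal. Treating TUKERNEL.EXE
(TuneUp Utilities' replacement kernel) as an expected hooker is an assumption."""
import re
from collections import defaultdict

# Two-line SSDT entry: '#: N Function Name: X' / 'Status: Hooked by "M" at address 0x..'
SSDT_RE = re.compile(r'#: (\d+) Function Name: (\w+)\s+'
                     r'Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# Two-line stealth entry: 'Object: Hidden Code [Driver: D, IRP_MJ_X]' / 'Process: P Address: 0x.. Size: S'
STEALTH_RE = re.compile(r'Object: Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\]\s+'
                        r'Process: (\S+) Address: (0x[0-9a-fA-F]+) Size: (\d+)')

# Modules expected to hook the SSDT on this machine (assumption, see lead-in).
EXPECTED_HOOKERS = {r"c:\windows\system32\tukernel.exe"}

# Sample input: lines excerpted from the log posted above.
SAMPLE_LOG = """\
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89a0e5e8

#: 268 Function Name: NtVdmControl
Status: Hooked by "C:\\WINDOWS\\system32\\TUKERNEL.EXE" at address 0x805bd2b6

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89dc14a8

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a98d1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a98e1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a98e1f8 Size: 121
"""


def unexpected_hooks(log_text):
    """SSDT hooks not owned by an expected module. A "<unknown>" owner means the
    handler lies outside every loaded image, a strong rootkit indicator."""
    return [(int(n), name, mod, addr)
            for n, name, mod, addr in SSDT_RE.findall(log_text)
            if mod.lower() not in EXPECTED_HOOKERS]


def hidden_code_by_driver(log_text):
    """driver -> {handler address -> sorted IRP majors}. Every IRP of a driver
    routed through one small block at the same address is what a patched
    dispatch table looks like in this log; group it so it is read per driver."""
    table = defaultdict(lambda: defaultdict(set))
    for driver, irp, _proc, addr, _size in STEALTH_RE.findall(log_text):
        table[driver][addr].add(irp)
    return {d: {a: sorted(i) for a, i in addrs.items()} for d, addrs in table.items()}


if __name__ == "__main__":
    print(unexpected_hooks(SAMPLE_LOG), hidden_code_by_driver(SAMPLE_LOG), sep="\n")
```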

#12 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 15 November 2009 - 06:29 PM

Hello madspiderman

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please try again to uninstall TuneUp Utilities 2007 via Add/Remove Programs

How is your computer running? Any problems?

Thanks!!
PW

#13 madspiderman
  • Topic Starter

  • Members
  • 15 posts

Posted 16 November 2009 - 08:51 AM

I am still getting a message.
"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I got this after installing the WindowsInstaller file you told me to install. So I couldn't remove older versions of Java from Add/Remove.

I am also getting random ad pop-ups. And my Symantec will randomly pop up that it has caught an adware or spyware. I believe it called it "fake AV".

Thanks again for helping me.

#14 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 16 November 2009 - 10:46 AM

Hi madspiderman

My coach is having computer problems so it might be a couple of days before I can get back to you.

Thanks!!
PW

#15 madspiderman
  • Topic Starter

  • Members
  • 15 posts

Posted 16 November 2009 - 11:45 AM

Alrighty, thanks for keeping me posted. :(
