HijackThis Log: Please help Diagnose


This topic is locked
31 replies to this topic

#1 K_Town

K_Town

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 13 November 2009 - 07:15 AM

Hi, the problem I am having is that browser windows are opening at random and certain pages I click on are being redirected to different sites. This problem started on Tuesday 10th November '09.

I have run Avast 4.8 Home Edition and it has returned a number of results all of which are now in the Virus Chest:

XXXX = user's name.

C:\Windows\System32 - Win32:Rootkit-gen [Rtk]
C:\Users\XXXX\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XELGWGFM\3.01[1].exe - Win32:Trojan-gen
C:\Users\XXXX\AppData\Local\Temp\3.01.exe - Win32:Trojan-gen
I:\autorun.inf - BV:AutoRun-G [Wrm]
C:\$RECYCLE.BIN\S-1-5-21-837330612-2378831076-2722832470-1000\$R9SCR0K.exe - Win32:Malware-gen
C:\$RECYCLE.BIN\S-1-5-21-837330612-2378831076-2722832470-1000\$RLKSYZJ.exe - Win32:Malware-gen


I had turned off C:\ restore points, then had Avast do a boot-time scan, after which I turned the restore points on C:\ back on.

I've now run HijackThis but need some interpretation of the results, plus any advice on how to clean my laptop. Thanks guys.

HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:07 a.m., on 13/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\System32\ASUSTPE.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\PING.EXE
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUSTPE] C:\Windows\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nvdsp] C:\svchosts.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [{D78E3EB4-70A0-BA37-DC89-F4940E2F8C41}] C:\Users\Kaleb\AppData\Roaming\pl0x.exe
O4 - HKCU\..\Run: [nvdsp] C:\svchosts.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.inforiviera.it/new_webcam/AxisCamControl.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: ESET Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 10304 bytes

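The O4 (Run key) and O23 (service) lines in the log above are the entries a helper reads first. As an added example, not code from the post or from HijackThis, the Python script below parses those two line types and flags the patterns a defender looks for: a binary in the drive root, a binary run from the user profile, a file name one edit away from a Windows system binary, a GUID-named Run value, and a service whose file is missing. The sample lines are copied from the log; the rules and the SYSTEM_NAMES list are this script's own assumptions.

```python
"""Heuristic triage of HijackThis O4 (Run key) and O23 (service) lines.

Constructed example: the sample lines are copied from the log posted above;
the rules, thresholds and the SYSTEM_NAMES list are this script's own
assumptions, not anything HijackThis itself implements.
"""
import re
from dataclasses import dataclass, field

# Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                "winlogon.exe", "services.exe", "rundll32.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd):
    """Executable path from a Run-key command line, without quotes or arguments."""
    m = re.match(r'"?(?P<p>.*?\.exe)', cmd.strip(), re.IGNORECASE)
    return m.group("p") if m else cmd.strip()


def check_run_entry(name, cmd):
    """Rules for one O4 line; returns the list of reasons it looks suspicious."""
    reasons = []
    path = image_path(cmd)
    low = path.lower()
    base = low.split("\\")[-1]
    if re.match(r"^[a-z]:\\[^\\]+$", low):
        reasons.append("executable sits in the drive root, outside any program directory")
    if "\\appdata\\" in low or "\\temp\\" in low:
        reasons.append("executable runs from a user-writable profile directory")
    if base not in SYSTEM_NAMES and any(edit_distance(base, s) == 1 for s in SYSTEM_NAMES):
        reasons.append(f"file name '{base}' is one edit away from a Windows system binary")
    if GUID_RE.match(name):
        reasons.append("Run value is named with a bare GUID, typical of generated dropper entries")
    return reasons


def check_service_entry(owner, path):
    """Rules for one O23 line."""
    reasons = []
    if path.endswith("(file missing)"):
        reasons.append("service points at a binary that no longer exists (orphaned entry)")
    elif owner == "Unknown owner":
        reasons.append("service binary carries no vendor name; verify its origin")
    return reasons


def triage(log_text):
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := O4_RE.match(line)):
            reasons = check_run_entry(m.group("name"), m.group("cmd"))
        elif (m := O23_RE.match(line)):
            reasons = check_service_entry(m.group("owner"), m.group("path"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: lines taken from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nvdsp] C:\svchosts.exe
O4 - HKCU\..\Run: [{D78E3EB4-70A0-BA37-DC89-F4940E2F8C41}] C:\Users\Kaleb\AppData\Roaming\pl0x.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, only the svchosts.exe, pl0x.exe and orphaned ESET entries are reported; the vendor-installed Run entries pass without a finding.
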
#2 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 16 November 2009 - 07:49 AM

Apologies - not trying to bump this thread; however, reading other threads, I should have run dds and posted the results.

As follows:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Kaleb at 12:39:54.17 on Mon 16/11/2009
Internet Explorer: 7.0.6000.16916 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.64.1033.18.1919.845 [GMT 0:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! antivirus 4.8.1351 [VPS 091116-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1351 [VPS 091116-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Windows\System32\TUProgSt.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\System32\ASUSTPE.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\mobsync.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Kaleb\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/home.php?
uDefault_Page_URL = hxxp://www.asus.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.asus.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [{D78E3EB4-70A0-BA37-DC89-F4940E2F8C41}] c:\users\kaleb\appdata\roaming\pl0x.exe
uRun: [nvdsp] C:\svchosts.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ASUSTPE] c:\windows\system32\ASUSTPE.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ASUS Camera ScreenSaver] c:\windows\ASScrProlog.exe
mRun: [ASUS Screen Saver Protector] c:\windows\ASScrPro.exe
mRun: [PowerForPhone] c:\program files\powerforphone\PowerForPhone.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [nvdsp] C:\svchosts.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www4.snapfish.co.nz/SnapfishActivia.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://www.inforiviera.it/new_webcam/AxisCamControl.ocx
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {FJ2CBKNW-23CG-61IG-XBF3-0KVRO34F0IEN} - C:\svchosts.exe Restart
mASetup: ccc-core-static - msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb

================= FIREFOX ===================

FF - ProfilePath - c:\users\kaleb\appdata\roaming\mozilla\firefox\profiles\sdyeyxou.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 tblewdsk;tblewdsk;c:\windows\system32\drivers\tblewdsk.sys [2009-4-14 39296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-9 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-8-9 53328]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2006-12-11 24576]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-8-7 604488]
R3 Atc002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;c:\windows\system32\drivers\L260x86.sys [2006-12-13 25600]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2007-1-19 1324544]
R3 WCPU;WCPU;c:\program files\p4g\WCPU.sys [2007-4-3 11120]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-11-12 30336]
S4 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]

=============== Created Last 30 ================

2009-11-13 16:50:20 57344 ------w- c:\windows\system32\winbhsdll.dll
2009-11-13 16:21:15 581632 --sha-r- c:\users\kaleb\appdata\roaming\plugin.dat
2009-11-13 13:38:18 0 d-----w- C:\Pandorum
2009-11-13 10:39:57 0 d-----w- c:\program files\Trend Micro
2009-11-13 10:20:57 0 d-----w- c:\program files\CCleaner
2009-11-12 16:22:37 90112 ----a-w- c:\windows\unvise32.exe
2009-11-12 16:22:37 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-11-12 16:22:37 208896 ----a-w- c:\windows\system32\wpcap.dll
2009-11-12 16:22:36 57344 ----a-w- c:\windows\system32\packet.dll
2009-11-12 16:22:36 30336 ----a-w- c:\windows\system32\drivers\npf.sys
2009-11-12 16:22:13 0 d-----w- c:\program files\ExploreAnywhere
2009-11-12 11:03:50 118272 ----a-w- c:\windows\system32\maxekexp.dll
2009-11-11 15:46:48 0 d-----w- C:\Keylogger
2009-11-11 14:32:33 122880 --sha-r- c:\users\kaleb\appdata\roaming\poloc.exe
2009-11-11 14:31:40 60797 ----a-w- c:\users\kaleb\appdata\roaming\pl0x.exe
2009-11-11 08:56:42 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 08:56:31 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 18:10:39 0 d-----w- C:\House
2009-11-10 18:08:42 0 d-----w- C:\Arrested_Development
2009-11-10 15:18:14 0 d-----w- C:\Flowers
2009-11-10 15:15:30 0 d-----w- C:\Mind_Power
2009-11-09 00:19:57 0 d-----w- C:\AB's
2009-11-08 20:58:31 0 d-----w- C:\Little_Voice
2009-11-06 16:26:48 0 d-----w- C:\4_Christmases
2009-11-06 00:52:46 0 d-----w- C:\Iphone
2009-11-04 07:34:08 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-02 17:07:45 0 d-----w- C:\Grand_Designs
2009-11-01 14:46:07 0 d-----w- C:\Halloween
2009-10-30 22:48:39 124416 --sha-r- C:\svchosts.exe
2009-10-30 22:44:40 0 d-----w- c:\program files\Nero
2009-10-29 22:54:48 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-29 22:53:43 0 d-----w- c:\windows\SHELLNEW
2009-10-29 22:02:29 0 d-----w- C:\Office_07
2009-10-29 03:04:00 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 03:03:05 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 03:02:51 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-29 03:02:51 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-28 07:47:00 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 07:46:59 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 07:46:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 07:46:58 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 07:46:53 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 21:17:13 0 d-----w- C:\Mysterious_Skin
2009-10-27 20:50:15 1191951 ----a-w- C:\Lumley_Generic_PPT_AW_FORMAL_Hel.pptx
2009-10-25 18:37:30 0 d-----w- C:\The_Maiden_Heist
2009-10-19 21:05:47 0 d-----w- C:\Californication
2009-10-17 21:48:07 0 d-----w- C:\Music

==================== Find3M ====================

2009-11-14 12:03:37 45056 ----a-w- c:\windows\system32\acovcnt.exe
2009-11-12 18:46:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-15 15:21:08 124416 ----a-w- c:\windows\nero.exe
2009-10-14 11:15:58 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-14 11:15:49 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-05 07:42:12 16056 ----a-w- c:\windows\fonts\EdwardScissor Sans Negative.ttf
2009-10-05 07:42:12 15432 ----a-w- c:\windows\fonts\EdwardScissor Sans Positive.ttf
2009-10-04 13:53:42 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-10-04 12:50:35 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-04 12:50:34 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-04 12:50:33 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-27 21:02:18 9852 ----a-w- c:\windows\fonts\EdwardScissor Sans Negative.otf
2009-09-27 21:02:18 9692 ----a-w- c:\windows\fonts\EdwardScissor Sans Positive.otf
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:38:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02:34 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2008-12-11 03:24:25 174 --sha-w- c:\program files\desktop.ini
2008-08-17 15:19:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
1999-04-24 06:22:00 68871 --sha-r- c:\windows\configsetroot\DRVSPACE.BIN
1999-04-24 06:22:00 222390 --sha-r- c:\windows\configsetroot\IO.SYS
1999-05-06 06:22:00 1026 --sha-r- c:\windows\configsetroot\MSDOS.SYS
2000-06-21 20:22:56 0 --sha-w- c:\windows\configsetroot\dos\EBD.SYS

============= FINISH: 12:41:50.70 ===============

DDS zipped and attached also.

#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:51 AM

Posted 20 November 2009 - 08:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 21 November 2009 - 07:15 AM

Hi thanks for your reply.

This is a copy and paste from the first post I made. It has the symptoms I am experiencing and the steps I have taken to date to try and fix the problem.

Hi, the problem I am having is that browser windows are opening at random and certain pages I click on are being redirected to different sites. This problem started on Tuesday 10th November '09.

I have run Avast 4.8 Home Edition and it has returned a number of results all of which are now in the Virus Chest:

XXXX = users name.

C:\Windows\System32 - Win32:Rootkit-gen [Rtk]
C:\Users\XXXX\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XELGWGFM\3.01[1].exe - Win32:Trojan-gen
C:\Users\XXXX\AppData\Local\Temp\3.01.exe - Win32:Trojan-gen
I:\autorun.inf - BV:AutoRun-G [Wrm]
C:\$RECYCLE.BIN\S-1-5-21-837330612-2378831076-2722832470-1000\$R9SCR0K.exe - Win32:Malware-gen
C:\$RECYCLE.BIN\S-1-5-21-837330612-2378831076-2722832470-1000\$RLKSYZJ.exe - Win32:Malware-gen

I had turned off C:\ restore points then had Avast do a boot-time scan, after which I turned back on the restore points on C:\

I've now run HijackThis but need some interpretation of the results, plus any advice on how to clean my laptop. Thanks guys.

HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:07 a.m., on 13/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\System32\ASUSTPE.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\PING.EXE
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUSTPE] C:\Windows\system32\ASUSTPE.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nvdsp] C:\svchosts.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [{D78E3EB4-70A0-BA37-DC89-F4940E2F8C41}] C:\Users\Kaleb\AppData\Roaming\pl0x.exe
O4 - HKCU\..\Run: [nvdsp] C:\svchosts.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.inforiviera.it/new_webcam/AxisCamControl.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: ESET Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 10304 bytes

#5 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:51 PM

Posted 21 November 2009 - 07:35 AM

DDS log below as well as attachment:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Kaleb at 12:29:41.47 on Sat 21/11/2009
Internet Explorer: 7.0.6000.16916 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.64.1033.18.1919.840 [GMT 0:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! antivirus 4.8.1351 [VPS 091121-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1351 [VPS 091121-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Windows\System32\TUProgSt.exe
C:\Windows\System32\ACEngSvr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Windows\System32\ASUSTPE.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\FlashGet\flashget.exe
C:\Windows\System32\TuneUpDefragService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Kaleb\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/home.php?
uDefault_Page_URL = hxxp://www.asus.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.asus.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [{D78E3EB4-70A0-BA37-DC89-F4940E2F8C41}] c:\users\kaleb\appdata\roaming\pl0x.exe
uRun: [nvdsp] C:\svchosts.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ASUSTPE] c:\windows\system32\ASUSTPE.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ASUS Camera ScreenSaver] c:\windows\ASScrProlog.exe
mRun: [ASUS Screen Saver Protector] c:\windows\ASScrPro.exe
mRun: [PowerForPhone] c:\program files\powerforphone\PowerForPhone.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [nvdsp] C:\svchosts.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www4.snapfish.co.nz/SnapfishActivia.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://www.inforiviera.it/new_webcam/AxisCamControl.ocx
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {FJ2CBKNW-23CG-61IG-XBF3-0KVRO34F0IEN} - C:\svchosts.exe Restart
mASetup: ccc-core-static - msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb

================= FIREFOX ===================

FF - ProfilePath - c:\users\kaleb\appdata\roaming\mozilla\firefox\profiles\sdyeyxou.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 tblewdsk;tblewdsk;c:\windows\system32\drivers\tblewdsk.sys [2009-4-14 39296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-9 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-8-9 53328]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2006-12-11 24576]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-8-7 604488]
R3 Atc002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;c:\windows\system32\drivers\L260x86.sys [2006-12-13 25600]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2007-1-19 1324544]
R3 WCPU;WCPU;c:\program files\p4g\WCPU.sys [2007-4-3 11120]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-11-12 30336]
S4 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]

=============== Created Last 30 ================

2009-11-21 00:32:22 0 d-----w- C:\FNL
2009-11-20 17:42:06 0 d-----w- C:\M83
2009-11-20 13:56:10 0 d-----w- C:\Salton_Sea
2009-11-19 12:21:17 0 d-----w- C:\Hendrix
2009-11-18 21:32:28 0 d-----w- C:\Glee
2009-11-18 21:31:13 0 d-----w- C:\Modern_Family
2009-11-18 17:51:53 0 d-----w- C:\Editors
2009-11-18 17:50:14 0 d-----w- C:\Garbage
2009-11-18 16:16:48 0 d-----w- C:\Them_Crooked_Vultures
2009-11-18 10:50:45 0 d-----w- C:\GnR
2009-11-16 17:44:24 0 d-----w- C:\The_Prisoner
2009-11-13 16:21:15 581632 --sha-r- c:\users\kaleb\appdata\roaming\plugin.dat
2009-11-13 10:39:57 0 d-----w- c:\program files\Trend Micro
2009-11-13 10:20:57 0 d-----w- c:\program files\CCleaner
2009-11-12 16:22:37 90112 ----a-w- c:\windows\unvise32.exe
2009-11-12 16:22:37 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-11-12 16:22:37 208896 ----a-w- c:\windows\system32\wpcap.dll
2009-11-12 16:22:36 57344 ----a-w- c:\windows\system32\packet.dll
2009-11-12 16:22:36 30336 ----a-w- c:\windows\system32\drivers\npf.sys
2009-11-12 16:22:13 0 d-----w- c:\program files\ExploreAnywhere
2009-11-12 11:03:50 118272 ----a-w- c:\windows\system32\maxekexp.dll
2009-11-11 15:46:48 0 d-----w- C:\Keylogger
2009-11-11 14:32:33 122880 --sha-r- c:\users\kaleb\appdata\roaming\poloc.exe
2009-11-11 14:31:40 60797 ----a-w- c:\users\kaleb\appdata\roaming\pl0x.exe
2009-11-11 08:56:42 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 08:56:31 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 18:10:39 0 d-----w- C:\House
2009-11-10 18:08:42 0 d-----w- C:\Arrested_Development
2009-11-10 15:18:14 0 d-----w- C:\Flowers
2009-11-10 15:15:30 0 d-----w- C:\Mind_Power
2009-11-09 00:19:57 0 d-----w- C:\AB's
2009-11-08 20:58:31 0 d-----w- C:\Little_Voice
2009-11-06 16:26:48 0 d-----w- C:\4_Christmases
2009-11-06 00:52:46 0 d-----w- C:\Iphone
2009-11-04 07:34:08 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-02 17:07:45 0 d-----w- C:\Grand_Designs
2009-11-01 14:46:07 0 d-----w- C:\Halloween
2009-10-30 22:48:39 124416 --sha-r- C:\svchosts.exe
2009-10-30 22:44:40 0 d-----w- c:\program files\Nero
2009-10-29 22:54:48 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-29 22:53:43 0 d-----w- c:\windows\SHELLNEW
2009-10-29 22:02:29 0 d-----w- C:\Office_07
2009-10-29 03:04:00 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 03:03:05 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 03:02:51 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-29 03:02:51 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-28 07:47:00 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 07:46:59 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 07:46:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 07:46:58 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 07:46:53 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 21:17:13 0 d-----w- C:\Mysterious_Skin
2009-10-27 20:50:15 1191951 ----a-w- C:\Lumley_Generic_PPT_AW_FORMAL_Hel.pptx
2009-10-25 18:37:30 0 d-----w- C:\The_Maiden_Heist

==================== Find3M ====================

2009-11-14 12:03:37 45056 ----a-w- c:\windows\system32\acovcnt.exe
2009-11-12 18:46:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-15 15:21:08 124416 ----a-w- c:\windows\nero.exe
2009-10-14 11:15:58 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-14 11:15:49 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-05 07:42:12 16056 ----a-w- c:\windows\fonts\EdwardScissor Sans Negative.ttf
2009-10-05 07:42:12 15432 ----a-w- c:\windows\fonts\EdwardScissor Sans Positive.ttf
2009-10-04 13:53:42 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-10-04 12:50:35 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-04 12:50:34 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-04 12:50:33 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-27 21:02:18 9852 ----a-w- c:\windows\fonts\EdwardScissor Sans Negative.otf
2009-09-27 21:02:18 9692 ----a-w- c:\windows\fonts\EdwardScissor Sans Positive.otf
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:38:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02:34 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2008-12-11 03:24:25 174 --sha-w- c:\program files\desktop.ini
2008-08-17 15:19:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
1999-04-24 06:22:00 68871 --sha-r- c:\windows\configsetroot\DRVSPACE.BIN
1999-04-24 06:22:00 222390 --sha-r- c:\windows\configsetroot\IO.SYS
1999-05-06 06:22:00 1026 --sha-r- c:\windows\configsetroot\MSDOS.SYS
2000-06-21 20:22:56 0 --sha-w- c:\windows\configsetroot\dos\EBD.SYS

============= FINISH: 12:30:25.64 ===============

Attached Files
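The two logs above are read by hand in this thread, but the same checks can be scripted. The following triage script is an added example, not code from this thread or from the HijackThis or DDS tools: it parses HijackThis O4 lines and DDS Run, mASetup and file-listing lines and reports the placement patterns that make entries such as `C:\svchosts.exe` and `AppData\Roaming\pl0x.exe` stand out (executable in the drive root, executable in a user-writable profile directory, a name one character away from a Windows system binary, a Run value named with a GUID, a GUID that is not valid hex, hidden+system attributes on a file outside the Windows directory). The sample lines are copied from the logs posted above with a few benign entries added for contrast; the list of system binary names and the heuristics themselves are the script's own assumptions, not anything the helpers prescribe.

```python
"""Triage helper for HijackThis / DDS logs: flags autorun entries and file
listings that match placement patterns common to malware.  Heuristics only;
a reported line still needs a human verdict."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Line shapes we understand (HijackThis O4; DDS uRun/mRun, mASetup, file list).
HJT_O4 = re.compile(r'^O4 - (HK.*?)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
DDS_RUN = re.compile(r'^([um])Run: \[([^\]]+)\] (.+)$')
DDS_ASETUP = re.compile(r'^mASetup: (\{[^}]+\}) - (.+)$')
DDS_FILE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+([-a-z]{8})\s+(.+)$')
EXE_PATH = re.compile(r'"?([^"]+?\.exe)"?', re.IGNORECASE)
GUID = re.compile(r'^\{(\w{8})-(\w{4})-(\w{4})-(\w{4})-(\w{12})\}$')

# Assumed set of names worth a look-alike check; extend as needed.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches svchosts.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def guid_reasons(name: str, guid_is_normal: bool) -> list:
    """A GUID-named Run value is a red flag.  Active Setup keys are GUIDs by
    design, so there only a non-hex (made-up) GUID is reported."""
    m = GUID.match(name)
    if not m:
        return []
    reasons = []
    if not guid_is_normal:
        reasons.append("Run value named with a GUID instead of a product name")
    if not all(re.fullmatch(r'[0-9A-Fa-f]+', g) for g in m.groups()):
        reasons.append("GUID contains non-hex characters, so it is not a real CLSID")
    return reasons


def autorun_path_reasons(path: str) -> list:
    low = path.replace('/', '\\').lower()
    name = low.rsplit('\\', 1)[-1]
    reasons = []
    if re.match(r'^[a-z]:\\[^\\]+$', low):
        reasons.append("executable launched from the drive root")
    if '\\appdata\\roaming\\' in low or '\\appdata\\local\\temp\\' in low:
        reasons.append("launched from a user-writable profile directory")
    if name not in SYSTEM_BINARIES:
        for real in sorted(SYSTEM_BINARIES):
            if edit_distance(name, real) == 1:
                reasons.append(f"name mimics system binary {real}")
                break
    return reasons


def file_entry_reasons(attrs: str, path: str) -> list:
    """DDS attribute string such as '--sha-r-': d = directory, s = system, h = hidden."""
    low = path.replace('/', '\\').lower()
    if attrs.startswith('d') or not ('s' in attrs and 'h' in attrs):
        return []
    if low.startswith('c:\\windows\\') or low.endswith('\\desktop.ini'):
        return []
    return ["hidden+system attributes on a file outside the Windows directory"]


def analyze(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := HJT_O4.match(line)) or (m := DDS_RUN.match(line)):
            reasons += guid_reasons(m.group(2), guid_is_normal=False)
            if exe := EXE_PATH.match(m.group(3)):
                reasons += autorun_path_reasons(exe.group(1))
        elif m := DDS_ASETUP.match(line):
            reasons += guid_reasons(m.group(1), guid_is_normal=True)
            if exe := EXE_PATH.match(m.group(2)):
                reasons += autorun_path_reasons(exe.group(1))
        elif m := DDS_FILE.match(line):
            reasons += file_entry_reasons(m.group(1), m.group(2))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: lines copied from the logs posted above, plus benign
# entries (avast, Skype, acovcnt.exe, IO.SYS) that must not be reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nvdsp] C:\svchosts.exe
O4 - HKCU\..\Run: [{D78E3EB4-70A0-BA37-DC89-F4940E2F8C41}] C:\Users\Kaleb\AppData\Roaming\pl0x.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
mASetup: {FJ2CBKNW-23CG-61IG-XBF3-0KVRO34F0IEN} - C:\svchosts.exe Restart
2009-11-13 16:21:15 581632 --sha-r- c:\users\kaleb\appdata\roaming\plugin.dat
2009-11-11 14:32:33 122880 --sha-r- c:\users\kaleb\appdata\roaming\poloc.exe
2009-10-30 22:48:39 124416 --sha-r- C:\svchosts.exe
2009-11-14 12:03:37 45056 ----a-w- c:\windows\system32\acovcnt.exe
1999-04-24 06:22:00 222390 --sha-r- c:\windows\configsetroot\IO.SYS
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as-is it prints the six flagged lines from the sample with their reasons; feed it a whole log with `analyze(open(path).read())`. The Active Setup entry is the interesting one: Active Setup keys are normally GUID-named, so only the fact that `{FJ2CBKNW-...}` contains letters outside 0-9/A-F gives it away, in addition to the `svchosts.exe` path it relaunches on every logon.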



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:51 PM

Posted 22 November 2009 - 08:12 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Okay, first...

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either BitDefender or Avast.


Next

Can you run a RootRepeal scan for rootkits? I suspect there won't be anything there but we should rule it out first.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks :(
m0le is a proud member of UNITE

#7 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:51 PM

Posted 22 November 2009 - 08:30 PM

Hi - when I open rootrepeal from the desktop I get an error message: FOPS - DeviceIocontrol Error! Error code: 0xc0000024 Extended info (0x000000e0)

I click and the message goes away, then head to scan tab, check all seven boxes then c:/ drive and press scan.

Another error message: Could not initialize driver! Please contact the author!

I click ok then another message: Error Dumpting SDT: (0x0000024)!

Click ok again, scan appears to take place, then another error message: Attempt to read from address: 0x00000024

Click ok: DeviceIoConrol Error! Error Code = 0x0

Click on that and it closes the program.

Have downloaded from all three locations and the same thing happens each time.

Any ideas?

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:51 PM

Posted 23 November 2009 - 07:13 AM

There are two reasons for RootRepeal failure.


Let's run a similar program to see if that works.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks :(
m0le is a proud member of UNITE
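Once the gmer.log requested above comes back, its "System" section (SSDT and INT entries) can be triaged mechanically instead of by eye. The Python helper below is an added example, not GMER's code and not part of this thread; the vendor allow-list and the sample lines (constructed in GMER's output format, modelled on the avast! self-protection hooks such a log shows) are assumptions for illustration.

```python
"""Triage helper for the "System" section of a GMER rootkit log.

Added example: this is not GMER's code and not part of the forum thread.
The vendor allow-list and the sample log lines are assumptions for illustration;
the sample lines follow the format GMER prints for SSDT and INT entries.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# GMER prints one line per hooked System Service Descriptor Table entry:
#   SSDT <driver path> (<description>/<vendor>) <hooked Zw* function> [0x<handler address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)
# Interrupt descriptor table entries: INT 0x<vector> <owning module or ?> <handler address>
# GMER prints "?" when it cannot attribute the handler to any loaded module.
INT_RE = re.compile(r"^INT\s+0x(?P<vector>[0-9A-Fa-f]+)\s+(?P<owner>\S+)\s+(?P<addr>[0-9A-Fa-f]+)$")

# Vendors whose SSDT hooks are expected on a machine running their product.
# Constructed allow-list for this example; populate it from the products actually installed.
EXPECTED_VENDORS = {"ALWIL Software"}

# Constructed sample in GMER's format (avast! self-protection hooks plus
# unattributed INT handlers, as seen in logs like the one in this thread).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x8F50614C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x8F50608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x8F5060F0]

INT 0x51 ? 83FC5BF8
INT 0x62 ? 858B4BF8
INT 0x62 ? 858B4BF8
INT 0xA2 ? 83FC5BF8
"""


@dataclass
class Hook:
    kind: str      # "SSDT" or "INT"
    target: str    # hooked syscall name, or "INT 0x51" for an interrupt vector
    module: str    # driver path, or "?" when GMER could not attribute the handler
    vendor: str    # text after the last "/" in the description, "" if none
    address: int   # handler address as printed by GMER
    verdict: str   # SSDT: "expected" or "review"; INT: "attributed" or "unattributed"


def parse_gmer_hooks(log_text: str) -> List[Hook]:
    """Extract SSDT and INT entries; every other line type is ignored."""
    hooks: List[Hook] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            desc = m.group("desc")
            vendor = desc.rsplit("/", 1)[1].strip() if "/" in desc else ""
            # A hook from a vendor you knowingly installed is expected;
            # anything else hooking the SSDT deserves a manual look.
            verdict = "expected" if vendor in EXPECTED_VENDORS else "review"
            hooks.append(Hook("SSDT", m.group("func"), m.group("module"),
                              vendor, int(m.group("addr"), 16), verdict))
            continue
        m = INT_RE.match(line)
        if m:
            owner = m.group("owner")
            verdict = "unattributed" if owner == "?" else "attributed"
            hooks.append(Hook("INT", "INT 0x" + m.group("vector").upper(), owner,
                              "", int(m.group("addr"), 16), verdict))
    return hooks


def summarize(hooks: List[Hook]) -> Dict[str, object]:
    """Group the findings so a responder sees at a glance what needs attention."""
    by_module: Dict[str, List[str]] = {}
    for h in hooks:
        if h.kind == "SSDT":
            by_module.setdefault(h.module, []).append(h.target)
    return {
        "ssdt_by_module": by_module,
        "ssdt_to_review": [h.target for h in hooks if h.kind == "SSDT" and h.verdict == "review"],
        # Repeated INT vectors usually share one handler; report distinct addresses only.
        "int_unattributed_addresses": sorted(
            {"0x%08X" % h.address for h in hooks if h.verdict == "unattributed"}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_gmer_hooks(SAMPLE_LOG)).items():
        print(key, "->", value)
```

An "unattributed" INT handler means only that GMER could not map the address to a loaded module; it is a prompt to look closer, not a verdict on its own.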

#9 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:51 PM

Posted 23 November 2009 - 10:32 AM

Hi - was able to successfully save and run gmer.

Below are the results:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-23 15:30:15
Windows 6.0.6000
Running: 3ghskm65.exe; Driver: C:\Users\Kaleb\AppData\Local\Temp\uwroqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x8F50614C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x8F50608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x8F5060F0]

INT 0x51 ? 83FC5BF8
INT 0x62 ? 858B4BF8
INT 0x62 ? 858B4BF8
INT 0x62 ? 858B4BF8
INT 0x72 ? 858B4BF8
INT 0x72 ? 858B4BF8
INT 0x82 ? 858B4BF8
INT 0x92 ? 858B4BF8
INT 0x92 ? 858B4BF8
INT 0xA2 ? 83FC5BF8
INT 0xB2 ? 83FC5BF8

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwSetSystemEnvironmentValueEx + F8 826926D3 66 Bytes [FF, FF, B8, 61, 00, 00, C0, ...]
PAGE ntoskrnl.exe!ZwSetSystemEnvironmentValueEx + 13B 82692716 10 Bytes [11, C7, 45, FC, FE, FF, FF, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwEnumerateSystemEnvironmentValuesEx + 1E 8269289D 30 Bytes [00, 33, DB, 89, 5D, FC, 64, ...]
PAGE ntoskrnl.exe!ZwEnumerateSystemEnvironmentValuesEx + 3D 826928BC 1 Byte [0D]
PAGE ntoskrnl.exe!ZwEnumerateSystemEnvironmentValuesEx + 3D 826928BC 79 Bytes [0D, A4, 75, 52, 82, 3B, D1, ...]
PAGE ntoskrnl.exe!ZwEnumerateSystemEnvironmentValuesEx + 8D 8269290C 73 Bytes JMP 82692A6A \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwEnumerateSystemEnvironmentValuesEx + D7 82692956 27 Bytes [89, 5D, D8, 89, 5D, E0, 64, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwAddBootEntry + 12 82692A90 14 Bytes [C0, EB, 0D, FF, 75, 0C, FF, ...]
PAGE ntoskrnl.exe!ZwAddBootEntry + 21 82692A9F 1 Byte [00]
PAGE ntoskrnl.exe!ZwAddBootEntry + 21 82692A9F 4 Bytes [00, 5D, C2, 08]
PAGE ntoskrnl.exe!ZwAddBootEntry + 26 82692AA4 26 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
PAGE ntoskrnl.exe!ZwDeleteBootEntry + 10 82692ABF 11 Bytes [33, C4, 89, 44, 24, 20, 83, ...]
PAGE ntoskrnl.exe!ZwDeleteBootEntry + 1C 82692ACB 8 Bytes [02, 53, 56, 57, 74, 0A, B8, ...]
PAGE ntoskrnl.exe!ZwDeleteBootEntry + 26 82692AD5 103 Bytes JMP 82692C5E \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwDeleteBootEntry + 8E 82692B3D 2 Bytes [55, 4F] {PUSH EBP; DEC EDI}
PAGE ntoskrnl.exe!ZwDeleteBootEntry + 91 82692B40 25 Bytes [8B, C6, F0, 0F, BA, 30, 00, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwEnumerateBootEntries + 43 82692CF3 18 Bytes [8A, 80, E7, 00, 00, 00, 88, ...] {MOV AL, [EAX+0xe7]; MOV [EBP-0x48], AL; TEST AL, AL; JZ 0x66; MOV EDX, [EBP+0xc]; MOV EAX, EDX}
PAGE ntoskrnl.exe!ZwEnumerateBootEntries + 56 82692D06 145 Bytes [0D, A4, 75, 52, 82, 3B, D1, ...]
PAGE ntoskrnl.exe!ZwEnumerateBootEntries + E8 82692D98 14 Bytes [00, 89, 5D, BC, 89, 5D, C4, ...] {ADD [ECX+0x5d89bc5d], CL; LES ECX, DWORD [EBX+0x7589bc5d]; OR [EBX], DH}
PAGE ntoskrnl.exe!ZwEnumerateBootEntries + F7 82692DA7 37 Bytes [85, F6, 0F, 95, C0, 89, 45, ...]
PAGE ntoskrnl.exe!ZwEnumerateBootEntries + 11D 82692DCD 54 Bytes [55, 4F, 82, 8B, C6, F0, 0F, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryBootEntryOrder + 42 826931A3 262 Bytes [3B, D1, 72, 02, 8B, C1, 8B, ...]
PAGE ntoskrnl.exe!ZwQueryBootEntryOrder + 149 826932AA 39 Bytes [D0, 8B, C1, F0, 0F, B1, 16, ...]
PAGE ntoskrnl.exe!ZwQueryBootEntryOrder + 171 826932D2 5 Bytes [66, 3B, C3, 75, 15] {CMP AX, BX; JNZ 0x1a}
PAGE ntoskrnl.exe!ZwQueryBootEntryOrder + 177 826932D8 3 Bytes [41, 38, 39] {INC ECX; CMP [ECX], BH}
PAGE ntoskrnl.exe!ZwQueryBootEntryOrder + 17B 826932DC 189 Bytes [74, 0E, 66, 39, 99, 82, 00, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwSetBootEntryOrder + 2A 826933DA 60 Bytes [FF, FF, 3F, 76, 0A, B8, 0D, ...]
PAGE ntoskrnl.exe!ZwSetBootEntryOrder + 67 82693417 33 Bytes JMP 82693576 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetBootEntryOrder + 89 82693439 20 Bytes [FF, 8B, D0, 89, 55, E4, 3B, ...]
PAGE ntoskrnl.exe!ZwSetBootEntryOrder + 9E 8269344E 12 Bytes [7D, FC, 80, 7D, 0C, 00, 74, ...] {JGE 0xfffffffffffffffe; CMP BYTE [EBP+0xc], 0x0; JZ 0x2e; CMP ESI, EDI; JZ 0x2e}
PAGE ntoskrnl.exe!ZwSetBootEntryOrder + AB 8269345B 103 Bytes [4D, 08, F6, C1, 03, 74, 06, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryBootOptions + 24 826935E1 85 Bytes JMP 8269389F \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryBootOptions + 7A 82693637 22 Bytes [62, 6F, 82, FF, 35, 1C, 62, ...]
PAGE ntoskrnl.exe!ZwQueryBootOptions + 91 8269364E 16 Bytes [FF, FF, B8, 61, 00, 00, C0, ...]
PAGE ntoskrnl.exe!ZwQueryBootOptions + A3 82693660 29 Bytes [45, DC, 8B, 75, 08, 3B, F3, ...]
PAGE ntoskrnl.exe!ZwQueryBootOptions + C1 8269367E 6 Bytes [00, C0, 33, FF, 47, E9]
PAGE ...
PAGE ntoskrnl.exe!ZwSetBootOptions + 15 826938C7 36 Bytes [3D, B0, 57, 4F, 82, 02, 74, ...]
PAGE ntoskrnl.exe!ZwSetBootOptions + 3A 826938EC 51 Bytes [5D, 08, 84, C0, 74, 13, 8D, ...]
PAGE ntoskrnl.exe!ZwSetBootOptions + 6E 82693920 14 Bytes [00, 80, 7D, E0, 00, 74, 4B, ...] {ADD [EAX+0x7400e07d], AL; DEC EBX; CMP EAX, ESI; JZ 0x29; TEST BL, 0x3}
PAGE ntoskrnl.exe!ZwSetBootOptions + 7D 8269392F 113 Bytes CALL 82690DFA \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetBootOptions + EF 826939A1 20 Bytes [00, 00, 0F, 87, 6E, FF, FF, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryDriverEntryOrder + 18 82693AEB 34 Bytes JMP 82693D0E \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryDriverEntryOrder + 3B 82693B0E 17 Bytes [C2, 8B, 0D, A4, 75, 52, 82, ...] {RET 0xd8b; MOVSB ; JNZ 0x58; CMP BYTE [EBX], -0x2f; JB 0xd; MOV EAX, ECX; MOV ECX, [EAX]; MOV [EAX], ECX}
PAGE ntoskrnl.exe!ZwQueryDriverEntryOrder + 4D 82693B20 391 Bytes [02, C1, E0, 02, 89, 45, E4, ...]
PAGE ntoskrnl.exe!ZwQueryDriverEntryOrder + 1D5 82693CA8 99 Bytes [45, E4, C7, 45, FC, 01, 00, ...]
PAGE ntoskrnl.exe!ZwQueryDriverEntryOrder + 239 82693D0C 8 Bytes [FF, 8B, 45, D0, E8, 48, 2F, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwAddDriverEntry + 1D 82693D3F 63 Bytes CALL 82694E97 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwDeleteDriverEntry + 2C 82693D7F 5 Bytes [81, 7D, 08, FF, FF]
PAGE ntoskrnl.exe!ZwDeleteDriverEntry + 33 82693D86 331 Bytes [76, 0A, B8, 0D, 00, 00, C0, ...]
PAGE ntoskrnl.exe!ZwDeleteDriverEntry + 17F 82693ED2 10 Bytes [64, 8B, 0D, 24, 01, 00, 00, ...]
PAGE ntoskrnl.exe!ZwDeleteDriverEntry + 18A 82693EDD 42 Bytes [00, 00, 66, FF, 00, 0F, B7, ...]
PAGE ntoskrnl.exe!ZwDeleteDriverEntry + 1B5 82693F08 16 Bytes CALL 8246A618 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwModifyDriverEntry 82693F23 156 Bytes [8B, FF, 55, 8B, EC, 83, 3D, ...]
PAGE ntoskrnl.exe!ZwEnumerateDriverEntries + 6E 82693FC0 15 Bytes [33, F6, 89, 75, D4, 3B, F7, ...]
PAGE ntoskrnl.exe!ZwEnumerateDriverEntries + 7E 82693FD0 43 Bytes [F4, FF, FF, 75, B8, FF, 35, ...]
PAGE ntoskrnl.exe!ZwEnumerateDriverEntries + AA 82693FFC 2 Bytes [45, 0C]
PAGE ntoskrnl.exe!ZwEnumerateDriverEntries + AD 82693FFF 235 Bytes [30, 89, 75, D4, 3B, DF, 75, ...]
PAGE ntoskrnl.exe!ZwEnumerateDriverEntries + 199 826940EB 64 Bytes [41, FE, 8B, D0, 8B, C1, F0, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwSetDriverEntryOrder + 17 8269437A 6 Bytes [02, 74, 0A, B8, 02, 00] {ADD DH, [EDX+ECX-0x48]; ADD AL, [EAX]}
PAGE ntoskrnl.exe!ZwSetDriverEntryOrder + 1E 82694381 40 Bytes JMP 8269452A \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetDriverEntryOrder + 47 826943AA 24 Bytes [0C, 84, C0, 74, 22, FF, 75, ...]
PAGE ntoskrnl.exe!ZwSetDriverEntryOrder + 60 826943C3 12 Bytes [84, C0, 75, 0A, B8, 61, 00, ...]
PAGE ntoskrnl.exe!ZwSetDriverEntryOrder + 6D 826943D0 5 Bytes [00, 3B, DF, 0F, 84]
PAGE ...
PAGE ntoskrnl.exe!ZwTranslateFilePath + 3D 826945AC 14 Bytes [55, 08, 84, C0, 74, 13, 8D, ...]
PAGE ntoskrnl.exe!ZwTranslateFilePath + 4C 826945BB 6 Bytes [3B, C1, 72, 02, 8B, C1] {CMP EAX, ECX; JB 0x6; MOV EAX, ECX}
PAGE ntoskrnl.exe!ZwTranslateFilePath + 53 826945C2 21 Bytes [18, EB, 06, 8B, 45, 08, 8B, ...]
PAGE ntoskrnl.exe!ZwTranslateFilePath + 6A 826945D9 4 Bytes [FF, B8, 0D, 00]
PAGE ntoskrnl.exe!ZwTranslateFilePath + 6F 826945DE 50 Bytes CALL 82456C5C \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwOpenTimer + AE 8269725A 1 Byte [65]
PAGE ntoskrnl.exe!ZwOpenTimer + AE 8269725A 60 Bytes CALL 8165B826
PAGE ntoskrnl.exe!ZwQueryTimer + 18 82697297 19 Bytes JMP 826973C9 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryTimer + 2D 826972AC 58 Bytes [64, A1, 24, 01, 00, 00, 8A, ...]
PAGE ntoskrnl.exe!ZwQueryTimer + 68 826972E7 25 Bytes [4D, 18, 3B, CE, 74, 0F, A1, ...]
PAGE ntoskrnl.exe!ZwQueryTimer + 83 82697302 36 Bytes [FF, EB, 2D, 90, 90, 90, 90, ...]
PAGE ntoskrnl.exe!ZwQueryTimer + A8 82697327 71 Bytes JMP 826973C6 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwCreateEventPair + 40 8269743D 38 Bytes [2D, 90, 90, 90, 90, 90, 8B, ...]
PAGE ntoskrnl.exe!ZwCreateEventPair + 67 82697464 2 Bytes JMP 82697520 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwCreateEventPair + 6B 82697468 83 Bytes [8B, 75, 08, 8B, 45, D4, 89, ...]
PAGE ntoskrnl.exe!ZwCreateEventPair + BF 826974BC 55 Bytes [09, C6, 40, 14, 01, 88, 58, ...]
PAGE ntoskrnl.exe!ZwCreateEventPair + F7 826974F4 79 Bytes [00, 00, 8B, 45, DC, 89, 06, ...]
PAGE ntoskrnl.exe!ZwOpenEventPair + 11 82697544 5 Bytes [00, 8A, 98, E7, 00]
PAGE ntoskrnl.exe!ZwOpenEventPair + 17 8269754A 38 Bytes [00, 88, 5D, DC, 84, DB, 74, ...]
PAGE ntoskrnl.exe!ZwOpenEventPair + 3E 82697571 113 Bytes [EB, 2C, 90, 90, 90, 90, 90, ...]
PAGE ntoskrnl.exe!ZwOpenEventPair + B0 826975E3 1 Byte [65]
PAGE ntoskrnl.exe!ZwOpenEventPair + B0 826975E3 23 Bytes CALL 8165BBAF
PAGE ...
PAGE ntoskrnl.exe!ZwWaitHighEventPair + 17 82697688 5 Bytes [FC, 33, F6, 56, 8D]
PAGE ntoskrnl.exe!ZwWaitHighEventPair + 1D 8269768E 12 Bytes [F8, 50, FF, 75, FC, FF, 35, ...]
PAGE ntoskrnl.exe!ZwWaitHighEventPair + 2A 8269769B 22 Bytes [00, 10, 00, FF, 75, 08, E8, ...]
PAGE ntoskrnl.exe!ZwWaitHighEventPair + 41 826976B2 43 Bytes [75, F8, 6A, 0E, 8D, 46, 14, ...]
PAGE ntoskrnl.exe!ZwSetLowWaitHighEventPair + 4 826976DE 15 Bytes [EC, 51, 51, 64, A1, 24, 01, ...]
PAGE ntoskrnl.exe!ZwSetLowWaitHighEventPair + 14 826976EE 98 Bytes [57, 6A, 00, 8D, 45, F8, 50, ...]
PAGE ntoskrnl.exe!ZwSetHighWaitLowEventPair + D 82697752 5 Bytes [53, 8A, 98, E7, 00]
PAGE ntoskrnl.exe!ZwSetHighWaitLowEventPair + 13 82697758 14 Bytes [00, 57, 6A, 00, 8D, 45, F8, ...] {ADD [EDI+0x6a], DL; ADD [EBP-0x77af07bb], CL; POP EBP; CLD ; PUSH DWORD [EBP-0x4]}
PAGE ntoskrnl.exe!ZwSetHighWaitLowEventPair + 22 82697767 47 Bytes [35, 04, 70, 52, 82, 68, 00, ...]
PAGE ntoskrnl.exe!ZwSetHighWaitLowEventPair + 52 82697797 36 Bytes CALL 8246A377 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetLowEventPair + C 826977BC 28 Bytes [00, 8A, 80, E7, 00, 00, 00, ...]
PAGE ntoskrnl.exe!ZwSetLowEventPair + 29 826977D9 1 Byte [10]
PAGE ntoskrnl.exe!ZwSetLowEventPair + 29 826977D9 9 Bytes [10, 00, FF, 75, 08, E8, 78, ...]
PAGE ntoskrnl.exe!ZwSetLowEventPair + 33 826977E3 38 Bytes [8B, F8, 85, FF, 7C, 19, 56, ...]
PAGE ntoskrnl.exe!ZwSetLowEventPair + 5A 8269780A 4 Bytes [CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 }
PAGE ...
PAGE ntoskrnl.exe!ZwSetHighEventPair + 3 82697816 13 Bytes [8B, EC, 51, 51, 64, A1, 24, ...]
PAGE ntoskrnl.exe!ZwSetHighEventPair + 11 82697824 4 Bytes [00, 00, 57, 6A]
PAGE ntoskrnl.exe!ZwSetHighEventPair + 16 82697829 129 Bytes [88, 45, FC, 8D, 45, F8, 50, ...]
PAGE ntoskrnl.exe!ZwQueryMutant + 29 826978AB 9 Bytes CALL 82456C5B \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryMutant + 33 826978B5 4 Bytes [64, A1, 24, 01]
PAGE ntoskrnl.exe!ZwQueryMutant + 39 826978BB 74 Bytes [8A, 80, E7, 00, 00, 00, 88, ...]
PAGE ntoskrnl.exe!ZwQueryMutant + 84 82697906 62 Bytes [89, 45, DC, 33, C0, 40, C3, ...]
PAGE ntoskrnl.exe!ZwQueryMutant + C3 82697945 58 Bytes [8C, D2, 00, 00, 00, 39, 75, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateProfile + 7 82697A8E 25 Bytes CALL 82456C18 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwCreateProfile + 21 82697AA8 24 Bytes [00, 8B, 7D, 18, 3B, FB, 75, ...]
PAGE ntoskrnl.exe!ZwCreateProfile + 3A 82697AC1 120 Bytes [E0, 89, 5D, 10, 33, C9, 8B, ...]
PAGE ntoskrnl.exe!ZwCreateProfile + B3 82697B3A 80 Bytes [3B, C1, 72, 02, 8B, C1, 8B, ...]
PAGE ntoskrnl.exe!ZwCreateProfile + 104 82697B8B 9 Bytes [0A, B8, 61, 00, 00, C0, E9, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwStartProfile + 7 82697CCD 10 Bytes CALL 82456C18 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwStartProfile + 12 82697CD8 71 Bytes [8A, 80, E7, 00, 00, 00, 88, ...]
PAGE ntoskrnl.exe!ZwStartProfile + 5A 82697D20 84 Bytes CALL 824702A6 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwStartProfile + AF 82697D75 10 Bytes [C8, 8B, 57, 10, 8D, 8C, 11, ...]
PAGE ntoskrnl.exe!ZwStartProfile + BA 82697D80 92 Bytes JMP 0F760A91
PAGE ...
PAGE ntoskrnl.exe!ZwStopProfile + 44 82697ED9 36 Bytes CALL 82466F93 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwStopProfile + 69 82697EFE 9 Bytes [8B, C6, 5F, 5E, 5B, 8B, E5, ...]
PAGE ntoskrnl.exe!ZwStopProfile + 73 82697F08 31 Bytes CALL 824155CC \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwStopProfile + 93 82697F28 204 Bytes CALL 824702A8 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwQueryIntervalProfile + 7A 82697FF5 203 Bytes [84, DB, 74, 25, C7, 45, FC, ...]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 81 826980C1 2 Bytes CALL 82690DFC \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSystemDebugControl + 85 826980C5 8 Bytes [CC, 03, C3, 8B, 0D, A4, 75, ...]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 8E 826980CE 47 Bytes [3B, C1, 77, 04, 3B, C3, 73, ...]
PAGE ntoskrnl.exe!ZwSystemDebugControl + BE 826980FE 75 Bytes [C1, 8B, 08, 89, 08, EB, 06, ...]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 10A 8269814A 67 Bytes CALL 824AC593 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 34 8269846D 68 Bytes [A1, A4, 75, 52, 82, 3B, D8, ...]
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 7E 826984B7 2 Bytes [45, EC] {INC EBP; IN AL, DX }
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 81 826984BA 58 Bytes [00, 8B, 00, 89, 45, DC, E8, ...]
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + BC 826984F5 56 Bytes CALL 8165CAC1
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + F5 8269852E 24 Bytes [FF, 55, 8B, EC, 68, 50, 66, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwAcquireCMFViewOwnership + C 8269857A 100 Bytes [33, DB, 89, 5D, D4, 33, C0, ...]
PAGE ntoskrnl.exe!ZwAcquireCMFViewOwnership + 71 826985DF 103 Bytes CALL 82540240 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwAcquireCMFViewOwnership + D9 82698647 35 Bytes [D4, 2B, C8, 8B, 45, D8, 1B, ...]
PAGE ntoskrnl.exe!ZwAcquireCMFViewOwnership + FD 8269866B 7 Bytes [8B, 45, D8, A3, 84, 4E, 4F]
PAGE ntoskrnl.exe!ZwAcquireCMFViewOwnership + 105 82698673 5 Bytes [89, 35, 88, 4E, 4F]
PAGE ...
PAGE ntoskrnl.exe!ZwReleaseCMFViewOwnership + 48 8269877F 151 Bytes [01, FF, 35, 64, 4E, 4F, 82, ...]
PAGE ntoskrnl.exe!ZwReleaseCMFViewOwnership + E0 82698817 74 Bytes [4B, 04, 8B, C7, 25, FF, 0F, ...]
PAGE ntoskrnl.exe!ZwReleaseCMFViewOwnership + 12B 82698862 29 Bytes CALL 824359FD \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwReleaseCMFViewOwnership + 149 82698880 35 Bytes [00, 33, FF, 0B, C7, 74, 05, ...]
PAGE ntoskrnl.exe!ZwReleaseCMFViewOwnership + 16D 826988A4 53 Bytes [D9, FF, 0B, C2, 75, 0B, 39, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwGetMUIRegistryInfo + A 826990D9 11 Bytes [DB, FF, 33, DB, 88, 5D, E7, ...]
PAGE ntoskrnl.exe!ZwGetMUIRegistryInfo + 16 826990E5 6 Bytes [00, 38, 98, E7, 00, 00]
PAGE ntoskrnl.exe!ZwGetMUIRegistryInfo + 1D 826990EC 11 Bytes [75, 0A, BE, 01, 00, 00, C0, ...]
PAGE ntoskrnl.exe!ZwGetMUIRegistryInfo + 29 826990F8 99 Bytes [39, 1D, 40, 6E, 52, 82, 75, ...]
PAGE ntoskrnl.exe!ZwGetMUIRegistryInfo + 8D 8269915C 72 Bytes [FF, 75, AE, 39, 1D, 78, 4E, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwFlushInstallUILanguage + 1E 826994E1 7 Bytes [00, 00, 39, 1D, A4, 6A, 6F]
PAGE ntoskrnl.exe!ZwFlushInstallUILanguage + 26 826994E9 8 Bytes [74, 1A, 0F, B7, 0D, 9C, 6A, ...]
PAGE ntoskrnl.exe!ZwFlushInstallUILanguage + 2F 826994F2 39 Bytes [8B, 45, 08, 2B, C1, F7, D8, ...]
PAGE ntoskrnl.exe!ZwFlushInstallUILanguage + 57 8269951A 11 Bytes [00, C0, 8B, D0, 23, D1, 3B, ...]
PAGE ntoskrnl.exe!ZwFlushInstallUILanguage + 63 82699526 77 Bytes [00, 00, 64, A1, 24, 01, 00, ...]
PAGE ...
PAGELK ntoskrnl.exe!WheaRegisterErrSrcInitializer + 167 826AE16C 144 Bytes [74, 24, 24, 89, 47, 0C, 8B, ...]
PAGELK ntoskrnl.exe!WheaRegisterErrSrcInitializer + 1F8 826AE1FD 148 Bytes [DF, FF, A3, 08, 00, DF, FF, ...]
PAGELK ntoskrnl.exe!WheaRegisterErrSrcInitializer + 28D 826AE292 29 Bytes [C2, 04, 00, 90, 90, 90, 90, ...]
PAGELK ntoskrnl.exe!WheaRegisterErrSrcInitializer + 2AB 826AE2B0 175 Bytes [45, FC, C1, E1, 03, 03, C1, ...]
PAGELK ntoskrnl.exe!WheaRegisterErrSrcInitializer + 35B 826AE360 12 Bytes [78, 52, 82, 8A, 9E, 8C, 1F, ...] {JS 0x54; OR BYTE [EDX+0x1f8c9e], 0x0; MOVZX EAX, BL}
PAGELK ...
PAGELK ntoskrnl.exe!MmAllocatePagesForMdlEx + 1 826AEDE4 70 Bytes [FF, 55, 8B, EC, 83, E4, F8, ...]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdlEx + 48 826AEE2B 20 Bytes [E5, 5D, C2, 24, 00, 90, 90, ...]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdlEx + 5D 826AEE40 63 Bytes [0A, 89, 50, 0C, C7, 40, 08, ...]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdlEx + 9F 826AEE82 37 Bytes [90, 90, 8B, FF, 55, 8B, EC, ...]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdlEx + C5 826AEEA8 44 Bytes [75, 22, 8B, 45, 08, C7, 40, ...]
PAGELK ...
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification 826B0684 26 Bytes [8B, FF, 55, 8B, EC, 51, 51, ...]
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + 1B 826B069F 11 Bytes [11, 40, 82, 8B, 35, 20, 58, ...]
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + 27 826B06AB 37 Bytes [88, 45, FF, BB, 20, 58, 52, ...]
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + 4D 826B06D1 91 Bytes [6A, 00, FF, 75, 08, E8, 55, ...]
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + A9 826B072D 41 Bytes [81, 67, 1C, FF, F7, FF, FF, ...]
PAGELK ...
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 8 826B1746 15 Bytes [52, 82, 83, EC, 18, 53, 8B, ...]
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 18 826B1756 37 Bytes JMP 826B1994 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 3E 826B177C 21 Bytes [64, 8B, 35, 24, 01, 00, 00, ...]
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 54 826B1792 69 Bytes [4D, FC, 75, 0B, FF, 35, 30, ...]
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 9B 826B17D9 32 Bytes [20, 74, 0C, C7, 45, FC, 0A, ...]
PAGELK ...
PAGELK ntoskrnl.exe!RtlCompressBuffer + 19 826B1A01 75 Bytes [74, 07, B8, 5F, 02, 00, C0, ...]
PAGELK ntoskrnl.exe!RtlCompressBuffer + 66 826B1A4E 202 Bytes [C7, 00, 10, 80, 00, 00, 8B, ...]
PAGELK ntoskrnl.exe!RtlCompressBuffer + 131 826B1B19 92 Bytes [0C, 3B, C3, 72, DC, 8D, 43, ...]
PAGELK ntoskrnl.exe!RtlCompressBuffer + 18E 826B1B76 19 Bytes [85, C9, 75, 12, 8D, 48, FD, ...]
PAGELK ntoskrnl.exe!RtlCompressBuffer + 1A3 826B1B8B 48 Bytes [00, 83, F9, 01, 75, 12, 8D, ...]
PAGELK ...
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 82 826B3204 55 Bytes [10, 8B, 10, 83, CA, FF, F0, ...]
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + BA 826B323C 125 Bytes [85, C0, 74, 06, 50, E8, E4, ...]
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 138 826B32BA 7 Bytes [7C, 24, 0C, F7, 5C, 24, 0C] {JL 0x26; OR AL, 0xf7; POP ESP; AND AL, 0xc}
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 140 826B32C2 44 Bytes [44, 24, 0C, B9, C8, 8C, 50, ...]
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 16E 826B32F0 114 Bytes [74, 43, 8B, C8, 03, C7, 3D, ...]
PAGELK ...
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 55 826B6063 203 Bytes [04, 75, D5, 5F, 5E, 33, C0, ...]
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 121 826B612F 47 Bytes [0F, B6, C0, 89, 45, F0, A0, ...]
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 15A 826B6168 82 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 1AD 826B61BB 89 Bytes [00, 80, 0F, 82, F3, 00, 00, ...]
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 207 826B6215 38 Bytes [0A, 2B, CB, C6, 45, FF, 02, ...]
PAGELK ...
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + 45 826B8290 85 Bytes CALL 824BC657 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + 9B 826B82E6 41 Bytes [41, 14, 83, EC, 24, 3B, 05, ...]
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + C5 826B8310 45 Bytes [F8, 83, C1, 1C, 89, 7C, 24, ...]
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + F3 826B833E 156 Bytes [35, 00, 76, 52, 82, 0B, 35, ...]
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + 190 826B83DB 22 Bytes CALL 824365BD \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGELK ...
PAGELK ntoskrnl.exe!PoSetFixedWakeSource + 3A 826BB22D 6 Bytes [F7, 43, 14, 00, F0, FF]
PAGELK ntoskrnl.exe!PoSetFixedWakeSource + 41 826BB234 120 Bytes [0F, 31, 89, 45, F0, 89, 55, ...]
PAGELK ntoskrnl.exe!PoSetFixedWakeSource + BB 826BB2AE 15 Bytes [8B, F8, 85, FF, 75, 09, C7, ...] {MOV EDI, EAX; TEST EDI, EDI; JNZ 0xf; MOV DWORD [EBX+0x68], 0xc000009a; JMP 0x22}
PAGELK ntoskrnl.exe!PoSetFixedWakeSource + CB 826BB2BE 11 Bytes [75, 0C, C1, E6, 0C, 56, 57, ...]
PAGELK ntoskrnl.exe!PoSetFixedWakeSource + D7 826BB2CA 45 Bytes CALL 826BB389 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGELK ...
PAGELK ntoskrnl.exe!PoSetHiberRange + 24 826BB3AE 70 Bytes [FA, FF, 85, C0, 7D, 23, A1, ...]
PAGELK ntoskrnl.exe!PoSetHiberRange + 6B 826BB3F5 95 Bytes [18, 81, E1, FF, BF, FF, FF, ...]
PAGELK ntoskrnl.exe!PoSetHiberRange + CB 826BB455 39 Bytes [14, C1, E7, 0C, 29, 74, 24, ...]
PAGELK ntoskrnl.exe!PoSetHiberRange + F3 826BB47D 32 Bytes [18, 75, 14, FF, 44, 24, 10, ...]
PAGELK ntoskrnl.exe!PoSetHiberRange + 114 826BB49E 14 Bytes [20, 8B, 4D, 08, FF, 75, 0C, ...]
PAGELK ...
? System32\Drivers\spym.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8DA42FEB 5 Bytes JMP 858B41D8
.text aanh4gh0.SYS 8EEAE000 22 Bytes [8E, B1, 79, 82, 78, B0, 79, ...]
.text aanh4gh0.SYS 8EEAE017 45 Bytes [00, 99, 47, 48, 80, A4, 45, ...]
.text aanh4gh0.SYS 8EEAE045 49 Bytes [A4, 44, 82, A9, 02, 47, 82, ...]
.text aanh4gh0.SYS 8EEAE077 41 Bytes [82, A0, E6, 40, 82, 21, F4, ...]
.text aanh4gh0.SYS 8EEAE0A1 43 Bytes [5F, 43, 82, A0, 39, 44, 82, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 83FC45E0
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [87B31C4C] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [87B31CA0] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [87B016D6] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [87B01042] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [87B01800] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [87B010C0] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [87B0113E] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 83FC52D8
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 858B42D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [87B10E9C] \SystemRoot\System32\Drivers\spym.sys
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortWritePortUchar] 838EED3F
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 100D8BA5
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8EED10
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 8B108910
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 000CF491
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortMoveMemory] 04508900
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortReadPortUshort] 053C7980
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 560C558B
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C6127557
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D
IAT \SystemRoot\System32\Drivers\aanh4gh0.SYS[NTOSKRNL.exe!KeTickCount] 8B118920
IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 858A35A0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [743FFBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [743CB9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743BA31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [743BCBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743B8AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [743CCF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743B7D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743B7CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743B6A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7444C1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [743D7F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743B90CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [743C2179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743C21A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743C7F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743C7D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [743F83D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[12] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6C84DE6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00070002
IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00070000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8495F1F8

AttachedDevice \FileSystem\Ntfs \Ntfs tblewdsk.sys

Device \FileSystem\fastfat \FatCdrom 868161F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 83FC71F8
Device \Driver\usbohci \Device\USBPDO-0 858131F8
Device \Driver\sptd \Device\2857554726 spym.sys
Device \Driver\usbohci \Device\USBPDO-1 858131F8
Device \Driver\usbohci \Device\USBPDO-2 858131F8
Device \Driver\usbohci \Device\USBPDO-3 858131F8
Device \Driver\usbohci \Device\USBPDO-4 858131F8

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbehci \Device\USBPDO-5 857F71F8
Device \Driver\volmgr \Device\HarddiskVolume1 83FC71F8
Device \Driver\volmgr \Device\HarddiskVolume2 83FC71F8
Device \Driver\cdrom \Device\CdRom0 8580F1F8
Device \Driver\volmgr \Device\HarddiskVolume3 83FC71F8
Device \Driver\cdrom \Device\CdRom1 8580F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8495E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 8495E1F8
Device \Driver\atapi \Device\Ide\IdePort0 8495E1F8
Device \Driver\atapi \Device\Ide\IdePort1 8495E1F8
Device \Driver\atapi \Device\Ide\IdePort2 8495E1F8
Device \Driver\atapi \Device\Ide\IdePort3 8495E1F8
Device \Driver\volmgr \Device\HarddiskVolume4 83FC71F8
Device \Driver\cdrom \Device\CdRom2 8580F1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{F81A5D8E-A50A-430C-8B22-D8E0FD82D933} 85F4C1F8
Device \Driver\PCI_PNP0976 \Device\00000069 spym.sys
Device \Driver\netbt \Device\NetBt_Wins_Export 85F4C1F8
Device \Driver\Smb \Device\NetbiosSmb 85F1B1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{F9E91FCF-55CD-4686-A93E-05A8FB035EA2} 85F4C1F8
Device \Driver\iScsiPrt \Device\RaidPort0 858A51F8

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 858131F8
Device \Driver\usbohci \Device\USBFDO-1 858131F8
Device \Driver\usbohci \Device\USBFDO-2 858131F8
Device \Driver\usbohci \Device\USBFDO-3 858131F8
Device \Driver\usbohci \Device\USBFDO-4 858131F8
Device \Driver\usbehci \Device\USBFDO-5 857F71F8
Device \Driver\aanh4gh0 \Device\Scsi\aanh4gh01 8580C1F8
Device \Driver\aanh4gh0 \Device\Scsi\aanh4gh01Port5Path0Target0Lun0 8580C1F8
Device \Driver\aanh4gh0 \Device\Scsi\aanh4gh01Port5Path0Target1Lun0 8580C1F8
Device \FileSystem\fastfat \Fat 868161F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat tblewdsk.sys

Device \FileSystem\cdfs \Cdfs 868661F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xED 0xF6 0x9A 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF9 0x16 0x2B 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xD2 0xDF 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x7C 0xD2 0xDF 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB0 0xB4 0x6A 0x44 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xED 0xF6 0x9A 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF9 0x16 0x2B 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xD2 0xDF 0x2F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x7C 0xD2 0xDF 0x2F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB0 0xB4 0x6A 0x44 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\bifidde.dll 253952 bytes executable
File C:\Windows\System32\midixapp 0 bytes
File C:\Windows\System32\midixapp\01822A1FD3DB076DC4188CD0AD8A79DAEDEBEC44.vzf 5203853 bytes
File C:\Windows\System32\midixapp\12ED002D125899A7C181F19BB9B9DE04F8EECC45.vzf 14473 bytes
File C:\Windows\System32\midixapp\16AC9DDEF9D3DB37B3F4D69142CECDA1D19C3FD2.vzf 22410667 bytes
File C:\Windows\System32\midixapp\19D01D2D87E559E3392E070AE149FC194B73D6CA.vzf 707 bytes
File C:\Windows\System32\midixapp\27A20ABE1E1677E605B32AFDA69266F8FA2685F8.vzf 2981 bytes
File C:\Windows\System32\midixapp\28409CF6412A456F5538449F351365375569F4C5.vzf 4607805 bytes
File C:\Windows\System32\midixapp\4057205B052816AFFCB71C6277BF066FDF7451AE.vzf 12624708 bytes
File C:\Windows\System32\midixapp\44504DB45C033167407A3CB76FEED395822377D3.vzf 5129673 bytes
File C:\Windows\System32\midixapp\4524AD1AC57853773D501B9156FE14DE01F0F5B5.vzf 2994419 bytes
File C:\Windows\System32\midixapp\4952264099749828CB7C0C1A0AD038CDBEEA1400.vzf 7543582 bytes
File C:\Windows\System32\midixapp\5F2BD06811D69D70AEE80DE89EFA3322766806AF.vzf 197925 bytes
File C:\Windows\System32\midixapp\63BBE2E7772F309CA336942921B0F37332FE3221.vzf 462912 bytes
File C:\Windows\System32\midixapp\71A9C146F21037E8332608DBEB841A1E4575797B.vzf 23433420 bytes
File C:\Windows\System32\midixapp\80E689E0CE98ED9433D76C78070A106EDEC97961.vzf 1964467 bytes
File C:\Windows\System32\midixapp\8528958804A4B6BA55AFB652928858A62F42235F.vzf 7662889 bytes
File C:\Windows\System32\midixapp\9487BA4E42E8612EDAC4BB9A08100ABB61460FB1.vzf 12149769 bytes
File C:\Windows\System32\midixapp\95D7011E52F4C3B57B6FEDD3AF4FFD6DD582A2F3.vzf 170945 bytes
File C:\Windows\System32\midixapp\9C7BF5387B9482D6FC5BAF553F9DFC816C9C8420.vzf 3328797 bytes
File C:\Windows\System32\midixapp\9E7DFB5E34C096B36030D9461FC693580A8ABD39.vzf 33796 bytes
File C:\Windows\System32\midixapp\A92503356147B9A1DF07F15BDDAE7420CA9C3BA2.vzf 142257 bytes
File C:\Windows\System32\midixapp\BE09AA80B36A2B992DE42E96C3043E241951FE36.vzf 846647 bytes
File C:\Windows\System32\midixapp\C3DAAF0A5CA8584AB4AA7A1C68B46020F55D4DCB.vzf 8602253 bytes
File C:\Windows\System32\midixapp\CBAB8FC629516FFC2E50D88551F187A270526AD7.vzf 8442900 bytes
File C:\Windows\System32\midixapp\CDAD5E11C45E905EC91F97D36E60E0ADA3165B0B.vzf 2754989 bytes
File C:\Windows\System32\midixapp\CF5CA3EB62D463A0B4C724498A968DB0411A9BA0.vzf 1020911 bytes
File C:\Windows\System32\midixapp\DF2B4B8487DE48B1A2960B7D2C070963BB56B265.vzf 58191 bytes
File C:\Windows\System32\midixapp\E22359246A997C57281D2DF8617FF66843BC13EE.vzf 16722279 bytes
File C:\Windows\System32\midixapp\E4849E660FDCAD5368E66F1549F30403DB53B856.vzf 2314539 bytes
File C:\Windows\System32\midixapp\E67653F50C53F25FF5677370FA0535B24D5092EB.vzf 12763205 bytes
File C:\Windows\System32\midixapp\EC44B82C473FF07BE7379ACEB799B0DB8D28760C.vzf 1263169 bytes
File C:\Windows\System32\midixapp\EE3440D806B779E768E474E5F32A063EA5D1636C.vzf 8801899 bytes
File C:\Windows\System32\magoraud.dll 107 bytes
File C:\Windows\System32\micixtmp.dll 1806336 bytes executable
File C:\Windows\System32\sapucime.dll 159744 bytes executable
File C:\Windows\System32\setaljob.dll 17447 bytes
File C:\Windows\System32\vbaxibat.exe 10129408 bytes executable

---- EOF - GMER 1.0.15 ----

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:51 PM

Posted 23 November 2009 - 06:42 PM

Gmer is clean.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
m0le is a proud member of UNITE

#11 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 24 November 2009 - 05:16 AM

Hiya - ran combofix and saved it as comfix.exe as you said.

Took quite a long time to run - pretty much about 5 hours from install to reboot.

Attached is combofix.txt.

Also to note, a new folder was created called c:\Qoobox

It includes:

ComboFix-quarantined-files.txt
Add-Remove Programs.txt
SnapShot@2009-11-24_09.24.54.dat
Quarantine (folder)
BackEnv (folder)

Thanks

Attached Files



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:51 PM

Posted 24 November 2009 - 07:54 AM

That's normal, Combofix created that folder. :(

We need to run Combofix again but slightly differently now.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\bifidde.dll
c:\windows\system32\midixapp
c:\windows\system32\magoraud.dll
c:\windows\system32\sapucime.dll
c:\windows\system32\setaljob.dll
c:\windows\system32\vbaxibat.exe
c:\windows\system32\micixtmp.dll

MBR::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks :(
m0le is a proud member of UNITE
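The GMER "Files" section posted earlier in the thread and the CFScript block in this post share a simple relationship: each flagged path becomes one line under File::, and a flagged directory (midixapp) stands in for all of its children. The following script is an added example, not code from the thread or from GMER/ComboFix: it parses lines in GMER's File format from a constructed sample, collapses children under a listed directory, and renders the CFScript text in the form shown above. Which entries belong in that list is still the analyst's decision; the script only does the mechanical conversion.

```python
import re

# Constructed sample in the format of GMER's "Files" section (a few
# entries modelled on the log posted in this thread, not the full dump).
SAMPLE_GMER_FILES = r"""---- Files - GMER 1.0.15 ----

File C:\Windows\System32\bifidde.dll 253952 bytes executable
File C:\Windows\System32\midixapp 0 bytes
File C:\Windows\System32\midixapp\01822A1FD3DB076DC4188CD0AD8A79DAEDEBEC44.vzf 5203853 bytes
File C:\Windows\System32\midixapp\12ED002D125899A7C181F19BB9B9DE04F8EECC45.vzf 14473 bytes
File C:\Windows\System32\magoraud.dll 107 bytes
File C:\Windows\System32\vbaxibat.exe 10129408 bytes executable

---- EOF - GMER 1.0.15 ----
"""

# Path is matched non-greedily so paths containing spaces still parse;
# the trailing "executable" marker is optional.
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<exe> executable)?$")


def parse_gmer_files(log_text):
    """Return (path, size_bytes, is_executable) tuples from the Files section only."""
    entries = []
    in_files = False
    for line in log_text.splitlines():
        if line.startswith("---- "):
            # Section header or EOF marker: only stay active inside "Files".
            in_files = line.startswith("---- Files - GMER")
            continue
        if not in_files:
            continue
        m = FILE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size")), bool(m.group("exe"))))
    return entries


def collapse_to_directories(paths):
    """Drop any path that sits under another listed path, so a flagged
    directory is named once rather than once per child file."""
    keep = []
    # Sorting case-insensitively guarantees a directory precedes its children.
    for p in sorted(paths, key=str.lower):
        if not any(p.lower().startswith(k.lower() + "\\") for k in keep):
            keep.append(p)
    return keep


def build_cfscript(entries):
    """Render the CFScript block used in the thread: File:: list, then MBR::."""
    paths = collapse_to_directories([path for path, _, _ in entries])
    lines = ["File::"] + [p.lower() for p in paths] + ["", "MBR::", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(parse_gmer_files(SAMPLE_GMER_FILES)))
```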

#13 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 24 November 2009 - 09:50 AM

Afternoon,

I followed your instructions and the program ran much faster. Attached are the results.

Thanks

Attached Files



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:51 PM

Posted 24 November 2009 - 02:45 PM

That was Combofix removing the MBR rootkit :(

Can you now run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

If that's looking good we're almost there :(
m0le is a proud member of UNITE

#15 K_Town

K_Town
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 24 November 2009 - 03:33 PM

So I've been infected by the MBR rootkit - is that right?

I will run MBAM later this evening and hopefully have results for you in the morning.

Thanks



