
"hooked by service api" Image path WRkrn.sys

3 replies to this topic

#1 skibelle

Posted 27 August 2012 - 01:55 PM

Hello,
I am only moderately savvy with the computer, but I am able to read and follow instructions. I have in the past had Dos Alureon. I followed instructions from someone else's forum and it seemed to be taken care of. Then after auto update, Microsoft Security said Dos Alureon partially removed. Antimalware and Superantispyware do not find anything. My computer seems slower and because of my lack of expertise I am concerned. I ran Trend Micro Rootkit Buster. Am I infected? My system is Windows XP version 2002 svc pk 3. Webroot is my security and has never found anything (it ends Sept. 7). This is the log: Thank you ahead of time for your input.

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1061
| Computer Name: DON-BETTY
| OS version: 5.1-2600
| User Name: Administrator
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
MBR unsupported disk type
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAllocateVirtualMemory
Image Path : WRkrn.sys
OriginalHandler : 0x805a8ac2
CurrentHandler : 0xf71c3c60
ServiceNumber : 0x11
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAssignProcessToJobObject
Image Path : WRkrn.sys
OriginalHandler : 0x805d66a0
CurrentHandler : 0xf71c3e10
ServiceNumber : 0x13
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateThread
Image Path : WRkrn.sys
OriginalHandler : 0x805d1038
CurrentHandler : 0xf71c3e90
ServiceNumber : 0x35
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDebugActiveProcess
Image Path : WRkrn.sys
OriginalHandler : 0x80643a1c
CurrentHandler : 0xf71c3d10
ServiceNumber : 0x39
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteKey
Image Path : WRkrn.sys
OriginalHandler : 0x80624472
CurrentHandler : 0xf71c4530
ServiceNumber : 0x3f
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteValueKey
Image Path : WRkrn.sys
OriginalHandler : 0x80624642
CurrentHandler : 0xf71c4630
ServiceNumber : 0x41
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDuplicateObject
Image Path : WRkrn.sys
OriginalHandler : 0x805be010
CurrentHandler : 0xf71c3a70
ServiceNumber : 0x44
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenProcess
Image Path : WRkrn.sys
OriginalHandler : 0x805cb456
CurrentHandler : 0xf71c4250
ServiceNumber : 0x7a
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenSection
Image Path : WRkrn.sys
OriginalHandler : 0x805aa3f4
CurrentHandler : 0xf71c4360
ServiceNumber : 0x7d
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenThread
Image Path : WRkrn.sys
OriginalHandler : 0x805cb6e2
CurrentHandler : 0xf71c4120
ServiceNumber : 0x80
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwProtectVirtualMemory
Image Path : WRkrn.sys
OriginalHandler : 0x805b8426
CurrentHandler : 0xf71c3f20
ServiceNumber : 0x89
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetContextThread
Image Path : WRkrn.sys
OriginalHandler : 0x805d2c1a
CurrentHandler : 0xf71c3d90
ServiceNumber : 0xd5
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetValueKey
Image Path : WRkrn.sys
OriginalHandler : 0x80622548
CurrentHandler : 0xf71c4750
ServiceNumber : 0xf7
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSystemDebugControl
Image Path : WRkrn.sys
OriginalHandler : 0x80617faa
CurrentHandler : 0xf71c44d0
ServiceNumber : 0xff
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path : C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
OriginalHandler : 0x805d22d8
CurrentHandler : 0xaa0c6640
ServiceNumber : 0x101
ModuleName : SASKUTIL.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateThread
Image Path : WRkrn.sys
OriginalHandler : 0x805d24d2
CurrentHandler : 0xf71c3fa0
ServiceNumber : 0x102
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwWriteVirtualMemory
Image Path : WRkrn.sys
OriginalHandler : 0x805b43d4
CurrentHandler : 0xf71c4020
ServiceNumber : 0x115
ModuleName : WRkrn.sys
SDTType : 0x0
No hidden operating system service hooks found.

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.
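As an added example (not code from the thread, from Trend Micro, or from Webroot), here is a small Python triage script that parses RootkitBuster's [HOOKED_SERVICE_API] blocks and groups the hooked Zw* services by the driver that installed them, so a driver that is not a known security product stands out from ones like WRkrn.sys and SASKUTIL.SYS. The sample log is a constructed two-entry excerpt in the same layout as the post above, and the allow-list of vendor drivers is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the RootkitBuster "Service Win32 API Hook List" layout
# used in the post above (two of its entries, same field names and spacing).
SAMPLE_LOG = """[HOOKED_SERVICE_API]:
Service API : ZwOpenProcess
Image Path : WRkrn.sys
OriginalHandler : 0x805cb456
CurrentHandler : 0xf71c4250
ServiceNumber : 0x7a
ModuleName : WRkrn.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path : C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.SYS
OriginalHandler : 0x805d22d8
CurrentHandler : 0xaa0c6640
ServiceNumber : 0x101
ModuleName : SASKUTIL.SYS
SDTType : 0x0
No hidden operating system service hooks found."""

# Analyst-maintained allow-list (an assumption of this example, not RootkitBuster data).
KNOWN_SECURITY_DRIVERS = {"wrkrn.sys": "Webroot", "saskutil.sys": "SUPERAntiSpyware"}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")  # "Name : value" lines

def parse_hooks(text):
    """Return one dict per [HOOKED_SERVICE_API] block, keyed by field name."""
    hooks, current = [], None
    for line in text.splitlines():
        if line.strip() == "[HOOKED_SERVICE_API]:":
            current = {}
            hooks.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return hooks

def triage(hooks):
    """Group hooked syscalls by module; flag any module not on the allow-list."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["ModuleName"]].append(h["Service API"])
    report = {}
    for module, apis in by_module.items():
        vendor = KNOWN_SECURITY_DRIVERS.get(module.lower())
        verdict = "known security product" if vendor else "REVIEW: unknown hooking driver"
        report[module] = {"vendor": vendor, "apis": sorted(apis), "verdict": verdict}
    return report
```

Running `triage(parse_hooks(SAMPLE_LOG))` attributes every hook in the sample to a known vendor; a module absent from the allow-list gets the REVIEW verdict and is the one worth researching before assuming a rootkit.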

#2 narenxp

Posted 27 August 2012 - 01:58 PM

wrkrn.sys is a Webroot antivirus driver.

Trend Micro RootkitBuster detection is a false positive.

Good luck.

Edited by narenxp, 27 August 2012 - 02:05 PM.


#3 skibelle (Topic Starter)

Posted 27 August 2012 - 02:08 PM

Thank you. Thank you.

#4 narenxp

Posted 27 August 2012 - 02:08 PM

You're welcome :)
