
Got infected with SSDT hooks, help


7 replies to this topic

#1 a7medsalim

a7medsalim

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:32 AM

Posted 31 December 2014 - 03:40 AM

Got infected with SSDT hooks for a few months now and I'm sure about it. Can you please help?

They are slowing and blocking the internet connection. I used trials of many AVs (Kaspersky, Bitdefender) but it didn't help; it's still slow :(

Tell me where to start to remove them.




#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,482 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:32 AM

Posted 31 December 2014 - 05:52 PM

Welcome aboard

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.
NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed, scroll down.

  • Double-click mb3-setup-1878.1878-3.3.1.2183.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.



If you already have MBAM 2.0 installed:

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


How to get logs:
(Export log to save as txt)


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.



(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.


Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"


NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run, then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE. Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click [donate].
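As an added example (not part of this thread, and not the code of Security Check, FSS or MiniToolBox), the following PowerShell script reproduces the checks those tools report on, so their logs are easier to read: whether the Security Center, firewall, update, Defender and networking services are running, whether the binaries behind them carry a valid Authenticode signature, and what the hosts file and IE proxy settings contain. The service-to-binary pairs are an assumed mapping built from the file list FSS prints in its File Check on Windows 7.

```powershell
# Added example: a read-only, defender-side sanity check that mirrors what Farbar Service
# Scanner (FSS), Security Check and MiniToolBox report. Run from an elevated PowerShell prompt.
# The Name -> File pairs below are an assumed mapping based on the FSS "File Check" list.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Service or kernel driver name -> the binary FSS verifies for it (assumed mapping).
$checks = @(
    @{ Name = 'wscsvc';    File = "$sys32\wscsvc.dll";        Role = 'Security Center' }
    @{ Name = 'MpsSvc';    File = "$sys32\mpssvc.dll";        Role = 'Windows Firewall' }
    @{ Name = 'BFE';       File = "$sys32\bfe.dll";           Role = 'Base Filtering Engine' }
    @{ Name = 'wuauserv';  File = "$sys32\wuaueng.dll";       Role = 'Windows Update' }
    @{ Name = 'BITS';      File = "$sys32\qmgr.dll";          Role = 'Background Intelligent Transfer' }
    @{ Name = 'WinDefend'; File = "$env:ProgramFiles\Windows Defender\MpSvc.dll"; Role = 'Windows Defender' }
    @{ Name = 'VSS';       File = "$sys32\vssvc.exe";         Role = 'Volume Shadow Copy (System Restore)' }
    @{ Name = 'Winmgmt';   File = "$sys32\wbem\WMIsvc.dll";   Role = 'WMI' }
    @{ Name = 'Dhcp';      File = "$sys32\dhcpcore.dll";      Role = 'DHCP Client' }
    @{ Name = 'Dnscache';  File = "$sys32\dnsrslvr.dll";      Role = 'DNS Client' }
    @{ Name = 'nsi';       File = "$sys32\nsisvc.dll";        Role = 'Network Store Interface' }
    @{ Name = 'tcpip';     File = "$sys32\drivers\tcpip.sys"; Role = 'TCP/IP driver' }
    @{ Name = 'afd';       File = "$sys32\drivers\afd.sys";   Role = 'Winsock kernel driver' }
)

function Get-ServiceState {
    param([string]$Name)
    # Win32_BaseService covers both Win32 services and kernel drivers (tcpip, afd).
    $svc = Get-WmiObject -Query "SELECT Name,State,StartMode FROM Win32_BaseService WHERE Name='$Name'"
    if ($svc -eq $null) { return 'MISSING' }
    return "$($svc.State) ($($svc.StartMode))"
}

function Get-SignatureState {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        return "Valid - $($sig.SignerCertificate.Subject.Split(',')[0])"
    }
    # NotSigned on Windows 7 usually means catalog-signed (no embedded signature), not tampered;
    # HashMismatch or NotTrusted means the file no longer matches its signature.
    return [string]$sig.Status
}

$report = foreach ($c in $checks) {
    $state = Get-ServiceState -Name $c.Name
    $sig   = Get-SignatureState -Path $c.File
    $flag = ''
    if ($sig -match '^(HashMismatch|NotTrusted|FILE MISSING)') { $flag = 'CHECK' }
    elseif ($sig -match '^NotSigned')                          { $flag = 'VERIFY' }
    if ($state -notmatch '^Running')                           { $flag = 'CHECK' }
    New-Object PSObject -Property @{
        Flag = $flag; Role = $c.Role; Service = $c.Name; State = $state; Signature = $sig
    }
}
$report | Format-Table Flag, Role, Service, State, Signature -AutoSize

# MiniToolBox-style extras: active hosts-file entries and the current user's IE proxy settings.
$hostsPath = Join-Path $sys32 'drivers\etc\hosts'
$entries = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' })
"Hosts entries (non-comment lines): $($entries.Count)"
$entries

$proxy = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"IE ProxyEnable=$($proxy.ProxyEnable) ProxyServer=$($proxy.ProxyServer) AutoConfigURL=$($proxy.AutoConfigURL)"
```

On Windows 7, Get-AuthenticodeSignature cannot see catalog signatures, so many legitimate system DLLs will show NotSigned (flagged VERIFY) and should be confirmed with a catalog-aware tool such as FSS or Sysinternals sigcheck. Only HashMismatch, NotTrusted or a missing file is a direct tampering indicator.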


 


#3 a7medsalim

a7medsalim
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:32 AM

Posted 03 January 2015 - 10:05 AM

Here you go:


Results of screen317's Security Check version 0.99.93  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player 16.0.0.235  
 Mozilla Firefox (34.0.5)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbam.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7%
````````````````````End of Log``````````````````````



Farbar Service Scanner Version: 21-07-2014
Ran by finding nemo (administrator) on 03-01-2015 at 00:04:31
Running from "C:\Users\finding nemo\Downloads\Programs"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



MiniToolBox by Farbar  Version: 30-11-2014
Ran by finding nemo (administrator) on 03-01-2015 at 00:10:18
Running from "C:\Users\finding nemo\Downloads\Programs"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


========================= IP Configuration: ================================

Wireless Data Device Ethernet Adapter = Local Area Connection 3 (Connected)
Atheros AR5B91 Wireless Network Adapter = Wireless Network Connection (Media disconnected)
Atheros AR8132 PCI-E Fast Ethernet Controller (NDIS 6.20) = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add address name="Wireless Network Connection" address=192.168.137.1 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : findingnemo-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : LTE-MIFI

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : LTE-MIFI
   Description . . . . . . . . . . . : Wireless Data Device Ethernet Adapter
   Physical Address. . . . . . . . . : 00-A0-C6-00-00-00
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f547:8545:d879:6a0e%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.36(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, January 02, 2015 11:52:31 PM
   Lease Expires . . . . . . . . . . : Saturday, January 03, 2015 11:52:30 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 436248774
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-36-9D-E1-00-26-22-10-7D-93
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8132 PCI-E Fast Ethernet Controller (NDIS 6.20)
   Physical Address. . . . . . . . . : 00-26-22-10-7D-93
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR5B91 Wireless Network Adapter
   Physical Address. . . . . . . . . : 00-17-C4-A1-64-44
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{9B387577-F3E2-4603-A129-3AB54D39A404}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{0A184DA4-68C3-4536-A684-90A9560F5FAE}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:303f:3f03:3f57:fedb(Preferred)
   Link-local IPv6 Address . . . . . : fe80::303f:3f03:3f57:fedb%15(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.LTE-MIFI:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : LTE-MIFI
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  LTE-MIFI.LTE-MIFI
Address:  192.168.1.1

Name:    google.com
Addresses:  2a00:1450:4009:800::1004
      74.125.230.64
      74.125.230.68
      74.125.230.65
      74.125.230.72
      74.125.230.78
      74.125.230.70
      74.125.230.71
      74.125.230.73
      74.125.230.67
      74.125.230.69
      74.125.230.66


Pinging google.com [74.125.230.66] with 32 bytes of data:
Reply from 74.125.230.66: bytes=32 time=142ms TTL=50
Reply from 74.125.230.66: bytes=32 time=154ms TTL=50

Ping statistics for 74.125.230.66:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 142ms, Maximum = 154ms, Average = 148ms
Server:  LTE-MIFI.LTE-MIFI
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  64:ff9b::628b:b718
      64:ff9b::cebe:242d
      64:ff9b::628a:fd6d
      98.139.183.24
      206.190.36.45
      98.138.253.109


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=300ms TTL=47
Reply from 206.190.36.45: bytes=32 time=302ms TTL=47

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 300ms, Maximum = 302ms, Average = 301ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...00 a0 c6 00 00 00 ......Wireless Data Device Ethernet Adapter
 12...00 26 22 10 7d 93 ......Atheros AR8132 PCI-E Fast Ethernet Controller (NDIS 6.20)
 11...00 17 c4 a1 64 44 ......Atheros AR5B91 Wireless Network Adapter
  1...........................Software Loopback Interface 1
 36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.36     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.36    276
     192.168.1.36  255.255.255.255         On-link      192.168.1.36    276
    192.168.1.255  255.255.255.255         On-link      192.168.1.36    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.36    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.36    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 15     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 15     58 2001::/32                On-link
 15    306 2001:0:5ef5:79fb:303f:3f03:3f57:fedb/128
                                    On-link
 14    276 fe80::/64                On-link
 15    306 fe80::/64                On-link
 15    306 fe80::303f:3f03:3f57:fedb/128
                                    On-link
 14    276 fe80::f547:8545:d879:6a0e/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    306 ff00::/8                 On-link
 14    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/02/2015 11:53:45 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 11:35:17 PM) (Source: Application Error) (User: )
Description: Faulting application name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Faulting module name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Exception code: 0xc0000005
Fault offset: 0x000011aa
Faulting process id: 0x1214
Faulting application start time: 0xpzwr98vp.exe0
Faulting application path: pzwr98vp.exe1
Faulting module path: pzwr98vp.exe2
Report Id: pzwr98vp.exe3

Error: (01/02/2015 11:34:38 PM) (Source: Application Error) (User: )
Description: Faulting application name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Faulting module name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Exception code: 0xc0000005
Fault offset: 0x000011aa
Faulting process id: 0x10a8
Faulting application start time: 0xpzwr98vp.exe0
Faulting application path: pzwr98vp.exe1
Faulting module path: pzwr98vp.exe2
Report Id: pzwr98vp.exe3

Error: (01/02/2015 11:27:14 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 10:09:12 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 09:13:50 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 09:04:25 PM) (Source: Application Error) (User: )
Description: Faulting application name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Faulting module name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Exception code: 0xc0000005
Fault offset: 0x000011aa
Faulting process id: 0xecc
Faulting application start time: 0xpzwr98vp.exe0
Faulting application path: pzwr98vp.exe1
Faulting module path: pzwr98vp.exe2
Report Id: pzwr98vp.exe3

Error: (01/02/2015 09:03:59 PM) (Source: Application Error) (User: )
Description: Faulting application name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Faulting module name: pzwr98vp.exe, version: 2.1.19357.0, time stamp: 0x52e7ea83
Exception code: 0xc0000005
Fault offset: 0x000011aa
Faulting process id: 0x1180
Faulting application start time: 0xpzwr98vp.exe0
Faulting application path: pzwr98vp.exe1
Faulting module path: pzwr98vp.exe2
Report Id: pzwr98vp.exe3

Error: (01/02/2015 01:19:57 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 11:48:41 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (01/02/2015 10:07:46 PM) (Source: BugCheck) (User: )
Description: 0x00000050 (0xfffffa80fdd8a835, 0x0000000000000000, 0xfffff80002b93a71, 0x0000000000000005)C:\Windows\MEMORY.DMP010215-28080-01

Error: (01/02/2015 10:07:37 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 10:06:15 PM on ?1/?2/?2015 was unexpected.

Error: (01/02/2015 10:02:11 PM) (Source: ipnathlp) (User: )
Description:

Error: (01/02/2015 10:02:07 PM) (Source: ipnathlp) (User: )
Description: 0.0.0.0

Error: (01/02/2015 10:01:55 PM) (Source: ipnathlp) (User: )
Description:

Error: (01/02/2015 06:41:48 PM) (Source: ipnathlp) (User: )
Description:

Error: (01/02/2015 06:41:32 PM) (Source: ipnathlp) (User: )
Description:

Error: (01/02/2015 06:41:32 PM) (Source: ipnathlp) (User: )
Description:

Error: (01/02/2015 11:59:35 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Windows 7 for x64-based Systems (KB2847077).

Error: (01/02/2015 11:59:35 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706be: Windows Malicious Software Removal Tool x64 - December 2014 (KB890830).


Microsoft Office Sessions:
=========================
Error: (01/02/2015 11:53:45 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 11:35:17 PM) (Source: Application Error)(User: )
Description: pzwr98vp.exe2.1.19357.052e7ea83pzwr98vp.exe2.1.19357.052e7ea83c0000005000011aa121401d026cb999334c0C:\Users\finding nemo\Downloads\Programs\pzwr98vp.exeC:\Users\finding nemo\Downloads\Programs\pzwr98vp.exedc6972f4-92be-11e4-8f3b-00a0c6000000

Error: (01/02/2015 11:34:38 PM) (Source: Application Error)(User: )
Description: pzwr98vp.exe2.1.19357.052e7ea83pzwr98vp.exe2.1.19357.052e7ea83c0000005000011aa10a801d026cb82aebba1C:\Users\finding nemo\Downloads\Programs\pzwr98vp.exeC:\Users\finding nemo\Downloads\Programs\pzwr98vp.exec536d8af-92be-11e4-8f3b-00a0c6000000

Error: (01/02/2015 11:27:14 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 10:09:12 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 09:13:50 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 09:04:25 PM) (Source: Application Error)(User: )
Description: pzwr98vp.exe2.1.19357.052e7ea83pzwr98vp.exe2.1.19357.052e7ea83c0000005000011aaecc01d026b686a36c21C:\Users\finding nemo\Downloads\Programs\pzwr98vp.exeC:\Users\finding nemo\Downloads\Programs\pzwr98vp.exec8e57d68-92a9-11e4-97f5-002622107d93

Error: (01/02/2015 09:03:59 PM) (Source: Application Error)(User: )
Description: pzwr98vp.exe2.1.19357.052e7ea83pzwr98vp.exe2.1.19357.052e7ea83c0000005000011aa118001d026b66f6d0771C:\Users\finding nemo\Downloads\Programs\pzwr98vp.exeC:\Users\finding nemo\Downloads\Programs\pzwr98vp.exeb96b919d-92a9-11e4-97f5-002622107d93

Error: (01/02/2015 01:19:57 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/02/2015 11:48:41 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003



=========================== Installed Programs ============================
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
LTE Hotspot 1.0.0.0 (HKLM-x32\...\LTE Hotspot 1.0.0.0) (Version: 1.0.0.0 - )
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 34.0.5 - Mozilla)
MPC-HC 1.7.7 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.7 - MPC-HC Team)
Virtual Router Plus (HKLM-x32\...\{0AEE4D51-3657-4F40-A689-533429CAEE0C}) (Version: 2.6.0 - Runxia Electronics)
WinRAR 5.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.20.0 - win.rar GmbH)
Zain Broadband (HKLM-x32\...\{3C4CCAD4-9259-460B-9B55-65DBB4CFEB75}) (Version: 1.0.19 - COMPANY)

========================= Devices: ================================

Name: Video WebCam
Description: USB Video Device
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Microsoft
Service: usbvideo
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 51%
Total physical RAM: 3001.98 MB
Available physical RAM: 1448.76 MB
Total Pagefile: 6002.13 MB
Available Pagefile: 4294.26 MB
Total Virtual: 4095.88 MB
Available Virtual: 3978.65 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:96.68 GB) (Free:71.11 GB) NTFS

========================= Users: ========================================

User accounts for \\FINDINGNEMO-PC

Administrator            finding nemo             Guest                    

========================= Restore Points ==================================

01-01-2015 19:12:25 Windows Update
02-01-2015 00:00:14 Windows Update
02-01-2015 08:58:58 Windows Update
02-01-2015 10:24:06 Windows Update

**** End of log ****




Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/3/2015
Scan Time: 12:13:22 AM
Logfile: mbam.txt
Administrator: No

Version: 2.00.4.1028
Malware Database: v2015.01.02.08
Rootkit Database: v2014.12.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: finding nemo

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312398
Time Elapsed: 9 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



Had to run in safe mode because it said it can't load the DDA driver due to rootkit activity; the restart failed too.




Malwarebytes Anti-Rootkit BETA 1.08.2.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 11.0.9600.16428

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3147800576, free: 2338205696

Could not load protection driver
=======================================
Initializing...
------------ Kernel report ------------
     01/03/2015 01:06:28
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80032d7240
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa8002e0b060
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80032d7240, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80032d8b20, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80032d7240, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8002d85520, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8002e0b060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: AAF6AAF6

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 202747904

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished



Rkill 2.6.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/03/2015 01:18:48 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 01/03/2015 01:20:29 AM
Execution time: 0 hours(s), 1 minute(s), and 40 seconds(s)





RogueKiller log: (I'm pretty sure I found two red-marked entries and yellow ones in the Anti-Rootkit tab a couple of scans before this one)

RogueKiller V10.1.1.0 (x64) [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : finding nemo [Administrator]
Mode : Delete -- Date : 01/03/2015  01:35:47

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kxrcrpoc -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kxrcrpoc -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 ATA Device +++++
--- User ---
[MBR] 150820921488a634184027a1c6231c24
[BSP] d8866f2a02f0bc853c16bd01f3682f6d : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 98998 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_01012015_162209.log - RKreport_DEL_01012015_162236.log - RKreport_DEL_01012015_162553.log - RKreport_DEL_01022015_191939.log
RKreport_DEL_01022015_233410.log - RKreport_DEL_01022015_233457.log - RKreport_DEL_01022015_233642.log - RKreport_DEL_01032015_004548.log
RKreport_SCN_01012015_162137.log - RKreport_SCN_01012015_162253.log - RKreport_SCN_01012015_162547.log - RKreport_SCN_01012015_162915.log
RKreport_SCN_01012015_195617.log - RKreport_SCN_01012015_195859.log - RKreport_SCN_01022015_191838.log - RKreport_SCN_01022015_205700.log
RKreport_SCN_01022015_233249.log - RKreport_SCN_01032015_004242.log - RKreport_SCN_01032015_013130.log - RKreport_SCN_01032015_013528.log





# AdwCleaner v4.106 - Report created 02/01/2015 at 21:10:54
# Updated 21/12/2014 by Xplode
# Database : 2015-01-01.1 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : finding nemo - FINDINGNEMO-PC
# Running from : C:\Users\finding nemo\Downloads\Programs\AdwCleaner_2.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}
Key Deleted : HKLM64\SOFTWARE\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}
Key Deleted : HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}




Most of these registry keys come back on reboot, and I'm sure I spotted kernel hooks and keyloggers in RogueKiller before.

GMER partial log:

GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2015-01-03 02:16:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298.09GB
Running: pzwr98vp.exe; Driver: C:\Users\FINDIN~1\AppData\Local\Temp\kxrcrpoc.sys


---- System - GMER 2.1 ----

SSDT  ZwMapUserPhysicalPages                              fffff80002ee34c0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwMapUserPhysicalPagesScatter                       fffff80002ee2cb0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwMapViewOfSection                                  fffff80002dea8c0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwModifyBootEntry                                   fffff80002f16040 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwModifyDriverEntry                                 fffff80002f15da0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwNotifyChangeDirectoryFile                         fffff80002d34d70 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwNotifyChangeKey                                   fffff80002d838d4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwNotifyChangeMultipleKeys                          fffff80002d83014 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwNotifyChangeSession                               fffff80002efbb00 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenDirectoryObject                               fffff80002deb7d4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenEnlistment                                    fffff80002ef3ee0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenEvent                                         fffff80002db0574 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenEventPair                                     fffff80002eb9db0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenFile                                          fffff80002db7d80 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenIoCompletion                                  fffff80002eb9a30 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenJobObject                                     fffff80002eb9f20 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenKey                                           fffff80002da88d0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenKeyEx                                         fffff80002d9fc60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenKeyTransacted                                 fffff80002ef78f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenKeyTransactedEx                               fffff80002d5763c \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenKeyedEvent                                    fffff80002eb9d00 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenMutant                                        fffff80002deace4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenObjectAuditAlarm                              fffff80002ef8830 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenPrivateNamespace                              fffff80002d658bc \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenProcess                                       fffff80002da12d0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenProcessToken                                  fffff80002d73b00 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenProcessTokenEx                                fffff80002da9c40 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenResourceManager                               fffff80002df1998 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenSection                                       fffff80002deac60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenSemaphore                                     fffff80002d36ad0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenSession                                       fffff80002eb99a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenSymbolicLinkObject                            fffff80002d73bf0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenThread                                        fffff80002dc146c \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenThreadToken                                   fffff80002da2314 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenThreadTokenEx                                 fffff80002da1d70 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenTimer                                         fffff80002eb9e70 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenTransaction                                   fffff80002ef3c40 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenTransactionManager                            fffff80002ef6b30 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPlugPlayControl                                   fffff80002d92a94 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPowerInformation                                  fffff80002d89efc \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPrePrepareComplete                                fffff80002efd620 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPrePrepareEnlistment                              fffff80002f24100 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPrepareComplete                                   fffff80002efd6d0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPrepareEnlistment                                 fffff80002f241b0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPrivilegeCheck                                    fffff80002d66a94 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPrivilegeObjectAuditAlarm                         fffff80002ef9020 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPrivilegedServiceAuditAlarm                       fffff80002d37d74 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPropagationComplete                               fffff80002f2a630 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPropagationFailed                                 fffff80002efb650 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwProtectVirtualMemory                              fffff80002de94f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwPulseEvent                                        fffff80002d3325c \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryAttributesFile                               fffff80002da9e20 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryBootEntryOrder                               fffff80002f31170 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryBootOptions                                  fffff80002ec4ca0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryDebugFilterState                             fffff80002b08e20 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwQueryDefaultLocale                                fffff80002d7b924 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryDefaultUILanguage                            fffff80002e7f490 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryDirectoryFile                                fffff80002db8450 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryDirectoryObject                              fffff80002deb224 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryDriverEntryOrder                             fffff80002f30ed0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryEaFile                                       fffff80002f39520 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryEvent                                        fffff80002d66cd8 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryFullAttributesFile                           fffff80002d5f9e4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationAtom                              fffff80002ec6a10 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationEnlistment                        fffff80002ef21a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationFile                              fffff80002daca90 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationJobObject                         fffff80002f13750 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationPort                              fffff80002ea2e00 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationProcess                           fffff80002de18c0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationResourceManager                   fffff80002ef1870 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationThread                            fffff80002dbc6cc \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationToken                             fffff80002d94520 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationTransaction                       fffff80002ef1ae0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationTransactionManager                fffff80002df1508 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryInformationWorkerFactory                     fffff80002bec1a0 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwQueryInstallUILanguage                            fffff80002d8c290 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryIntervalProfile                              fffff80002e510a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryIoCompletion                                 fffff80002ee7120 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryKey                                          fffff80002d9e2b0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryLicenseValue                                 fffff80002db3bd8 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryMultipleValueKey                             fffff80002d824f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryMutant                                       fffff80002ee76a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryObject                                       fffff80002dafc60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryOpenSubKeys                                  fffff80002f1ef20 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryOpenSubKeysEx                                fffff80002f1eb30 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryPerformanceCounter                           fffff80002d7e4f8 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryPortInformationProcess                       fffff80002e3f3c0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryQuotaInformationFile                         fffff80002f38830 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySection                                      fffff80002dedca0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySecurityAttributesToken                      fffff80002d92898 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySecurityObject                               fffff80002d61da0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySemaphore                                    fffff80002ee7850 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySymbolicLinkObject                           fffff80002d78710 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySystemEnvironmentValue                       fffff80002f16410 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySystemEnvironmentValueEx                     fffff80002f3aa30 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySystemInformation                            fffff80002ddae20 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySystemInformationEx                          fffff80002db1510 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQuerySystemTime                                   fffff80002ee2cb0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryTimer                                        fffff80002ee7530 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryTimerResolution                              fffff80002d35380 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryValueKey                                     fffff80002d9f4a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryVirtualMemory                                fffff80002da88f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryVolumeInformationFile                        fffff80002de5650 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueueApcThread                                    fffff80002db3bac \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueueApcThreadEx                                  fffff80002db3a70 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRaiseException                                    fffff80002ad0880 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwRaiseHardError                                    fffff80002f032f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReadFile                                          fffff80002db8720 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReadFileScatter                                   fffff80002d37240 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReadOnlyEnlistment                                fffff80002efd570 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReadRequestData                                   fffff80002f387b0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReadVirtualMemory                                 fffff80002d74550 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRecoverEnlistment                                 fffff80002f230a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRecoverResourceManager                            fffff80002d55178 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRecoverTransactionManager                         fffff80002d54d58 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRegisterProtocolAddressInformation                fffff80002f2a740 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRegisterThreadTerminatePort                       fffff80002ee80d0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReleaseKeyedEvent                                 fffff80002db64ec \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReleaseMutant                                     fffff80002dc5164 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReleaseSemaphore                                  fffff80002d839b0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReleaseWorkerFactoryWorker                        fffff80002aba38c \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwRemoveIoCompletion                                fffff80002d89d50 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRemoveIoCompletionEx                              fffff80002d6bda8 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRemoveProcessDebug                                fffff80002ee73c0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRenameKey                                         fffff80002f25490 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRenameTransactionManager                          fffff80002f13580 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReplaceKey                                        fffff80002f51b40 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReplacePartitionUnit                              fffff80002bfab20 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwReplyPort                                         fffff80002eb2a50 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReplyWaitReceivePort                              fffff80002de4644 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReplyWaitReceivePortEx                            fffff80002de4660 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwReplyWaitReplyPort                                fffff80002ec2cf0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRequestPort                                       fffff80002dc1614 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRequestWaitReplyPort                              fffff80002de4040 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwResetEvent                                        fffff80002ee7a10 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwResetWriteWatch                                   fffff80002a74074 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwRestoreKey                                        fffff80002f51e20 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwResumeProcess                                     fffff80002f205b0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwResumeThread                                      fffff80002dbfe60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRollbackComplete                                  fffff80002efb6f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRollbackEnlistment                                fffff80002f1c3f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRollbackTransaction                               fffff80002f22740 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwRollforwardTransactionManager                     fffff80002f24260 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSaveKey                                           fffff80002f4fd90 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSaveKeyEx                                         fffff80002f4fae0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSaveMergedKeys                                    fffff80002f4f910 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSecureConnectPort                                 fffff80002d79ad0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSerializeBoot                                     fffff80002ea6c20 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetBootEntryOrder                                 fffff80002f15e00 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetBootOptions                                    fffff80002ec7070 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetContextThread                                  fffff80002d23760 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetDebugFilterState                               fffff80002ea2fd0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetDefaultHardErrorPort                           fffff80002ea7160 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetDefaultLocale                                  fffff80002e7f510 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetDefaultUILanguage                              fffff80002e80bf0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetDriverEntryOrder                               fffff80002f15b60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetEaFile                                         fffff80002f390a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetEvent                                          fffff80002db7cb4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetEventBoostPriority                             fffff80002ee7990 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetHighEventPair                                  fffff80002efa9f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetHighWaitLowEventPair                           fffff80002efb1a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationDebugObject                         fffff80002ef7720 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationEnlistment                          fffff80002ef70f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationFile                                fffff80002dad3e0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationJobObject                           fffff80002f1f240 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationKey                                 fffff80002d6ef70 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationObject                              fffff80002d693c8 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationProcess                             fffff80002dbd234 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationResourceManager                     fffff80002f2a310 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationThread                              fffff80002d976e0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationToken                               fffff80002d62204 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationTransaction                         fffff80002f2bab0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationTransactionManager                  fffff80002f134e0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetInformationWorkerFactory                       fffff80002abd6e0 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwSetIntervalProfile                                fffff80002e7cb30 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetIoCompletion                                   fffff80002d5f920 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetIoCompletionEx                                 fffff80002ee6fe0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetLdtEntries                                     fffff80002b5cd00 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwSetLowEventPair                                   fffff80002efaa60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetLowWaitHighEventPair                           fffff80002efb220 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetQuotaInformationFile                           fffff80002f3b150 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetSecurityObject                                 fffff80002d68f98 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetSystemEnvironmentValue                         fffff80002f160a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetSystemEnvironmentValueEx                       fffff80002f3a710 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetSystemInformation                              fffff80002f48230 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetSystemPowerState                               fffff80002d1f3a0 \SystemRoot\system32\ntoskrnl.exe [PAGELK]
SSDT  ZwSetSystemTime                                     fffff80002eee2c0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetThreadExecutionState                           fffff80002f18690 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetTimer                                          fffff80002aba98c \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwSetTimerEx                                        fffff80002a7dec4 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwSetTimerResolution                                fffff80002ef97f0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetUuidSeed                                       fffff80002f29f50 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetValueKey                                       fffff80002d81954 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSetVolumeInformationFile                          fffff80002df10f4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwShutdownSystem                                    fffff80002f53e40 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwShutdownWorkerFactory                             fffff80002d84654 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSignalAndWaitForSingleObject                      fffff80002be6b70 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwSinglePhaseReject                                 fffff80002f23fa0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwStartProfile                                      fffff80002f32b20 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwStopProfile                                       fffff80002efe3b0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSuspendProcess                                    fffff80002f21c80 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSuspendThread                                     fffff80002d238dc \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwSystemDebugControl                                fffff80002d5f3cc \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwTerminateJobObject                                fffff80002d2eeb0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwTerminateProcess                                  fffff80002d86e10 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwTerminateThread                                   fffff80002da44f4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwTestAlert                                         fffff80002dc14a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwThawRegistry                                      fffff80002bcfbc0 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwThawTransactions                                  fffff80002ea85d0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwTraceControl                                      fffff80002d72b10 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwTraceEvent                                        fffff80002ab3584 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwTranslateFilePath                                 fffff80002ef8410 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwUmsThreadYield                                    fffff80002e59470 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwUnloadDriver                                      fffff80002ebade0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwUnloadKey                                         fffff80002d5a4a0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwUnloadKey2                                        fffff80002d527f4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwUnloadKeyEx                                       fffff80002f23780 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwUnlockFile                                        fffff80002d420d0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwUnlockVirtualMemory                               fffff80002be60a0 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwUnmapViewOfSection                                fffff80002de8494 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwVdmControl                                        fffff80002f37a80 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWaitForDebugEvent                                 fffff80002f0b410 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWaitForKeyedEvent                                 fffff80002db6780 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWaitForMultipleObjects                            fffff80002dc5cb8 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWaitForMultipleObjects32                          fffff80002df3040 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWaitForSingleObject                               fffff80002dc5620 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWaitForWorkViaWorkerFactory                       fffff80002ab9b80 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwWaitHighEventPair                                 fffff80002ef1650 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWaitLowEventPair                                  fffff80002ef16e0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWorkerFactoryWorkerReady                          fffff80002ac2060 \SystemRoot\system32\ntoskrnl.exe [.text]
SSDT  ZwWriteFile                                         fffff80002de2e60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWriteFileGather                                   fffff80002f2af80 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWriteRequestData                                  fffff80002f38730 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWriteVirtualMemory                                fffff80002d743e4 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwYieldExecution                                    fffff80002a9cf90 \SystemRoot\system32\ntoskrnl.exe [.text]


I'll make the same logs when things get worse again....
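Read as a whole, the listing above resolves every service into \SystemRoot\system32\ntoskrnl.exe, which is what an unhooked table looks like: an SSDT hook would show up as an entry pointing at some other module, or at an address with no backing module at all. As an added example (not from the thread and not from the tool that produced the log), here is how one might triage such a listing programmatically. The sample input mixes three rows copied from the listing with two constructed rows; the driver path example_hook.sys and the addresses beginning fffffa80 are invented for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The kernel image that every unhooked SSDT entry should resolve into.
KERNEL_IMAGE = "ntoskrnl.exe"

# One listing row: "SSDT  <service>  <hex address>  [<module path> [<section>]]".
# Module and section are optional so that an entry with no backing module
# (which some tools print as a bare address) is still parsed rather than dropped.
SSDT_ROW = re.compile(
    r"^SSDT\s+(?P<name>\S+)\s+(?P<addr>[0-9a-fA-F]{8,16})"
    r"(?:\s+(?P<module>[^\s\[]\S*))?"
    r"(?:\s+\[(?P<section>[^\]]*)\])?\s*$"
)


@dataclass(frozen=True)
class SsdtEntry:
    name: str
    address: int
    module: str   # "" when the tool printed no backing module
    section: str


def parse_ssdt(listing: str) -> List[SsdtEntry]:
    """Parse every SSDT row in a listing; lines that are not SSDT rows are skipped."""
    entries: List[SsdtEntry] = []
    for raw in listing.splitlines():
        m = SSDT_ROW.match(raw.strip())
        if m is None:
            continue
        entries.append(SsdtEntry(
            name=m.group("name"),
            address=int(m.group("addr"), 16),
            module=m.group("module") or "",
            section=m.group("section") or "",
        ))
    return entries


def is_kernel_backed(entry: SsdtEntry, kernel_image: str = KERNEL_IMAGE) -> bool:
    """True when the entry's target lies in the kernel image itself."""
    return entry.module.lower().endswith(kernel_image.lower())


def find_hook_candidates(entries: List[SsdtEntry], kernel_image: str = KERNEL_IMAGE) -> List[SsdtEntry]:
    """Entries pointing outside the kernel image: a third-party module, or no module at all."""
    return [e for e in entries if not is_kernel_backed(e, kernel_image)]


def kernel_address_span(entries: List[SsdtEntry], kernel_image: str = KERNEL_IMAGE) -> Tuple[int, int]:
    """Lowest and highest address among kernel-backed entries, as a sanity bound for the table."""
    addrs = [e.address for e in entries if is_kernel_backed(e, kernel_image)]
    return (min(addrs), max(addrs)) if addrs else (0, 0)


def triage(listing: str) -> Dict[str, object]:
    """Summarise a listing: how many rows, how many are clean, and which ones need a closer look."""
    entries = parse_ssdt(listing)
    hooked = find_hook_candidates(entries)
    return {
        "entries": len(entries),
        "kernel_backed": len(entries) - len(hooked),
        "hook_candidates": [(e.name, e.module or "<no backing module>") for e in hooked],
        "kernel_span": kernel_address_span(entries),
    }


# Constructed sample: three rows copied from the listing above, plus two invented
# rows (example_hook.sys and the fffffa80... addresses are hypothetical).
SAMPLE_LISTING = r"""
Constructed header line that is not an SSDT row
SSDT  ZwLoadDriver                                        fffff80002f4d580 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwOpenProcess                                       fffff80002da12d0 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwWriteFile                                         fffff80002de2e60 \SystemRoot\system32\ntoskrnl.exe [PAGE]
SSDT  ZwQueryDirectoryFile                                fffffa8003b1c000 \??\C:\Windows\system32\drivers\example_hook.sys [.text]
SSDT  ZwDeviceIoControlFile                               fffffa8004a20110
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(f"{report['entries']} entries, {report['kernel_backed']} resolve into {KERNEL_IMAGE}")
    for name, module in report["hook_candidates"]:
        print(f"HOOK CANDIDATE  {name:<40} -> {module}")
    lo, hi = report["kernel_span"]
    print(f"kernel-backed entries lie in {lo:#x}..{hi:#x}")
```

The module column is the first thing to check, not the address: addresses shift with every kernel build and with boot-time relocation, so a hard-coded range is useless, but a service that resolves into anything other than the kernel image, or into nothing at all, is worth investigating regardless of where it lands.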




 



#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,482 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:32 AM

Posted 03 January 2015 - 11:33 AM

RogueKiller is not allowed in this forum.

Please do NOT run tools I don't ask for.

 

I don't see any AV program running.

Install ONE of these:

- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
Note for Windows 8 users: Microsoft Security Essentials comes preinstalled and renamed as Windows Defender.
You can keep it, or you have to disable it before installing another AV program. How to...

- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php

Update, run full scan, report on any findings.
 

Then...

 

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.




#5 a7medsalim (Topic Starter, Members, 9 posts)

Posted 03 January 2015 - 02:59 PM

I just installed Comodo AV and I couldn't update my database; I had an error. Also, there were processes interfering and it asked me to terminate them; they were scvhost.exe and explorer.exe. I think it is DLL injection and it couldn't fix it. I have a log but can't attach it. How do I attach files?? :S


Edited by a7medsalim, 03 January 2015 - 02:59 PM.


#6 a7medsalim (Topic Starter, Members, 9 posts)

Posted 03 January 2015 - 03:04 PM

Yeah, it says Defense+ isn't working and it can't fix it.



#7 Broni (The Coolest BC Computer, BC Advisor, 42,482 posts)

Posted 03 January 2015 - 03:45 PM

Uninstall Comodo and try Avast.




#8 Orange Blossom (OBleepin Investigator, Moderator, 36,722 posts)

Posted 04 January 2015 - 01:57 AM

Hello,

I have merged your two topics in the log forum and the merged topic can be found here: http://www.bleepingcomputer.com/forums/t/561503/got-infected-with-ssdt-hooks-help/. Because you have a RogueKiller log posted in that topic, I am keeping that one open and will close this one to avoid any further potential confusion.


Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:

Edited by Orange Blossom, 04 January 2015 - 02:00 AM.
Restoring stripped out content. ~ OB

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



