
It Is Still In Here....


13 replies to this topic

#1 midgie


Posted 06 July 2007 - 03:49 PM

I have thrown out most of the stuff in this pc after this last reformat...
But something is still (like always!) in here.

Yesterday after being off for a while I turned it on to find another LAN line set up.
I simply disabled it and it disappeared overnight - but the adapters are still there in the Device Manager.

Also, as always, I had to delete NETWORK SERVICES in the Task Manager to move online...

None of the scanners found anything serious.... The new Ad-Aware a couple of mri's and that alexis thing.....
spybot
that DSO as usual.... Panda only 3 (not illegal but should be) rootkit type files always put in by darned HP!...
RootkitUnhooker always finds files hooked by ntoskrnl.exe....

I have other scans and/or screenshots if they will help....

Sure do appreciate your help as I cannot make heads or tails of this stuff....yet....

Thanks!!!

Midgie


Something took over my pc about 2 months ago. I have run every legit scan I could find and nothing really was detected except a win32 something that was taken care of by Norton, at the beginning of this - and some CoolWeb files also deleted. The first forced reformat cost me tons of personal stuff. I have reformatted a couple of dozen times since then and restored uncountable times. A low level format is not possible right now as this is an off the shelf Compaq/HP piece of junk - out of warranty, with no true DOS and no pure WinXP.... I have got to find and get rid of this thing... guess it is a rootkit hacker....

It started by putting SpamSubtract (HP junk) over my Winsock which locked me out of the net for over 2 weeks till I discovered the trick. Since I use ZA and block server and forbid anything out of here that I am not using and have never used any sharing software or networking stuff - was shocked to find it setting up a LAN connection and family network protocol, Messenger (which I had disabled) a RAZ phone, and NetMeeting with this last fresh reformat when I tossed out everything but the bare bones Win - and a few freshly set up utilities. I could not delete those files and had to go to safe to do it. It has managed to d/l in spite of my wariness loads of crap into this computer - and modified Spybot and other such helpers, which often had to be set up fresh!

RkUnhooker was reporting for a time two pages of files hooked by a kernel file - and Spybot that DSO exploit which I modified in regedit. Found 4 excludes in Spybot, where I had excluded nothing - SideStep, NewNet, MySearch and LSP.NewNet! But unchecked it found nothing, so may have still been excluding them.....
It was putting files linked to Cloacker into the run - till I was finally able to shred that and its clones...
It again locked me out of the net for a long period till I discovered that a *svchost NETWORK SERVICES* WAS doing the blocking and by bringing up Task Manager and tossing that I am then able to access the web -
and that is how it still stands, if I want to get on and get my mail etc. But my getting on I fear gives it access as it emulates my profile.............

Now I am the only user of this machine and have never had any viruses or problems since I was a newbie - nearly 10 years ago - and I have no idea how this SOB ever got into my machine!

I am sure hoping that some of you good folks might recognize some of those ploys and give me some clues as to what this thing is and what rootkit files it might be using. I will as soon as I am able get a HJ log up for the pros to look at and hopefully get somebody to look at some other suspect stuff I have collected...

I am so glad I found this board - I know so little about this stuff and have just been boxing in the dark...
Much to learn here, as time permits.....

Thanks for listening and for any help you might have to offer!

Midgie
......................................................................................................................................


Logfile of HijackThis v1.99.1
Scan saved at 9:24:58 AM, on 7/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\+3AA\AdAware\aawservice.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\+3AA\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Owner\+3AA\NoteTab Light\NoteTab.exe
C:\Documents and Settings\Owner\+3AA\HIJACK\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Owner\_3AA~1\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Documents and Settings\Owner\+3AA\ZoneAlarm\zonealarm.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Documents and Settings\Owner\+3AA\AdAware\aawservice.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
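A triage pass over the HijackThis log format shown above, added here as an example; it is not a tool from this thread or from BleepingComputer. It reads the tagged item lines (R0/R1, O2, O4, O20, O23, as they appear in the log), pulls out the file path or URL, and flags entries by location, vendor and start-page host; the sample input is a handful of lines copied from the log above, and the location policy and flag names are this example's own assumptions.

```python
"""Triage pass over a HijackThis v1.99 log (added example; not a tool from this thread)."""
import re
from urllib.parse import urlparse

# Constructed input: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Owner\_3AA~1\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "Rn - ..." / "Onn - ..." is the HijackThis item syntax; the header and the
# process list above the items carry no tag and are skipped.
ITEM_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")      # HJT writes the file path last
URL_RE = re.compile(r"https?://\S+")

# Assumed location policy for this example (not a HijackThis rule): binaries
# under the user profile or outside Windows / Program Files get a second look.
USER_PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_entry(line):
    """Split one HJT item line into section tag, body, and any path / URL it names."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    path = PATH_RE.search(body)
    url = URL_RE.search(body)
    return {
        "section": m.group("section"),
        "body": body,
        "path": path.group(0) if path else None,
        "url": url.group(0) if url else None,
    }


def flag_entry(entry):
    """Return the triage flags for one parsed entry (empty list = nothing odd)."""
    flags = []
    path = (entry["path"] or "").lower()
    if path.startswith(USER_PROFILE_PREFIXES):
        flags.append("runs-from-user-profile")
    elif path and not path.startswith(SYSTEM_PREFIXES):
        flags.append("unusual-location")
    if entry["section"] == "O23" and "Unknown owner" in entry["body"]:
        flags.append("unknown-vendor")          # HJT could not read a company name
    if entry["section"] == "O2" and "(no name)" in entry["body"]:
        flags.append("unnamed-bho")
    if entry["section"] in ("R0", "R1") and entry["url"]:
        host = urlparse(entry["url"]).hostname or "?"
        flags.append("ie-page:" + host)         # where the IE start/search pages point
    return flags


def triage(log_text):
    """Parse every tagged line of a log and attach flags; untagged lines are dropped."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entry["flags"] = flag_entry(entry)
            results.append(entry)
    return results


def ie_hosts(results):
    """Distinct hosts the R0/R1 start and search pages point at."""
    return sorted({f.split(":", 1)[1] for e in results
                   for f in e["flags"] if f.startswith("ie-page:")})


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for e in rows:
        print(f'{e["section"]:<4}{", ".join(e["flags"]) or "-":<40}{e["body"]}')
    print("IE pages point at:", ie_hosts(rows))
```

A flag is a prompt to look closer, not a verdict: here the user-profile hits are Spybot's own files and the unknown-vendor hit is the HP OmniPass service.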

#2 midgie


Posted 07 July 2007 - 03:56 PM

Suspected Kernel Rootkit Trojan... :thumbsup: :flowers:
Might be on backup HD too - not on now...

More info in first post - yesterday....

Sure do hope you can help.....

Midgie
........................................................................................

Logfile of HijackThis v1.99.1
Scan saved at 1:39:27 PM, on 7/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\+3AA\AdAware\aawservice.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\+3AA\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Owner\+3AA\NoteTab Light\NoteTab.exe
C:\Documents and Settings\Owner\+3AA\HIJACK\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Owner\_3AA~1\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Documents and Settings\Owner\+3AA\ZoneAlarm\zonealarm.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Documents and Settings\Owner\+3AA\AdAware\aawservice.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
........................................................................................


RkUnhooker report generator v0.6
==============================================
Rootkit Unhooker kernel version: 3.31.150.420
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x80E869D0

Process: C:\Documents and Settings\Owner\+3AA\ZoneAlarm\zonealarm.exe
Process Id: 156
EPROCESS Address: 0xFFBA5DA8

Process: C:\WINDOWS\system32\smss.exe
Process Id: 364
EPROCESS Address: 0x80D99DA8

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 428
EPROCESS Address: 0xFFBA12D0

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 452
EPROCESS Address: 0xFFB3C2D0

Process: C:\WINDOWS\system32\services.exe
Process Id: 496
EPROCESS Address: 0x80DA9358

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 508
EPROCESS Address: 0xFFB4B280

Process: C:\WINDOWS\regedit.exe
Process Id: 548
EPROCESS Address: 0x80CC21D8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 672
EPROCESS Address: 0x80D0F5C0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 716
EPROCESS Address: 0x80D7F020

Process: C:\WINDOWS\System32\svchost.exe
Process Id: 868
EPROCESS Address: 0xFFAE0868

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 932
EPROCESS Address: 0xFFB8B720

Process: C:\Documents and Settings\Owner\+3AA\AdAware\aawservice.exe
Process Id: 1032
EPROCESS Address: 0xFFB35320

Process: C:\WINDOWS\system32\alg.exe
Process Id: 1044
EPROCESS Address: 0xFFB155D8

Process: C:\Documents and Settings\Owner\+3AA\NoteTab Light\NoteTab.exe
Process Id: 1084
EPROCESS Address: 0xFFB2D778

Process: C:\Program Files\Softex\OmniPass\omniServ.exe
Process Id: 1104
EPROCESS Address: 0xFFAED468

Process: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Process Id: 1148
EPROCESS Address: 0xFFB51468

Process: C:\Documents and Settings\Owner\+3AA\HIJACK\New Folder\HijackThis.exe
Process Id: 1212
EPROCESS Address: 0xFFAE5B00

Process: C:\WINDOWS\system32\ZoneLabs\minilog.exe
Process Id: 1336
EPROCESS Address: 0x80CE6300

Process: C:\WINDOWS\system32\osk.exe
Process Id: 1496
EPROCESS Address: 0xFFA58490

Process: C:\Program Files\Softex\OmniPass\OPXPApp.exe
Process Id: 1532
EPROCESS Address: 0xFFB04448

Process: C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\SpybotSD.exe
Process Id: 1556
EPROCESS Address: 0xFFB762F0

Process: C:\WINDOWS\explorer.exe
Process Id: 1720
EPROCESS Address: 0x80CE0958

Process: C:\WINDOWS\system32\msswchx.exe
Process Id: 1848
EPROCESS Address: 0x80CC5AF0

Process: C:\WINDOWS\system32\rundll32.exe
Process Id: 1892
EPROCESS Address: 0xFFB3E900

Process: C:\hp\KBD\kbd.exe
Process Id: 1904
EPROCESS Address: 0xFFAF0DA8

Process: C:\Program Files\mozilla.org\Mozilla\mozilla.exe
Process Id: 1952
EPROCESS Address: 0xFFB82888

Process: C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe
Process Id: 2036
EPROCESS Address: 0xFFB195D8

Process: C:\Documents and Settings\Owner\+3AA\RK\RkUnhooker\Oupy1py.exe
Process Id: 1744
EPROCESS Address: 0xFFAF24A8

==============================================
>Drivers
Driver: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D4000
Size: 2042240 bytes

Driver: PnpManager
Address: 0x804D4000
Size: 2042240 bytes

Driver: RAW
Address: 0x804D4000
Size: 2042240 bytes

Driver: WMIxWDM
Address: 0x804D4000
Size: 2042240 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1814528 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1814528 bytes

Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xFC42B000
Size: 737280 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
Address: 0xFC512000
Size: 610304 bytes

Driver: Ntfs.sys
Address: 0xFC67D000
Size: 565248 bytes

Driver: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA18000
Size: 483328 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF40CF000
Size: 409600 bytes

Driver: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF4182000
Size: 335872 bytes

Driver: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xF3B97000
Size: 331776 bytes

Driver: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBF9EA000
Size: 188416 bytes

Driver: ACPI.sys
Address: 0xFC79B000
Size: 180224 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xF3D16000
Size: 176128 bytes

Driver: NDIS.sys
Address: 0xFC654000
Size: 167936 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF4133000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF3400000
Size: 159744 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF415B000
Size: 159744 bytes

Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF40AB000
Size: 147456 bytes

Driver: fasttx2k.sys
Address: 0xFC743000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9C8000
Size: 139264 bytes

Driver: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xFC3C1000
Size: 139264 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xFC5A7000
Size: 139264 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF3EF9000
Size: 135168 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xFC40A000
Size: 135168 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xFC4DF000
Size: 131072 bytes

Driver: ACPI_HAL
Address: 0x806C7000
Size: 127872 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806C7000
Size: 127872 bytes

Driver: ftdisk.sys
Address: 0xFC77C000
Size: 126976 bytes

Driver: C:\WINDOWS\system32\drivers\ialmsbw.sys
Address: 0xF4249000
Size: 114688 bytes

Driver: Mup.sys
Address: 0xFC63A000
Size: 106496 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ialmnt5.sys
Address: 0xFC5DB000
Size: 94208 bytes

Driver: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Address: 0xFC72C000
Size: 94208 bytes

Driver: atapi.sys
Address: 0xFC766000
Size: 90112 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4095000
Size: 90112 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xFC3F4000
Size: 90112 bytes

Driver: C:\WINDOWS\System32\vsdatant.sys
Address: 0xF3BE8000
Size: 90112 bytes

Driver: C:\WINDOWS\system32\drivers\ialmkchw.sys
Address: 0xF4265000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF3A2C000
Size: 81920 bytes

Driver: KSecDD.sys
Address: 0xFC707000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xFC4FF000
Size: 77824 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF3951000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xFC5C9000
Size: 73728 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBFF80000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xFC3E3000
Size: 69632 bytes

Driver: sr.sys
Address: 0xFC71B000
Size: 69632 bytes

Driver: pci.sys
Address: 0xFC7E8000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xFC8F8000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF389F000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xFC948000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xFCA08000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xFC938000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF3C46000
Size: 57344 bytes

Driver: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xFC908000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9BB000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xFC9E8000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xFC928000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xFC838000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xFC958000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xFC978000
Size: 49152 bytes

Driver: VolSnap.sys
Address: 0xFC818000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xFC918000
Size: 40960 bytes

Driver: MountMgr.sys
Address: 0xFC808000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xFC9C8000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xFC968000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xFC9B8000
Size: 40960 bytes

Driver: disk.sys
Address: 0xFC828000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xFCA28000
Size: 36864 bytes

Driver: isapnp.sys
Address: 0xFC7F8000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xFC988000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xFCA18000
Size: 36864 bytes

Driver: SISAGPX.sys
Address: 0xFC848000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xFCA38000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xFCB30000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xFCB88000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\processr.sys
Address: 0xFCB18000
Size: 32768 bytes

Driver: agp440.sys
Address: 0xFCA90000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xFCB38000
Size: 28672 bytes

Driver: viaagp1.sys
Address: 0xFCA88000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xFCB48000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xFCB50000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xFCA68000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\PS2.sys
Address: 0xFCB40000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xFCB68000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xFCB80000
Size: 20480 bytes

Driver: nv_agp.sys
Address: 0xFCA80000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xFCA70000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xFCB58000
Size: 20480 bytes

Driver: PxHelp20.sys
Address: 0xFCA78000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xFCB60000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv31.SYS
Address: 0xFCAE8000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xFCB28000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xFCB20000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xFCB78000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\asyncmac.sys
Address: 0xF3A68000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xFCCB0000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xFCCBC000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xFC2F9000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xFCBF8000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xFCCE4000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xFCCB8000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xF3F8A000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xFC5F6000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\srvkp.sys
Address: 0xFCC80000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xFCD04000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFCD1E000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xFCD02000
Size: 8192 bytes

Driver: intelide.sys
Address: 0xFCCEC000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xFCCE8000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xFCD06000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xFCD70000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xFCD08000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xFCD00000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xFCCEA000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xFCEE1000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xFCEE5000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xFCE39000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\socketlock.sys
Address: 0xFCDDB000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xFCE2E000
Size: 4096 bytes

==============================================
>Files
==============================================
>Hooks

ntoskrnl.exe-->atoi, Type: EAT modification at address 0x8065E43C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->atol, Type: EAT modification at address 0x8065E440 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isdigit, Type: EAT modification at address 0x8065E444 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->islower, Type: EAT modification at address 0x8065E448 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isprint, Type: EAT modification at address 0x8065E44C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isspace, Type: EAT modification at address 0x8065E450 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isupper, Type: EAT modification at address 0x8065E454 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isxdigit, Type: EAT modification at address 0x8065E458 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->mbstowcs, Type: EAT modification at address 0x8065E45C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->mbtowc, Type: EAT modification at address 0x8065E460 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memchr, Type: EAT modification at address 0x8065E464 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memcpy, Type: EAT modification at address 0x8065E468 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memmove, Type: EAT modification at address 0x8065E46C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memset, Type: EAT modification at address 0x8065E470 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->qsort, Type: EAT modification at address 0x8065E474 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->rand, Type: EAT modification at address 0x8065E478 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeFieldsToTime, Type: EAT modification at address 0x8065E000 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToElapsedTimeFields, Type: EAT modification at address 0x8065E004 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToSecondsSince1970, Type: EAT modification at address 0x8065E008 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToSecondsSince1980, Type: EAT modification at address 0x8065E00C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToTimeFields, Type: EAT modification at address 0x8065E010 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseAdd, Type: EAT modification at address 0x8065E014 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseCreate, Type: EAT modification at address 0x8065E018 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseDestroy, Type: EAT modification at address 0x8065E01C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseEnumerate, Type: EAT modification at address 0x8065E020 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseFind, Type: EAT modification at address 0x8065E024 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseLock, Type: EAT modification at address 0x8065E028 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseUnlock, Type: EAT modification at address 0x8065E02C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseValidate, Type: EAT modification at address 0x8065E030 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToAnsiSize, Type: EAT modification at address 0x8065E034 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToAnsiString, Type: EAT modification at address 0x8065E038 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToCountedOemString, Type: EAT modification at address 0x8065E03C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToInteger, Type: EAT modification at address 0x8065E040 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToOemSize, Type: EAT modification at address 0x8065E044 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToOemString, Type: EAT modification at address 0x8065E048 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToCustomCPN, Type: EAT modification at address 0x8065E04C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToMultiByteN, Type: EAT modification at address 0x8065E050 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToMultiByteSize, Type: EAT modification at address 0x8065E054 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToOemN, Type: EAT modification at address 0x8065E058 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnlockBootStatusData, Type: EAT modification at address 0x8065E05C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnwind, Type: EAT modification at address 0x8065E060 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeChar, Type: EAT modification at address 0x8065E064 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeString, Type: EAT modification at address 0x8065E068 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeStringToAnsiString, Type: EAT modification at address 0x8065E06C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeStringToCountedOemString, Type: EAT modification at address 0x8065E070 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeStringToOemString, Type: EAT modification at address 0x8065E074 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeToCustomCPN, Type: EAT modification at address 0x8065E078 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeToMultiByteN, Type: EAT modification at address 0x8065E07C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeToOemN, Type: EAT modification at address 0x8065E080 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpperChar, Type: EAT modification at address 0x8065E084 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpperString, Type: EAT modification at address 0x8065E088 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlValidRelativeSecurityDescriptor, Type: EAT modification at address 0x8065E08C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlValidSecurityDescriptor, Type: EAT modification at address 0x8065E090 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlValidSid, Type: EAT modification at address 0x8065E094 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlVerifyVersionInfo, Type: EAT modification at address 0x8065E098 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlVolumeDeviceToDosName, Type: EAT modification at address 0x8065E09C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlWalkFrameChain, Type: EAT modification at address 0x8065E0A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlWriteRegistryValue, Type: EAT modification at address 0x8065E0A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxAnsiStringToUnicodeSize, Type: EAT modification at address 0x8065E0B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxOemStringToUnicodeSize, Type: EAT modification at address 0x8065E0B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxUnicodeStringToAnsiSize, Type: EAT modification at address 0x8065E0B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxUnicodeStringToOemSize, Type: EAT modification at address 0x8065E0BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlZeroHeap, Type: EAT modification at address 0x8065E0A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlZeroMemory, Type: EAT modification at address 0x8065E0AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAccessCheck, Type: EAT modification at address 0x8065E0C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAppendPrivileges, Type: EAT modification at address 0x8065E0C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAssignSecurity, Type: EAT modification at address 0x8065E0C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAssignSecurityEx, Type: EAT modification at address 0x8065E0CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditHardLinkCreation, Type: EAT modification at address 0x8065E0D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditingFileEvents, Type: EAT modification at address 0x8065E0D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditingFileOrGlobalEvents, Type: EAT modification at address 0x8065E0D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditingHardLinkEvents, Type: EAT modification at address 0x8065E0DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCaptureSecurityDescriptor, Type: EAT modification at address 0x8065E0E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCaptureSubjectContext, Type: EAT modification at address 0x8065E0E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCloseObjectAuditAlarm, Type: EAT modification at address 0x8065E0E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCreateAccessState, Type: EAT modification at address 0x8065E0EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCreateClientSecurity, Type: EAT modification at address 0x8065E0F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCreateClientSecurityFromSubjectContext, Type: EAT modification at address 0x8065E0F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeDeassignSecurity, Type: EAT modification at address 0x8065E0F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeDeleteAccessState, Type: EAT modification at address 0x8065E0FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeDeleteObjectAuditAlarm, Type: EAT modification at address 0x8065E100 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeExports, Type: EAT modification at address 0x8065E104 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeFilterToken, Type: EAT modification at address 0x8065E108 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeFreePrivileges, Type: EAT modification at address 0x8065E10C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeImpersonateClient, Type: EAT modification at address 0x8065E110 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeImpersonateClientEx, Type: EAT modification at address 0x8065E114 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeLockSubjectContext, Type: EAT modification at address 0x8065E118 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeMarkLogonSessionForTerminationNotification, Type: EAT modification at address 0x8065E11C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeOpenObjectAuditAlarm, Type: EAT modification at address 0x8065E120 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeOpenObjectForDeleteAuditAlarm, Type: EAT modification at address 0x8065E124 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SePrivilegeCheck, Type: EAT modification at address 0x8065E128 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SePrivilegeObjectAuditAlarm, Type: EAT modification at address 0x8065E12C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SePublicDefaultDacl, Type: EAT modification at address 0x8065E130 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQueryAuthenticationIdToken, Type: EAT modification at address 0x8065E134 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQueryInformationToken, Type: EAT modification at address 0x8065E138 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQuerySecurityDescriptorInfo, Type: EAT modification at address 0x8065E13C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQuerySessionIdToken, Type: EAT modification at address 0x8065E140 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeRegisterLogonSessionTerminatedRoutine, Type: EAT modification at address 0x8065E144 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeReleaseSecurityDescriptor, Type: EAT modification at address 0x8065E148 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeReleaseSubjectContext, Type: EAT modification at address 0x8065E14C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSetAccessStateGenericMapping, Type: EAT modification at address 0x8065E150 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSetSecurityDescriptorInfo, Type: EAT modification at address 0x8065E154 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSetSecurityDescriptorInfoEx, Type: EAT modification at address 0x8065E158 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSinglePrivilegeCheck, Type: EAT modification at address 0x8065E15C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSystemDefaultDacl, Type: EAT modification at address 0x8065E160 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenImpersonationLevel, Type: EAT modification at address 0x8065E164 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenIsAdmin, Type: EAT modification at address 0x8065E168 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenIsRestricted, Type: EAT modification at address 0x8065E16C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenObjectType, Type: EAT modification at address 0x8065E170 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenType, Type: EAT modification at address 0x8065E174 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeUnlockSubjectContext, Type: EAT modification at address 0x8065E178 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeUnregisterLogonSessionTerminatedRoutine, Type: EAT modification at address 0x8065E17C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeValidSecurityDescriptor, Type: EAT modification at address 0x8065E180 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->sprintf, Type: EAT modification at address 0x8065E47C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->srand, Type: EAT modification at address 0x8065E480 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strcat, Type: EAT modification at address 0x8065E484 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strchr, Type: EAT modification at address 0x8065E488 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strcmp, Type: EAT modification at address 0x8065E48C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strcpy, Type: EAT modification at address 0x8065E490 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strlen, Type: EAT modification at address 0x8065E494 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strncat, Type: EAT modification at address 0x8065E498 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strncmp, Type: EAT modification at address 0x8065E49C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strncpy, Type: EAT modification at address 0x8065E4A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strrchr, Type: EAT modification at address 0x8065E4A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strspn, Type: EAT modification at address 0x8065E4A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strstr, Type: EAT modification at address 0x8065E4AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->swprintf, Type: EAT modification at address 0x8065E4B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->tolower, Type: EAT modification at address 0x8065E4B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->toupper, Type: EAT modification at address 0x8065E4B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->towlower, Type: EAT modification at address 0x8065E4BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->towupper, Type: EAT modification at address 0x8065E4C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->vDbgPrintEx, Type: EAT modification at address 0x8065E4C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->vDbgPrintExWithPrefix, Type: EAT modification at address 0x8065E4C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VerSetConditionMask, Type: EAT modification at address 0x8065E184 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfFailDeviceNode, Type: EAT modification at address 0x8065E188 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfFailDriver, Type: EAT modification at address 0x8065E18C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfFailSystemBIOS, Type: EAT modification at address 0x8065E190 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfIsVerificationEnabled, Type: EAT modification at address 0x8065E194 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->vsprintf, Type: EAT modification at address 0x8065E4CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscat, Type: EAT modification at address 0x8065E4D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcschr, Type: EAT modification at address 0x8065E4D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscmp, Type: EAT modification at address 0x8065E4D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscpy, Type: EAT modification at address 0x8065E4DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscspn, Type: EAT modification at address 0x8065E4E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcslen, Type: EAT modification at address 0x8065E4E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsncat, Type: EAT modification at address 0x8065E4E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsncmp, Type: EAT modification at address 0x8065E4EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsncpy, Type: EAT modification at address 0x8065E4F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsrchr, Type: EAT modification at address 0x8065E4F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsspn, Type: EAT modification at address 0x8065E4F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsstr, Type: EAT modification at address 0x8065E4FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcstombs, Type: EAT modification at address 0x8065E500 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wctomb, Type: EAT modification at address 0x8065E504 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiFlushTrace, Type: EAT modification at address 0x8065E1B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiQueryTrace, Type: EAT modification at address 0x8065E1B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiQueryTraceInformation, Type: EAT modification at address 0x8065E1B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiStartTrace, Type: EAT modification at address 0x8065E1BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiStopTrace, Type: EAT modification at address 0x8065E1C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiTraceMessage, Type: EAT modification at address 0x8065E1C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiTraceMessageVa, Type: EAT modification at address 0x8065E1C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiUpdateTrace, Type: EAT modification at address 0x8065E1CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_BUFFER_UCHAR, Type: EAT modification at address 0x8065E198 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_BUFFER_ULONG, Type: EAT modification at address 0x8065E19C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_BUFFER_USHORT, Type: EAT modification at address 0x8065E1A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_UCHAR, Type: EAT modification at address 0x8065E1A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_ULONG, Type: EAT modification at address 0x8065E1A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_USHORT, Type: EAT modification at address 0x8065E1AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->XIPDispatch, Type: EAT modification at address 0x8065E1D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAccessCheckAndAuditAlarm, Type: EAT modification at address 0x8065E1D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAddBootEntry, Type: EAT modification at address 0x8065E1D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAdjustPrivilegesToken, Type: EAT modification at address 0x8065E1DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAlertThread, Type: EAT modification at address 0x8065E1E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAllocateVirtualMemory, Type: EAT modification at address 0x8065E1E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAssignProcessToJobObject, Type: EAT modification at address 0x8065E1E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCancelIoFile, Type: EAT modification at address 0x8065E1EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCancelTimer, Type: EAT modification at address 0x8065E1F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwClearEvent, Type: EAT modification at address 0x8065E1F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwClose, Type: EAT modification at address 0x8065E1F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCloseObjectAuditAlarm, Type: EAT modification at address 0x8065E1FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwConnectPort, Type: EAT modification at address 0x8065E200 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateDirectoryObject, Type: EAT modification at address 0x8065E204 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateEvent, Type: EAT modification at address 0x8065E208 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateFile, Type: EAT modification at address 0x8065E20C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateJobObject, Type: EAT modification at address 0x8065E210 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateKey, Type: EAT modification at address 0x8065E214 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateSection, Type: EAT modification at address 0x8065E218 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateSymbolicLinkObject, Type: EAT modification at address 0x8065E21C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateTimer, Type: EAT modification at address 0x8065E220 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteBootEntry, Type: EAT modification at address 0x8065E224 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteFile, Type: EAT modification at address 0x8065E228 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteKey, Type: EAT modification at address 0x8065E22C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteValueKey, Type: EAT modification at address 0x8065E230 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeviceIoControlFile, Type: EAT modification at address 0x8065E234 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDisplayString, Type: EAT modification at address 0x8065E238 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDuplicateObject, Type: EAT modification at address 0x8065E23C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDuplicateToken, Type: EAT modification at address 0x8065E240 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwEnumerateBootEntries, Type: EAT modification at address 0x8065E244 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwEnumerateKey, Type: EAT modification at address 0x8065E248 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwEnumerateValueKey, Type: EAT modification at address 0x8065E24C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFlushInstructionCache, Type: EAT modification at address 0x8065E250 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFlushKey, Type: EAT modification at address 0x8065E254 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFlushVirtualMemory, Type: EAT modification at address 0x8065E258 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFreeVirtualMemory, Type: EAT modification at address 0x8065E25C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFsControlFile, Type: EAT modification at address 0x8065E260 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwInitiatePowerAction, Type: EAT modification at address 0x8065E264 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwIsProcessInJob, Type: EAT modification at address 0x8065E268 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwLoadDriver, Type: EAT modification at address 0x8065E26C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwLoadKey, Type: EAT modification at address 0x8065E270 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwMakeTemporaryObject, Type: EAT modification at address 0x8065E274 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwMapViewOfSection, Type: EAT modification at address 0x8065E278 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwNotifyChangeKey, Type: EAT modification at address 0x8065E27C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenDirectoryObject, Type: EAT modification at address 0x8065E280 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenEvent, Type: EAT modification at address 0x8065E284 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenFile, Type: EAT modification at address 0x8065E288 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenJobObject, Type: EAT modification at address 0x8065E28C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenKey, Type: EAT modification at address 0x8065E290 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenProcess, Type: EAT modification at address 0x8065E294 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenProcessToken, Type: EAT modification at address 0x8065E298 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenProcessTokenEx, Type: EAT modification at address 0x8065E29C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenSection, Type: EAT modification at address 0x8065E2A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenSymbolicLinkObject, Type: EAT modification at address 0x8065E2A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenThread, Type: EAT modification at address 0x8065E2A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenThreadToken, Type: EAT modification at address 0x8065E2AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenThreadTokenEx, Type: EAT modification at address 0x8065E2B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenTimer, Type: EAT modification at address 0x8065E2B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwPowerInformation, Type: EAT modification at address 0x8065E2B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwPulseEvent, Type: EAT modification at address 0x8065E2BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryBootEntryOrder, Type: EAT modification at address 0x8065E2C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryBootOptions, Type: EAT modification at address 0x8065E2C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDefaultLocale, Type: EAT modification at address 0x8065E2C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDefaultUILanguage, Type: EAT modification at address 0x8065E2CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDirectoryFile, Type: EAT modification at address 0x8065E2D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDirectoryObject, Type: EAT modification at address 0x8065E2D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryEaFile, Type: EAT modification at address 0x8065E2D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryFullAttributesFile, Type: EAT modification at address 0x8065E2DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationFile, Type: EAT modification at address 0x8065E2E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationJobObject, Type: EAT modification at address 0x8065E2E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationProcess, Type: EAT modification at address 0x8065E2E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationThread, Type: EAT modification at address 0x8065E2EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationToken, Type: EAT modification at address 0x8065E2F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInstallUILanguage, Type: EAT modification at address 0x8065E2F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryKey, Type: EAT modification at address 0x8065E2F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryObject, Type: EAT modification at address 0x8065E2FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySection, Type: EAT modification at address 0x8065E300 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySecurityObject, Type: EAT modification at address 0x8065E304 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySymbolicLinkObject, Type: EAT modification at address 0x8065E308 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySystemInformation, Type: EAT modification at address 0x8065E30C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryValueKey, Type: EAT modification at address 0x8065E310 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryVolumeInformationFile, Type: EAT modification at address 0x8065E314 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwReadFile, Type: EAT modification at address 0x8065E318 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwReplaceKey, Type: EAT modification at address 0x8065E31C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwRequestWaitReplyPort, Type: EAT modification at address 0x8065E320 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwResetEvent, Type: EAT modification at address 0x8065E324 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwRestoreKey, Type: EAT modification at address 0x8065E328 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSaveKey, Type: EAT modification at address 0x8065E32C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSaveKeyEx, Type: EAT modification at address 0x8065E330 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetBootEntryOrder, Type: EAT modification at address 0x8065E334 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetBootOptions, Type: EAT modification at address 0x8065E338 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetDefaultLocale, Type: EAT modification at address 0x8065E33C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetDefaultUILanguage, Type: EAT modification at address 0x8065E340 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetEaFile, Type: EAT modification at address 0x8065E344 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetEvent, Type: EAT modification at address 0x8065E348 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationFile, Type: EAT modification at address 0x8065E34C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationJobObject, Type: EAT modification at address 0x8065E350 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationObject, Type: EAT modification at address 0x8065E354 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationProcess, Type: EAT modification at address 0x8065E358 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationThread, Type: EAT modification at address 0x8065E35C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetSecurityObject, Type: EAT modification at address 0x8065E360 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetSystemInformation, Type: EAT modification at address 0x8065E364 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetSystemTime, Type: EAT modification at address 0x8065E368 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetTimer, Type: EAT modification at address 0x8065E36C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetValueKey, Type: EAT modification at address 0x8065E370 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetVolumeInformationFile, Type: EAT modification at address 0x8065E374 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwTerminateJobObject, Type: EAT modification at address 0x8065E378 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwTerminateProcess, Type: EAT modification at address 0x8065E37C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwTranslateFilePath, Type: EAT modification at address 0x8065E380 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwUnloadDriver, Type: EAT modification at address 0x8065E384 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwUnloadKey, Type: EAT modification at address 0x8065E388 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwUnmapViewOfSection, Type: EAT modification at address 0x8065E38C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwWaitForMultipleObjects, Type: EAT modification at address 0x8065E390 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwWaitForSingleObject, Type: EAT modification at address 0x8065E394 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwWriteFile, Type: EAT modification at address 0x8065E398 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwYieldExecution, Type: EAT modification at address 0x8065E39C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_abnormal_termination, Type: EAT modification at address 0x8065E3AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_alldiv, Type: EAT modification at address 0x8065E3B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_alldvrm, Type: EAT modification at address 0x8065E3B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allmul, Type: EAT modification at address 0x8065E3B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_alloca_probe, Type: EAT modification at address 0x8065E3BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allrem, Type: EAT modification at address 0x8065E3C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allshl, Type: EAT modification at address 0x8065E3C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allshr, Type: EAT modification at address 0x8065E3C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aulldiv, Type: EAT modification at address 0x8065E3CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aulldvrm, Type: EAT modification at address 0x8065E3D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aullrem, Type: EAT modification at address 0x8065E3D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aullshr, Type: EAT modification at address 0x8065E3D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_CIcos, Type: EAT modification at address 0x8065E3A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_CIsin, Type: EAT modification at address 0x8065E3A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_CIsqrt, Type: EAT modification at address 0x8065E3A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_except_handler2, Type: EAT modification at address 0x8065E3DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_except_handler3, Type: EAT modification at address 0x8065E3E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_global_unwind2, Type: EAT modification at address 0x8065E3E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_itoa, Type: EAT modification at address 0x8065E3E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_itow, Type: EAT modification at address 0x8065E3EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_local_unwind2, Type: EAT modification at address 0x8065E3F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_purecall, Type: EAT modification at address 0x8065E3F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_snprintf, Type: EAT modification at address 0x8065E3F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_snwprintf, Type: EAT modification at address 0x8065E3FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_stricmp, Type: EAT modification at address 0x8065E400 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strlwr, Type: EAT modification at address 0x8065E404 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strnicmp, Type: EAT modification at address 0x8065E408 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strnset, Type: EAT modification at address 0x8065E40C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strrev, Type: EAT modification at address 0x8065E410 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strset, Type: EAT modification at address 0x8065E414 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strupr, Type: EAT modification at address 0x8065E418 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_vsnprintf, Type: EAT modification at address 0x8065E41C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_vsnwprintf, Type: EAT modification at address 0x8065E420 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsicmp, Type: EAT modification at address 0x8065E424 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcslwr, Type: EAT modification at address 0x8065E428 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsnicmp, Type: EAT modification at address 0x8065E42C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsnset, Type: EAT modification at address 0x8065E430 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsrev, Type: EAT modification at address 0x8065E434 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsupr, Type: EAT modification at address 0x8065E438 hook handler located in [ntoskrnl.exe]

...........................................................................................

StartupList report, 7/7/2007, 1:42:32 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\+3AA\HIJACK\New Folder\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\+3AA\AdAware\aawservice.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\+3AA\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Owner\+3AA\NoteTab Light\NoteTab.exe
C:\Documents and Settings\Owner\+3AA\HIJACK\New Folder\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm.lnk = C:\Documents and Settings\Owner\+3AA\ZoneAlarm\zonealarm.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

KBD = C:\HP\KBD\KBD.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Documents and Settings\Owner\+3AA\spybot\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /HideWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\DOCUME~1\Owner\_3AA~1\spybot\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: C:\Documents and Settings\Owner\+3AA\AdAware\aawservice.exe (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Lucent Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TrueVector Basic Logging Client: C:\WINDOWS\system32\ZoneLabs\minilog.exe -service (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Softex OmniPass Service: C:\Program Files\Softex\OmniPass\Omniserv.exe (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: \SystemRoot\System32\DRIVERS\pciide.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
Raw Socket Lock Driver: \??\C:\WINDOWS\System32\socketlock.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E9FAE58C-7E2C-46A9-BC4A-0DEC332F3ACC} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 30,073 bytes
Report generated in 0.344 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
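
The StartupList report above is a list of the persistence points that HijackThis-era tools were written to audit: the Winlogon UserInit and Shell values, the exefile/comfile/batfile/piffile open command, the Winsock LSP chain, the Run keys, and (in a HijackThis log) the O17 NameServer entries. The two RootkitUnhooker lines at the top of the post are export-table entries whose handler resolves inside ntoskrnl.exe itself, so by themselves they show no foreign module in the kernel's export table. As an added example that is not part of this thread or of either tool, the Python script below applies the same sanity checks to a constructed excerpt written in the same report format. The sample entries (helper.exe, lspfilter.dll, the svchost.exe in a Temp directory, the 192.0.2.x name servers and the all-zero interface GUID) are made up; the expected values are the Windows XP defaults.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample in StartupList / HijackThis report style. It is not the
# thread's log: helper.exe, lspfilter.dll, the Temp-directory svchost.exe and the
# 192.0.2.x name servers are made up to exercise each check.
SAMPLE_LOG = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

Shell=Explorer.exe

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = C:\WINDOWS\System32\helper.exe "%1" %*

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\rsvpsp.dll
Protocol #3: C:\Documents and Settings\Owner\Local Settings\Temp\lspfilter.dll

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53 192.0.2.54
"""

# Windows XP defaults that StartupList / HijackThis compare against.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
EXPECTED_SHELL = "explorer.exe"
EXPECTED_OPEN_CMD = '"%1" %*'          # exefile/comfile/batfile/piffile open command
EXECUTABLE_EXTS = {".EXE", ".COM", ".BAT", ".PIF"}
KNOWN_LSP_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}
SYSTEM32 = r"c:\windows\system32"
# Names malware borrows from core system processes; legitimate only in system32.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "smss.exe"}
RISKY_DIR_FRAGMENTS = ("\\temp\\", "\\application data\\", "\\recycler\\")


def _exe_from_cmd(cmd: str) -> str:
    """Return the executable path from an O4 command line (quoted or with switches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def _dir_of(path: str) -> str:
    return ntpath.dirname(path.strip('"')).lower()


def triage(log: str) -> Dict[str, List[str]]:
    """Apply the StartupList/HijackThis sanity checks to a report and bucket the findings."""
    findings: Dict[str, List[str]] = {"critical": [], "review": []}
    pending_ext = None  # extension whose (Default) open command comes next
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("userinit ="):
            value = line.split("=", 1)[1].strip()
            if value.lower() != EXPECTED_USERINIT:
                findings["critical"].append(f"Winlogon UserInit altered: {value}")
        elif low.startswith("shell=") and not low.startswith("shell=*"):
            value = line.split("=", 1)[1].strip()
            if value.lower() != EXPECTED_SHELL:
                findings["critical"].append(f"Winlogon Shell altered: {value}")
        elif low.startswith("file association entry for "):
            pending_ext = line.rstrip(":").split()[-1].upper()
        elif low.startswith("(default) =") and pending_ext:
            value = line.split("=", 1)[1].strip()
            if pending_ext in EXECUTABLE_EXTS and value != EXPECTED_OPEN_CMD:
                findings["critical"].append(f"{pending_ext} open command hijacked: {value}")
            pending_ext = None
        elif re.match(r"(namespace|protocol) #\d+:", low):
            path = line.split(":", 1)[1].strip()
            if ntpath.basename(path).lower() not in KNOWN_LSP_DLLS or _dir_of(path) != SYSTEM32:
                findings["critical"].append(f"LSP outside the stock Winsock set: {path}")
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - (.+?): \[(.+?)\] (.+)$", line)
            if not m:
                continue
            key, name, cmd = m.groups()
            exe = _exe_from_cmd(cmd)
            base, directory = ntpath.basename(exe).lower(), _dir_of(exe)
            if base in MASQUERADE_NAMES and directory != SYSTEM32:
                findings["critical"].append(f"{key} [{name}] runs a system-binary lookalike: {exe}")
            elif any(frag in directory + "\\" for frag in RISKY_DIR_FRAGMENTS):
                findings["review"].append(f"{key} [{name}] starts from a temp/profile directory: {exe}")
        elif line.startswith("O17 - "):
            m = re.search(r"NameServer = (.+)$", line)
            if m:
                findings["review"].append(f"explicit DNS servers {m.group(1)}; confirm they belong to the ISP")
    return findings


if __name__ == "__main__":
    for severity, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"[{severity}] {item}")
```

Run against the sample it reports the .COM open-command hijack, the non-stock LSP dll and the svchost.exe lookalike as critical, and the explicit DNS servers as something to verify. Against the real report in this post the same checks pass (UserInit, Shell, the four executable open commands and every LSP entry match the XP defaults), which is the point: the StartupList output is clean on those axes, and an O17 NameServer entry is only a problem if the addresses are not the ISP's own.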

#3 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 18 July 2007 - 02:48 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

#4 midgie

  • Topic Starter
  • Members
  • 10 posts

Posted 19 July 2007 - 10:31 PM

Fresh reformat - tossed a lot of stuff - allowed Generic Host Process access for a couple of days, then blocked it again. It is suspect!
Seemed to be no problem - ran lots more scans....

Just found BackWeb, which I deleted from Windows from the start - it had been used; cleaned out the whole file...
Just now NetMeeting, which had also been removed - IT WAS BEING USED! Cannot delete or shred or change any of it! It has done this with rasphone, Messenger - altered scanners, forced ZA to allow access - I lost track of all the crap pulled! If I do not toss all shreds of SpamSubtract the minute a new reformat comes up, it puts it over my Winsock and I am totally blocked from the net.... Same with cloaker, which is used often in an attempt to hide stuff......

Panda found only semi-legal rootkit files put in this thing by danged HP and suggested I delete them... Spybot only that DNS thing, and I changed it in the reg..... AVG keeps finding this phony trojan - AHeur.apy - everywhere! BOClean appears to be a piece of junk!.... but then this damned thing is imitating both Owner and Administrator............ It uses danged IE - I don't! - and I tried to set high security on everything and block it..........but............ I finally found and disabled NETWORK SERVICES, which was blocking me from the net!

On one occasion it blocked me with an admin password - on another it changed the visual settings.... The idiot SOB behind this thing needs to be hanged! If only I could find a way to block all networking crap other than the internet and mail!

Here is the latest HiJack log..... and others....

Midgie - way beyond frustration!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:43 PM, on 7/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\11111\AA\aawservice.exe
C:\11111\AVG\avgamsvr.exe
C:\11111\AVG\avgupsvc.exe
C:\11111\AVG\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\11111\AVG\avgcc.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\11111\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\OSK.exe
C:\WINDOWS\System32\MSSWCHX.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\11111\AVG\avgvv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\11111\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\11111\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\11111\AVG\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\11111\AVG\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\11111\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk.disabled
O4 - Global Startup: ZoneAlarm.lnk = C:\11111\ZoneAlarm\zonealarm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{256FB944-9EE2-4A4E-9454-D6D6372A2063}: NameServer = 205.208.227.13 205.208.227.14
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\11111\AA\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\11111\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\11111\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\11111\AVG\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5884 bytes

.......................................................

StartupList report, 7/19/2007, 8:17:31 PM
StartupList version: 1.52.2
Started from : C:\11111\HJ\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\11111\AA\aawservice.exe
C:\11111\AVG\avgamsvr.exe
C:\11111\AVG\avgupsvc.exe
C:\11111\AVG\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\11111\AVG\avgcc.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\11111\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\OSK.exe
C:\WINDOWS\System32\MSSWCHX.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\11111\AVG\avgvv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\11111\HJ\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Compaq Connections.lnk.disabled
ZoneAlarm.lnk = C:\11111\ZoneAlarm\zonealarm.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
KBD = C:\HP\KBD\KBD.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
PS2 = C:\WINDOWS\system32\ps2.exe
AVG7_CC = C:\11111\AVG\avgcc.exe /STARTUP
BOC-424 = C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
mmtask = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
NAV CfgWiz = c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: C:\11111\AA\aawservice.exe (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (disabled)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\11111\AVG\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\11111\AVG\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\11111\AVG\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BOClean Kernel Monitor.: \??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys (manual start)
BOCore: C:\Program Files\Comodo\CBOClean\BOCORE.exe (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (manual start)
Symantec Password Validation Service: "c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Lucent Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TrueVector Basic Logging Client: C:\WINDOWS\system32\ZoneLabs\minilog.exe -service (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Norton AntiVirus Auto Protect Service: "c:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030610.007\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030610.007\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Softex OmniPass Service: C:\Program Files\Softex\OmniPass\Omniserv.exe (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: \SystemRoot\System32\DRIVERS\pciide.sys (disabled)
Padus ASPI Shell: \??\C:\WINDOWS\System32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\WINDOWS\System32\Drivers\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
Raw Socket Lock Driver: \??\C:\WINDOWS\System32\socketlock.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E9FAE58C-7E2C-46A9-BC4A-0DEC332F3ACC} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (manual start)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 32,580 bytes
Report generated in 1.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
.................................................................

RKUnhook........... hooked and hidden files only..................

RkUnhooker report generator v0.6
==============================================
Rootkit Unhooker kernel version: 3.31.150.420
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x80E869D0

Process: C:\WINDOWS\system\hpsysdrv.exe
Process Id: 320
EPROCESS Address: 0xFF86D790

Process: C:\WINDOWS\system32\smss.exe
Process Id: 376
EPROCESS Address: 0x80CC1C80

Process: C:\hp\KBD\kbd.exe
Process Id: 416
EPROCESS Address: 0x80CCC720

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 432
EPROCESS Address: 0x80E59C18

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 456
EPROCESS Address: 0x80DBFDA8

Process: C:\WINDOWS\system32\services.exe
Process Id: 500
EPROCESS Address: 0x80D7B020

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 512
EPROCESS Address: 0x80DB7A78

Process: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
Process Id: 544
EPROCESS Address: 0xFF9B3020

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 676
EPROCESS Address: 0x80D96020

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 720
EPROCESS Address: 0x80DBCDA8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 796
EPROCESS Address: 0xFFBB2820

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 904
EPROCESS Address: 0xFFAE66D8

Process: C:\11111\AA\aawservice.exe
Process Id: 1000
EPROCESS Address: 0xFFADA020

Process: C:\WINDOWS\system32\alg.exe
Process Id: 1016
EPROCESS Address: 0xFFAD75C8

Process: C:\11111\AVG\avgamsvr.exe
Process Id: 1032
EPROCESS Address: 0xFFAD3020

Process: C:\11111\AVG\avgupsvc.exe
Process Id: 1048
EPROCESS Address: 0xFFAD6598

Process: C:\11111\AVG\avgemc.exe
Process Id: 1076
EPROCESS Address: 0xFFACD398

Process: C:\Program Files\Comodo\CBOClean\BOCore.exe
Process Id: 1112
EPROCESS Address: 0xFFAC8BC8

Process: C:\WINDOWS\system32\cisvc.exe
Process Id: 1132
EPROCESS Address: 0xFFAC3718

Process: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Process Id: 1184
EPROCESS Address: 0x80DE6DA8

Process: C:\Program Files\Norton AntiVirus\Navapsvc.exe
Process Id: 1188
EPROCESS Address: 0xFFAB6A80

Process: C:\Program Files\Softex\OmniPass\omniServ.exe
Process Id: 1240
EPROCESS Address: 0xFFAAFB30

Process: C:\11111\AVG\avgcc.exe
Process Id: 1288
EPROCESS Address: 0x80DE6500

Process: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Process Id: 1336
EPROCESS Address: 0xFFA9D350

Process: C:\WINDOWS\system32\ZoneLabs\minilog.exe
Process Id: 1468
EPROCESS Address: 0xFFA579B8

Process: C:\PROGRA~1\Comodo\CBOClean\BOC424.EXE
Process Id: 1548
EPROCESS Address: 0x80DEA640

Process: C:\Program Files\Softex\OmniPass\OPXPApp.exe
Process Id: 1692
EPROCESS Address: 0xFFA1D020

Process: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Process Id: 1756
EPROCESS Address: 0xFF84A020

Process: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Process Id: 1792
EPROCESS Address: 0x80DE4818

Process: C:\WINDOWS\system32\osk.exe
Process Id: 1820
EPROCESS Address: 0x80E00998

Process: C:\WINDOWS\explorer.exe
Process Id: 1960
EPROCESS Address: 0xFF9ED448

Process: C:\11111\ZoneAlarm\zonealarm.exe
Process Id: 2012
EPROCESS Address: 0xFF6B8AD8

Process: C:\WINDOWS\system32\msswchx.exe
Process Id: 2064
EPROCESS Address: 0xFF617270

Process: C:\WINDOWS\system32\cidaemon.exe
Process Id: 2344
EPROCESS Address: 0xFF5E29C0

Process: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Process Id: 2508
EPROCESS Address: 0xFF561DA8

Process: C:\Program Files\mozilla.org\Mozilla\mozilla.exe
Process Id: 2520
EPROCESS Address: 0xFF46A4A8

Process: C:\WINDOWS\system32\rundll32.exe
Process Id: 2856
EPROCESS Address: 0xFF4099C8

Process: C:\Program Files\NoteTab Light\NoteTab.exe
Process Id: 3000
EPROCESS Address: 0xFF7E7020

Process: C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for HiJackThis_v2.zip\HiJackThis_v2.exe
Process Id: 3288
EPROCESS Address: 0xFF411440

Process: C:\11111\AVG\avgvv.exe
Process Id: 3676
EPROCESS Address: 0xFF7E0020

Process: C:\11111\RK\RkUnhooker\Tos1gp8mc67u.exe
Process Id: 292
EPROCESS Address: 0xFFADB020

==============================================
>Drivers
Driver: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D4000
Size: 2042240 bytes

Driver: PnpManager
Address: 0x804D4000
Size: 2042240 bytes

Driver: RAW
Address: 0x804D4000
Size: 2042240 bytes

Driver: WMIxWDM
Address: 0x804D4000
Size: 2042240 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1814528 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1814528 bytes

Driver: C:\WINDOWS\System32\Drivers\avg7core.sys
Address: 0xF3B68000
Size: 823296 bytes

Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xFBF8D000
Size: 737280 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
Address: 0xFC074000
Size: 610304 bytes

Driver: Ntfs.sys
Address: 0xFC67D000
Size: 565248 bytes

Driver: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030610.007\NavEx15.Sys
Address: 0xF29B8000
Size: 528384 bytes

Driver: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA18000
Size: 483328 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF3C31000
Size: 409600 bytes

Driver: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF3CE4000
Size: 335872 bytes

Driver: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xF347A000
Size: 331776 bytes

Driver: C:\WINDOWS\System32\Drivers\SAVRT.SYS
Address: 0xF319D000
Size: 262144 bytes

Driver: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBF9EA000
Size: 188416 bytes

Driver: ACPI.sys
Address: 0xFC79B000
Size: 180224 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xF3784000
Size: 176128 bytes

Driver: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xF389F000
Size: 176128 bytes

Driver: NDIS.sys
Address: 0xFC654000
Size: 167936 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF3C95000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF2530000
Size: 159744 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF3CBD000
Size: 159744 bytes

Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF3AA4000
Size: 147456 bytes

Driver: fasttx2k.sys
Address: 0xFC743000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9C8000
Size: 139264 bytes

Driver: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xFBF23000
Size: 139264 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xFC109000
Size: 139264 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF3992000
Size: 135168 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xFBF6C000
Size: 135168 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xFC041000
Size: 131072 bytes

Driver: ACPI_HAL
Address: 0x806C7000
Size: 127872 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806C7000
Size: 127872 bytes

Driver: ftdisk.sys
Address: 0xFC77C000
Size: 126976 bytes

Driver: C:\WINDOWS\system32\drivers\ialmsbw.sys
Address: 0xF3DAB000
Size: 114688 bytes

Driver: Mup.sys
Address: 0xFC63A000
Size: 106496 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ialmnt5.sys
Address: 0xFC13D000
Size: 94208 bytes

Driver: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Address: 0xFC72C000
Size: 94208 bytes

Driver: atapi.sys
Address: 0xFC766000
Size: 90112 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3A66000
Size: 90112 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xFBF56000
Size: 90112 bytes

Driver: C:\WINDOWS\system32\drivers\ialmkchw.sys
Address: 0xF3DC7000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF3337000
Size: 81920 bytes

Driver: KSecDD.sys
Address: 0xFC707000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xFC061000
Size: 77824 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF3162000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xFC12B000
Size: 73728 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBFF80000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xFBF45000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS
Address: 0xF34F3000
Size: 69632 bytes

Driver: sr.sys
Address: 0xFC71B000
Size: 69632 bytes

Driver: C:\Program Files\Symantec\SYMEVENT.SYS
Address: 0xF3286000
Size: 69632 bytes

Driver: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030610.007\NAVENG.Sys
Address: 0xF2D60000
Size: 65536 bytes

Driver: pci.sys
Address: 0xFC7E8000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xFC908000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\vsdatant.sys
Address: 0xF36FC000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF3B18000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xFC958000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xFCA08000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xFC948000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF32F7000
Size: 57344 bytes

Driver: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xFC918000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9BB000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xFC9E8000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xFC938000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xFC838000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xFC968000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xFC988000
Size: 49152 bytes

Driver: VolSnap.sys
Address: 0xFC818000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xFC928000
Size: 40960 bytes

Driver: MountMgr.sys
Address: 0xFC808000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xFC9C8000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xFC978000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xFC9A8000
Size: 40960 bytes

Driver: disk.sys
Address: 0xFC828000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xFCA38000
Size: 36864 bytes

Driver: isapnp.sys
Address: 0xFC7F8000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xFC998000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xFCA18000
Size: 36864 bytes

Driver: SISAGPX.sys
Address: 0xFC848000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xFCA28000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xFCAF0000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xFCB50000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\processr.sys
Address: 0xFCAD8000
Size: 32768 bytes

Driver: agp440.sys
Address: 0xFCA90000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\Drivers\avg7rsxp.sys
Address: 0xFCB68000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xFCAF8000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xFCB18000
Size: 28672 bytes

Driver: viaagp1.sys
Address: 0xFCA88000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xFCB08000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xFCB10000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xFCA68000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\PS2.sys
Address: 0xFCB00000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xFCB70000
Size: 24576 bytes

Driver: C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
Address: 0xFCBD8000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xFCB30000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xFCB48000
Size: 20480 bytes

Driver: nv_agp.sys
Address: 0xFCA80000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xFCA70000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xFCB20000
Size: 20480 bytes

Driver: PxHelp20.sys
Address: 0xFCA78000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xFCB28000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv31.SYS
Address: 0xFCB98000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xFCAE8000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xFCAE0000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xFCB40000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\asyncmac.sys
Address: 0xF39DF000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xFCC8C000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xFCC9C000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xF3D5A000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xFCBF8000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF3D52000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xFCC98000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xF3A17000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\pfc.sys
Address: 0xFCC90000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xFCCE4000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\srvkp.sys
Address: 0xFC15C000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
Address: 0xF3272000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\avg7rsw.sys
Address: 0xFCD10000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\avgtdi.sys
Address: 0xFCD86000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xFCD06000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFCD20000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xFCD04000
Size: 8192 bytes

Driver: intelide.sys
Address: 0xFCCEC000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xFCCE8000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xFCD08000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xFCD74000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xFCD0A000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xFCD00000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xFCCEA000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xFCE3E000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\avgclean.sys
Address: 0xFCE6B000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xFCEF4000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xFCE6A000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\socketlock.sys
Address: 0xFCE9F000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xFCE4D000
Size: 4096 bytes

==============================================
>Files

Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\System Volume Information\catalog.wci\00010013.ci Status: Hidden


Suspect File: C:\System Volume Information\catalog.wci\00010013.dir Status: Hidden


Suspect File: C:\System Volume Information\catalog.wci\00010014.ci Status: Hidden


Suspect File: C:\System Volume Information\catalog.wci\00010014.dir Status: Hidden


Suspect File: C:\System Volume Information\catalog.wci\00010015.ci Status: Hidden


Suspect File: C:\System Volume Information\catalog.wci\00010015.dir Status: Hidden


Suspect File: C:\System Volume Information\catalog.wci\00010016.ci Status: Hidden


Suspect File: C:\System Volume Information\catalog.wci\00010016.dir Status: Hidden

==============================================
>Hooks

ntoskrnl.exe-->atoi, Type: EAT modification at address 0x8065E43C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->atol, Type: EAT modification at address 0x8065E440 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isdigit, Type: EAT modification at address 0x8065E444 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->islower, Type: EAT modification at address 0x8065E448 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isprint, Type: EAT modification at address 0x8065E44C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isspace, Type: EAT modification at address 0x8065E450 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isupper, Type: EAT modification at address 0x8065E454 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->isxdigit, Type: EAT modification at address 0x8065E458 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->mbstowcs, Type: EAT modification at address 0x8065E45C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->mbtowc, Type: EAT modification at address 0x8065E460 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memchr, Type: EAT modification at address 0x8065E464 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memcpy, Type: EAT modification at address 0x8065E468 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memmove, Type: EAT modification at address 0x8065E46C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->memset, Type: EAT modification at address 0x8065E470 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->qsort, Type: EAT modification at address 0x8065E474 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->rand, Type: EAT modification at address 0x8065E478 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeFieldsToTime, Type: EAT modification at address 0x8065E000 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToElapsedTimeFields, Type: EAT modification at address 0x8065E004 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToSecondsSince1970, Type: EAT modification at address 0x8065E008 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToSecondsSince1980, Type: EAT modification at address 0x8065E00C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTimeToTimeFields, Type: EAT modification at address 0x8065E010 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseAdd, Type: EAT modification at address 0x8065E014 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseCreate, Type: EAT modification at address 0x8065E018 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseDestroy, Type: EAT modification at address 0x8065E01C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseEnumerate, Type: EAT modification at address 0x8065E020 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseFind, Type: EAT modification at address 0x8065E024 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseLock, Type: EAT modification at address 0x8065E028 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseUnlock, Type: EAT modification at address 0x8065E02C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlTraceDatabaseValidate, Type: EAT modification at address 0x8065E030 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToAnsiSize, Type: EAT modification at address 0x8065E034 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToAnsiString, Type: EAT modification at address 0x8065E038 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToCountedOemString, Type: EAT modification at address 0x8065E03C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToInteger, Type: EAT modification at address 0x8065E040 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToOemSize, Type: EAT modification at address 0x8065E044 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeStringToOemString, Type: EAT modification at address 0x8065E048 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToCustomCPN, Type: EAT modification at address 0x8065E04C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToMultiByteN, Type: EAT modification at address 0x8065E050 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToMultiByteSize, Type: EAT modification at address 0x8065E054 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnicodeToOemN, Type: EAT modification at address 0x8065E058 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnlockBootStatusData, Type: EAT modification at address 0x8065E05C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUnwind, Type: EAT modification at address 0x8065E060 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeChar, Type: EAT modification at address 0x8065E064 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeString, Type: EAT modification at address 0x8065E068 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeStringToAnsiString, Type: EAT modification at address 0x8065E06C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeStringToCountedOemString, Type: EAT modification at address 0x8065E070 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeStringToOemString, Type: EAT modification at address 0x8065E074 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeToCustomCPN, Type: EAT modification at address 0x8065E078 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeToMultiByteN, Type: EAT modification at address 0x8065E07C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpcaseUnicodeToOemN, Type: EAT modification at address 0x8065E080 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpperChar, Type: EAT modification at address 0x8065E084 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlUpperString, Type: EAT modification at address 0x8065E088 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlValidRelativeSecurityDescriptor, Type: EAT modification at address 0x8065E08C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlValidSecurityDescriptor, Type: EAT modification at address 0x8065E090 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlValidSid, Type: EAT modification at address 0x8065E094 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlVerifyVersionInfo, Type: EAT modification at address 0x8065E098 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlVolumeDeviceToDosName, Type: EAT modification at address 0x8065E09C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlWalkFrameChain, Type: EAT modification at address 0x8065E0A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlWriteRegistryValue, Type: EAT modification at address 0x8065E0A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxAnsiStringToUnicodeSize, Type: EAT modification at address 0x8065E0B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxOemStringToUnicodeSize, Type: EAT modification at address 0x8065E0B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxUnicodeStringToAnsiSize, Type: EAT modification at address 0x8065E0B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlxUnicodeStringToOemSize, Type: EAT modification at address 0x8065E0BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlZeroHeap, Type: EAT modification at address 0x8065E0A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->RtlZeroMemory, Type: EAT modification at address 0x8065E0AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAccessCheck, Type: EAT modification at address 0x8065E0C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAppendPrivileges, Type: EAT modification at address 0x8065E0C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAssignSecurity, Type: EAT modification at address 0x8065E0C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAssignSecurityEx, Type: EAT modification at address 0x8065E0CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditHardLinkCreation, Type: EAT modification at address 0x8065E0D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditingFileEvents, Type: EAT modification at address 0x8065E0D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditingFileOrGlobalEvents, Type: EAT modification at address 0x8065E0D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeAuditingHardLinkEvents, Type: EAT modification at address 0x8065E0DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCaptureSecurityDescriptor, Type: EAT modification at address 0x8065E0E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCaptureSubjectContext, Type: EAT modification at address 0x8065E0E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCloseObjectAuditAlarm, Type: EAT modification at address 0x8065E0E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCreateAccessState, Type: EAT modification at address 0x8065E0EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCreateClientSecurity, Type: EAT modification at address 0x8065E0F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeCreateClientSecurityFromSubjectContext, Type: EAT modification at address 0x8065E0F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeDeassignSecurity, Type: EAT modification at address 0x8065E0F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeDeleteAccessState, Type: EAT modification at address 0x8065E0FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeDeleteObjectAuditAlarm, Type: EAT modification at address 0x8065E100 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeExports, Type: EAT modification at address 0x8065E104 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeFilterToken, Type: EAT modification at address 0x8065E108 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeFreePrivileges, Type: EAT modification at address 0x8065E10C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeImpersonateClient, Type: EAT modification at address 0x8065E110 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeImpersonateClientEx, Type: EAT modification at address 0x8065E114 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeLockSubjectContext, Type: EAT modification at address 0x8065E118 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeMarkLogonSessionForTerminationNotification, Type: EAT modification at address 0x8065E11C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeOpenObjectAuditAlarm, Type: EAT modification at address 0x8065E120 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeOpenObjectForDeleteAuditAlarm, Type: EAT modification at address 0x8065E124 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SePrivilegeCheck, Type: EAT modification at address 0x8065E128 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SePrivilegeObjectAuditAlarm, Type: EAT modification at address 0x8065E12C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SePublicDefaultDacl, Type: EAT modification at address 0x8065E130 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQueryAuthenticationIdToken, Type: EAT modification at address 0x8065E134 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQueryInformationToken, Type: EAT modification at address 0x8065E138 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQuerySecurityDescriptorInfo, Type: EAT modification at address 0x8065E13C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeQuerySessionIdToken, Type: EAT modification at address 0x8065E140 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeRegisterLogonSessionTerminatedRoutine, Type: EAT modification at address 0x8065E144 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeReleaseSecurityDescriptor, Type: EAT modification at address 0x8065E148 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeReleaseSubjectContext, Type: EAT modification at address 0x8065E14C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSetAccessStateGenericMapping, Type: EAT modification at address 0x8065E150 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSetSecurityDescriptorInfo, Type: EAT modification at address 0x8065E154 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSetSecurityDescriptorInfoEx, Type: EAT modification at address 0x8065E158 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSinglePrivilegeCheck, Type: EAT modification at address 0x8065E15C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeSystemDefaultDacl, Type: EAT modification at address 0x8065E160 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenImpersonationLevel, Type: EAT modification at address 0x8065E164 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenIsAdmin, Type: EAT modification at address 0x8065E168 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenIsRestricted, Type: EAT modification at address 0x8065E16C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenObjectType, Type: EAT modification at address 0x8065E170 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeTokenType, Type: EAT modification at address 0x8065E174 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeUnlockSubjectContext, Type: EAT modification at address 0x8065E178 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeUnregisterLogonSessionTerminatedRoutine, Type: EAT modification at address 0x8065E17C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->SeValidSecurityDescriptor, Type: EAT modification at address 0x8065E180 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->sprintf, Type: EAT modification at address 0x8065E47C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->srand, Type: EAT modification at address 0x8065E480 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strcat, Type: EAT modification at address 0x8065E484 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strchr, Type: EAT modification at address 0x8065E488 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strcmp, Type: EAT modification at address 0x8065E48C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strcpy, Type: EAT modification at address 0x8065E490 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strlen, Type: EAT modification at address 0x8065E494 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strncat, Type: EAT modification at address 0x8065E498 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strncmp, Type: EAT modification at address 0x8065E49C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strncpy, Type: EAT modification at address 0x8065E4A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strrchr, Type: EAT modification at address 0x8065E4A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strspn, Type: EAT modification at address 0x8065E4A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->strstr, Type: EAT modification at address 0x8065E4AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->swprintf, Type: EAT modification at address 0x8065E4B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->tolower, Type: EAT modification at address 0x8065E4B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->toupper, Type: EAT modification at address 0x8065E4B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->towlower, Type: EAT modification at address 0x8065E4BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->towupper, Type: EAT modification at address 0x8065E4C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->vDbgPrintEx, Type: EAT modification at address 0x8065E4C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->vDbgPrintExWithPrefix, Type: EAT modification at address 0x8065E4C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VerSetConditionMask, Type: EAT modification at address 0x8065E184 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfFailDeviceNode, Type: EAT modification at address 0x8065E188 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfFailDriver, Type: EAT modification at address 0x8065E18C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfFailSystemBIOS, Type: EAT modification at address 0x8065E190 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->VfIsVerificationEnabled, Type: EAT modification at address 0x8065E194 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->vsprintf, Type: EAT modification at address 0x8065E4CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscat, Type: EAT modification at address 0x8065E4D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcschr, Type: EAT modification at address 0x8065E4D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscmp, Type: EAT modification at address 0x8065E4D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscpy, Type: EAT modification at address 0x8065E4DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcscspn, Type: EAT modification at address 0x8065E4E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcslen, Type: EAT modification at address 0x8065E4E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsncat, Type: EAT modification at address 0x8065E4E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsncmp, Type: EAT modification at address 0x8065E4EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsncpy, Type: EAT modification at address 0x8065E4F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsrchr, Type: EAT modification at address 0x8065E4F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsspn, Type: EAT modification at address 0x8065E4F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcsstr, Type: EAT modification at address 0x8065E4FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wcstombs, Type: EAT modification at address 0x8065E500 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->wctomb, Type: EAT modification at address 0x8065E504 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiFlushTrace, Type: EAT modification at address 0x8065E1B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiQueryTrace, Type: EAT modification at address 0x8065E1B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiQueryTraceInformation, Type: EAT modification at address 0x8065E1B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiStartTrace, Type: EAT modification at address 0x8065E1BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiStopTrace, Type: EAT modification at address 0x8065E1C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiTraceMessage, Type: EAT modification at address 0x8065E1C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiTraceMessageVa, Type: EAT modification at address 0x8065E1C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WmiUpdateTrace, Type: EAT modification at address 0x8065E1CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_BUFFER_UCHAR, Type: EAT modification at address 0x8065E198 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_BUFFER_ULONG, Type: EAT modification at address 0x8065E19C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_BUFFER_USHORT, Type: EAT modification at address 0x8065E1A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_UCHAR, Type: EAT modification at address 0x8065E1A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_ULONG, Type: EAT modification at address 0x8065E1A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->WRITE_REGISTER_USHORT, Type: EAT modification at address 0x8065E1AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->XIPDispatch, Type: EAT modification at address 0x8065E1D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAccessCheckAndAuditAlarm, Type: EAT modification at address 0x8065E1D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAddBootEntry, Type: EAT modification at address 0x8065E1D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAdjustPrivilegesToken, Type: EAT modification at address 0x8065E1DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAlertThread, Type: EAT modification at address 0x8065E1E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAllocateVirtualMemory, Type: EAT modification at address 0x8065E1E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwAssignProcessToJobObject, Type: EAT modification at address 0x8065E1E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCancelIoFile, Type: EAT modification at address 0x8065E1EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCancelTimer, Type: EAT modification at address 0x8065E1F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwClearEvent, Type: EAT modification at address 0x8065E1F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwClose, Type: EAT modification at address 0x8065E1F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCloseObjectAuditAlarm, Type: EAT modification at address 0x8065E1FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwConnectPort, Type: EAT modification at address 0x8065E200 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateDirectoryObject, Type: EAT modification at address 0x8065E204 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateEvent, Type: EAT modification at address 0x8065E208 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateFile, Type: EAT modification at address 0x8065E20C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateJobObject, Type: EAT modification at address 0x8065E210 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateKey, Type: EAT modification at address 0x8065E214 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateSection, Type: EAT modification at address 0x8065E218 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateSymbolicLinkObject, Type: EAT modification at address 0x8065E21C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateTimer, Type: EAT modification at address 0x8065E220 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteBootEntry, Type: EAT modification at address 0x8065E224 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteFile, Type: EAT modification at address 0x8065E228 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteKey, Type: EAT modification at address 0x8065E22C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeleteValueKey, Type: EAT modification at address 0x8065E230 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDeviceIoControlFile, Type: EAT modification at address 0x8065E234 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDisplayString, Type: EAT modification at address 0x8065E238 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDuplicateObject, Type: EAT modification at address 0x8065E23C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwDuplicateToken, Type: EAT modification at address 0x8065E240 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwEnumerateBootEntries, Type: EAT modification at address 0x8065E244 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwEnumerateKey, Type: EAT modification at address 0x8065E248 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwEnumerateValueKey, Type: EAT modification at address 0x8065E24C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFlushInstructionCache, Type: EAT modification at address 0x8065E250 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFlushKey, Type: EAT modification at address 0x8065E254 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFlushVirtualMemory, Type: EAT modification at address 0x8065E258 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFreeVirtualMemory, Type: EAT modification at address 0x8065E25C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwFsControlFile, Type: EAT modification at address 0x8065E260 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwInitiatePowerAction, Type: EAT modification at address 0x8065E264 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwIsProcessInJob, Type: EAT modification at address 0x8065E268 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwLoadDriver, Type: EAT modification at address 0x8065E26C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwLoadKey, Type: EAT modification at address 0x8065E270 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwMakeTemporaryObject, Type: EAT modification at address 0x8065E274 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwMapViewOfSection, Type: EAT modification at address 0x8065E278 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwNotifyChangeKey, Type: EAT modification at address 0x8065E27C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenDirectoryObject, Type: EAT modification at address 0x8065E280 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenEvent, Type: EAT modification at address 0x8065E284 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenFile, Type: EAT modification at address 0x8065E288 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenJobObject, Type: EAT modification at address 0x8065E28C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenKey, Type: EAT modification at address 0x8065E290 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenProcess, Type: EAT modification at address 0x8065E294 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenProcessToken, Type: EAT modification at address 0x8065E298 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenProcessTokenEx, Type: EAT modification at address 0x8065E29C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenSection, Type: EAT modification at address 0x8065E2A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenSymbolicLinkObject, Type: EAT modification at address 0x8065E2A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenThread, Type: EAT modification at address 0x8065E2A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenThreadToken, Type: EAT modification at address 0x8065E2AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenThreadTokenEx, Type: EAT modification at address 0x8065E2B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwOpenTimer, Type: EAT modification at address 0x8065E2B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwPowerInformation, Type: EAT modification at address 0x8065E2B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwPulseEvent, Type: EAT modification at address 0x8065E2BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryBootEntryOrder, Type: EAT modification at address 0x8065E2C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryBootOptions, Type: EAT modification at address 0x8065E2C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDefaultLocale, Type: EAT modification at address 0x8065E2C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDefaultUILanguage, Type: EAT modification at address 0x8065E2CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDirectoryFile, Type: EAT modification at address 0x8065E2D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryDirectoryObject, Type: EAT modification at address 0x8065E2D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryEaFile, Type: EAT modification at address 0x8065E2D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryFullAttributesFile, Type: EAT modification at address 0x8065E2DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationFile, Type: EAT modification at address 0x8065E2E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationJobObject, Type: EAT modification at address 0x8065E2E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationProcess, Type: EAT modification at address 0x8065E2E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationThread, Type: EAT modification at address 0x8065E2EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInformationToken, Type: EAT modification at address 0x8065E2F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryInstallUILanguage, Type: EAT modification at address 0x8065E2F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryKey, Type: EAT modification at address 0x8065E2F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryObject, Type: EAT modification at address 0x8065E2FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySection, Type: EAT modification at address 0x8065E300 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySecurityObject, Type: EAT modification at address 0x8065E304 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySymbolicLinkObject, Type: EAT modification at address 0x8065E308 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySystemInformation, Type: EAT modification at address 0x8065E30C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryValueKey, Type: EAT modification at address 0x8065E310 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQueryVolumeInformationFile, Type: EAT modification at address 0x8065E314 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwReadFile, Type: EAT modification at address 0x8065E318 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwReplaceKey, Type: EAT modification at address 0x8065E31C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwRequestWaitReplyPort, Type: EAT modification at address 0x8065E320 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwResetEvent, Type: EAT modification at address 0x8065E324 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwRestoreKey, Type: EAT modification at address 0x8065E328 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSaveKey, Type: EAT modification at address 0x8065E32C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSaveKeyEx, Type: EAT modification at address 0x8065E330 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetBootEntryOrder, Type: EAT modification at address 0x8065E334 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetBootOptions, Type: EAT modification at address 0x8065E338 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetDefaultLocale, Type: EAT modification at address 0x8065E33C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetDefaultUILanguage, Type: EAT modification at address 0x8065E340 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetEaFile, Type: EAT modification at address 0x8065E344 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetEvent, Type: EAT modification at address 0x8065E348 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationFile, Type: EAT modification at address 0x8065E34C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationJobObject, Type: EAT modification at address 0x8065E350 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationObject, Type: EAT modification at address 0x8065E354 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationProcess, Type: EAT modification at address 0x8065E358 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetInformationThread, Type: EAT modification at address 0x8065E35C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetSecurityObject, Type: EAT modification at address 0x8065E360 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetSystemInformation, Type: EAT modification at address 0x8065E364 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetSystemTime, Type: EAT modification at address 0x8065E368 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetTimer, Type: EAT modification at address 0x8065E36C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetValueKey, Type: EAT modification at address 0x8065E370 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwSetVolumeInformationFile, Type: EAT modification at address 0x8065E374 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwTerminateJobObject, Type: EAT modification at address 0x8065E378 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwTerminateProcess, Type: EAT modification at address 0x8065E37C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwTranslateFilePath, Type: EAT modification at address 0x8065E380 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwUnloadDriver, Type: EAT modification at address 0x8065E384 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwUnloadKey, Type: EAT modification at address 0x8065E388 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwUnmapViewOfSection, Type: EAT modification at address 0x8065E38C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwWaitForMultipleObjects, Type: EAT modification at address 0x8065E390 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwWaitForSingleObject, Type: EAT modification at address 0x8065E394 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwWriteFile, Type: EAT modification at address 0x8065E398 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwYieldExecution, Type: EAT modification at address 0x8065E39C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_abnormal_termination, Type: EAT modification at address 0x8065E3AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_alldiv, Type: EAT modification at address 0x8065E3B0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_alldvrm, Type: EAT modification at address 0x8065E3B4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allmul, Type: EAT modification at address 0x8065E3B8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_alloca_probe, Type: EAT modification at address 0x8065E3BC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allrem, Type: EAT modification at address 0x8065E3C0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allshl, Type: EAT modification at address 0x8065E3C4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_allshr, Type: EAT modification at address 0x8065E3C8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aulldiv, Type: EAT modification at address 0x8065E3CC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aulldvrm, Type: EAT modification at address 0x8065E3D0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aullrem, Type: EAT modification at address 0x8065E3D4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_aullshr, Type: EAT modification at address 0x8065E3D8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_CIcos, Type: EAT modification at address 0x8065E3A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_CIsin, Type: EAT modification at address 0x8065E3A4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_CIsqrt, Type: EAT modification at address 0x8065E3A8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_except_handler2, Type: EAT modification at address 0x8065E3DC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_except_handler3, Type: EAT modification at address 0x8065E3E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_global_unwind2, Type: EAT modification at address 0x8065E3E4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_itoa, Type: EAT modification at address 0x8065E3E8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_itow, Type: EAT modification at address 0x8065E3EC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_local_unwind2, Type: EAT modification at address 0x8065E3F0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_purecall, Type: EAT modification at address 0x8065E3F4 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_snprintf, Type: EAT modification at address 0x8065E3F8 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_snwprintf, Type: EAT modification at address 0x8065E3FC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_stricmp, Type: EAT modification at address 0x8065E400 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strlwr, Type: EAT modification at address 0x8065E404 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strnicmp, Type: EAT modification at address 0x8065E408 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strnset, Type: EAT modification at address 0x8065E40C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strrev, Type: EAT modification at address 0x8065E410 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strset, Type: EAT modification at address 0x8065E414 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_strupr, Type: EAT modification at address 0x8065E418 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_vsnprintf, Type: EAT modification at address 0x8065E41C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_vsnwprintf, Type: EAT modification at address 0x8065E420 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsicmp, Type: EAT modification at address 0x8065E424 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcslwr, Type: EAT modification at address 0x8065E428 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsnicmp, Type: EAT modification at address 0x8065E42C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsnset, Type: EAT modification at address 0x8065E430 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsrev, Type: EAT modification at address 0x8065E434 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->_wcsupr, Type: EAT modification at address 0x8065E438 hook handler located in [ntoskrnl.exe]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
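The RootkitUnhooker list above reports an "EAT modification" for every export of ntoskrnl.exe, and in every line the hook handler is located in ntoskrnl.exe itself. An export address table is an array of 32-bit RVAs, one 4-byte slot per export, and a genuine EAT hook rewrites a slot so it points at code in some other module (a rootkit driver). An entry whose handler is the exporting module means the scanner's in-memory view of the table disagrees with its reference copy of the image, not that a foreign driver has redirected the export. The script below is an added example, not part of the thread and not RKU's own code: it parses lines in the format shown above, separates cross-module hooks from self-referential ones, and checks whether the reported addresses step through the table in 4-byte slots. The sample input reproduces five lines from the log above plus one constructed line whose handler is a hypothetical driver name, example_bad.sys, which does not appear anywhere on this page.

```python
"""Triage RootkitUnhooker (RKU) 'EAT modification' lines.

A real EAT hook points an export slot at code in *another* module. Entries whose
'hook handler' is the exporting module itself are the tool disagreeing with its
own reference copy of the image, which is a scanner artefact, not a foreign hook.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: five lines copied from the log in this thread, plus one
# made-up line (hypothetical module name example_bad.sys) to show a real hit.
SAMPLE_LOG = """\
ntoskrnl.exe-->ZwCreateFile, Type: EAT modification at address 0x8065E20C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateJobObject, Type: EAT modification at address 0x8065E210 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateKey, Type: EAT modification at address 0x8065E214 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateSection, Type: EAT modification at address 0x8065E218 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwCreateSymbolicLinkObject, Type: EAT modification at address 0x8065E21C hook handler located in [ntoskrnl.exe]
ntoskrnl.exe-->ZwQuerySystemInformation, Type: EAT modification at address 0x8065E30C hook handler located in [example_bad.sys]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

LINE_RE = re.compile(
    r"^(?P<module>.+?)-->(?P<export>[^,]+), Type: (?P<kind>.+?) at address "
    r"0x(?P<addr>[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]\s*$"
)


@dataclass(frozen=True)
class Hook:
    module: str    # image that exports the function
    export: str    # exported symbol name
    kind: str      # RKU's hook type, e.g. 'EAT modification'
    addr: int      # address RKU reported (the EAT slot, not the handler)
    handler: str   # module RKU says the slot now points into

    @property
    def self_referential(self) -> bool:
        # Handler lives inside the very module that exports the function.
        return self.handler.lower() == self.module.lower()


def parse_rku_log(text: str) -> list[Hook]:
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and banners such as the 'POSSIBLE ROOTKIT ACTIVITY' one
        hooks.append(Hook(m["module"], m["export"], m["kind"], int(m["addr"], 16), m["handler"]))
    return hooks


def cross_module_hooks(hooks: list[Hook]) -> list[Hook]:
    """The entries worth chasing: export redirected into a different module."""
    return [h for h in hooks if not h.self_referential]


def slot_strides(hooks: list[Hook]) -> Counter:
    """Gaps between consecutive reported addresses of the self-referential entries.

    On 32-bit Windows the EAT is an array of 4-byte RVAs, so a scanner that is
    flagging the whole table produces addresses that step by multiples of 4.
    """
    addrs = sorted({h.addr for h in hooks if h.self_referential})
    return Counter(b - a for a, b in zip(addrs, addrs[1:]))


def triage(text: str) -> dict:
    hooks = parse_rku_log(text)
    strides = slot_strides(hooks)
    return {
        "total": len(hooks),
        "self_referential": sum(h.self_referential for h in hooks),
        "cross_module": [(h.export, h.handler) for h in cross_module_hooks(hooks)],
        "looks_like_eat_walk": bool(strides) and all(gap % 4 == 0 for gap in strides),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log in this thread the script reports zero cross-module entries, which is why a practitioner would read that RKU output as the scanner disagreeing with itself about ntoskrnl.exe rather than as evidence of a kernel hook; a single entry pointing into an unfamiliar driver is the case that deserves attention.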

#5 -David-

Posted 20 July 2007 - 03:07 AM

Hey there midgie,

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause false alarms - When the anti virus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either AVG or Symantec/Norton.

By the looks of things, AVG is complete and working; parts of Symantec are missing.
If you have a problem with the Symantec/Norton uninstallers, please let me know - they often don't work.
There should be two separate uninstallers for Norton and Symantec, make sure you remove both!

These 'suspect files' look harmless to me:

Suspect File: C:\System Volume Information\catalog.wci\00010013.dir Status: Hidden

They appear to be in System Restore; I cannot see them being rootkit files.

Oh, and another question: can you tell me whether cloaker.exe is something you knowingly use?
I'm seeing it installed with HP printers and other software, but I don't really know what it does. This is what HP.com says:

Cloaker.exe is an internal program that runs in the background masking other running processes during the recovery.

Maybe this is what is being flagged as rootkit activity.

If any of the logs are too big to fit in a single post (there is a limit), you can upload it here:
http://www.bleepingcomputer.com/submit-malware.php?channel=5

Then, download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Let me know how you get on...

#6 midgie

Posted 20 July 2007 - 05:57 AM

Thanks for the speedy reply D_T!!!
This may take a day or so on my part.... if even possible...
I'm on dial-up and d/l speed is 2 to 3kb per sec!!!!!!
I gave up downloading that activeX before as it kept hanging up this machine....
will try again...........
have used gmer but could not make heads nor tails of it

cloaker is another nasty file put in by HP!
Even tho I shred it and all its clones first thing up, its ghost shows up in HJT...
and any file or process that is linked with it cannot be deleted or fixed by HJT!!!!
Next reformat I'll copy the inside of one for you - it is gone from this machine now and use is probably just a link from the registry......

Also that System Volume Information folder and the files in there I do consider suspect, as earlier the folder was empty and I could access it. Now I cannot even access it as admin in safe mode. RKU cannot touch any of those files tho it can see them - and cannot wipe them clean!!! AVG claims to have found its pet trojan in there!!! I'll try disabling restore and see if they disappear......

Norton was not set up on those last scans - tho some files were automatic as it came also with the HP junk! I just had not gotten around to deleting it yet.... it is nothing but a nuisance!!! I am now wondering about AVG ??? Google - Trojan Horse AHeur.apy....... Everybody is finding that thing and AVG has admitted it is a false positive!!! I've always used AVG..... alone....

What else??? Uhhhhhh.......
I'm burned out..........
Will get back as soon as I can!

Thanks a million for your help friend!!!!

Midgie

#7 -David-

Posted 20 July 2007 - 07:10 AM

Not a problem, post the logs when you can.

However, if you've reformatted Windows, you should have a clean PC - nothing can survive a format unless it is deeply rooted into your system/hardware, which is very unlikely as it almost never happens nowadays. I just want to say this; make sure you don't start getting paranoid - rootkits like this are rare, and make sure you open your mind to other causes of the problems you are having. A lot of people I have dealt with put all problems down to a rootkit.

For example, backweb is installed with a lot of applications without even telling you - that's why you still eventually find it on your PC even if you don't think you installed it yourself. You are starting to ruin your PC I'm afraid. Have a look at what you have running actively at the moment:

TeaTimer, BOClean, AVG, Symantec, ZoneAlarm, Ad-Aware and Comodo.

Your PC cannot take all that active protection and it's going to cause instability, and errors.
You need to choose 1 firewall (eg zone alarm), 1 antivirus (AVG) and 1 antispyware (spybot)
Anything more than that and your system will eventually go into meltdown.

#8 midgie

Posted 21 July 2007 - 12:05 PM

Good advice D-T, re the scanners. I will shut some of them down.
However there still is something in here and it was just recently using BackWeb..
Found several files where it was printing remotely my notepad and emails!!!
I managed to get all the BW files out of here - I think...
My intent is to keep it from getting in and out with my data until it can be found!
My concern is that it still has an open port/set-up server - above 1500 that I cannot see or close...

You see, I have to get this thing out of here by IDing and tossing it because I cannot do a true low-level format - which would get rid of it! There is no true DOS in this machine and I have no pure Windows disc or DOS and drivers on a CD! I live very remote and help is not possible right now.... What HP/Compaq calls a reformat with their 8 discs of junk - is NOT! It always comes back up with my previous settings before going default! and that Trojan whatever comes back with it - minus its installed files I guess!!!

This thing has been using networking crap on MY pc all along - view the screen shot attachments where I have just recently been able to screw up their efforts!! These attempts came AFTER AVG found and deleted the following trojan .....Trojan horse IRC/Back Door SdBot3.CHM .............from my backup HD! So something is still in here!!! I just found a whole set of files to be printed remotely or they had been printed - and reference to fax, tho I had disabled fax files..... I have never used any of this remote or sharing stuff!!!!!!!!! or a LAN, messenger, or other networking stuff!!!!!!!!!!! And no one else has ever touched this computer....

I think buffer overrun or a hole in win or ie is how the danged thing got in...............

Midgie

OOOps...........
I can't upload here!!!! It hangs......
a 10 minute wait for a 100kb file - while it just hangs is absurd

#9 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 21 July 2007 - 06:11 PM

Did you try uploading the files at the link given? Have you tried posting them individually here?

#10 midgie

midgie
  • Topic Starter

  • Members
  • 10 posts

Posted 22 July 2007 - 11:44 AM

Good evening D-T!
It's morning here - CA :thumbsup:

I just uploaded 3 screen shots to the link...
It was the email attachments here that would not work for me....

Just wanted you to glance at them as I think they show thwarted efforts by that thing....
I think I have been able to separate that malware file from its puppeteer....
and (hopefully) prevented its attempts to d/l anymore harassing junk into this pc - for now....
Knock wood!!! I have not been grossly interfered with for a few days now....
But the base file is still in here and they will continue to try to reconnect!!!
There are many suspect probes shown in ZA>>>>

I tossed a lot more stuff from this machine and turned off at least half of the services (of those I can
even get to!) with the help of online guides. RKU is now showing 0 hooked files!!! Tho 2 hidden ones
are still there! I also cleaned up the registry...

Maybe now I will be able to get that activeX file <BG>

The latest HJ is below....

You have a lovely evening!!!!!

Midgie


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:11 AM, on 7/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\11111\AA\aawservice.exe
C:\11111\AVG\avgamsvr.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\minilog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\11111\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: ZoneAlarm.lnk = C:\11111\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{256FB944-9EE2-4A4E-9454-D6D6372A2063}: NameServer = 205.208.227.13 205.208.227.14
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\11111\AA\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\11111\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\11111\AVG\avgupsvc.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3100 bytes

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 22 July 2007 - 03:02 PM

I'm not entirely sure I know what you uploaded there, can you explain?
What happened to the GMER or Kaspersky results, they're important..

#12 midgie

midgie
  • Topic Starter

  • Members
  • 10 posts

Posted 23 July 2007 - 12:11 PM

I'm not entirely sure I know what you uploaded there, can you explain?
What happened to the GMER or Kaspersky results, they're important..



I think they show some (stopped) interaction with some NETWORK set up behind my back in here!
Was hoping you could confirm that...............guess not........

Here is Kasper... Was an all night vigil .... stopped by my isp after almost 5 hrs....
would not continue with a re-dial-up.... Only 33% of pc scanned....

I'm searching for info on this thing with many names........

Why are so many of my files locked to the scanner???....
Has Spybot been compromised??

I will run again - just one drive at a time............

Midgie

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 23, 2007 10:06:37 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 23/07/2007
Kaspersky Anti-Virus database records: 366690
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 59182
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 04:57:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots\RegGBP2b-Global.reg Infected: Trojan.WinREG.StartPage skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\YOUR-LK4RLMSU41.ldb Object is locked skipped
C:\WINDOWS\ModemLog_Lucent Win Modem.txt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan was interrupted by user!
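midgie asks why so many files are locked to the scanner and whether Spybot has been compromised. The script below is an added example, not part of the thread: it splits a Kaspersky Online Scanner report into locked and infected objects, checks each locked path against patterns for files the running OS and installed products are expected to hold open (registry hives, event logs, IE index.dat, the WMI repository, AV and firewall logs), and separates detections inside data-only files from detections in executable content. The excerpt is copied from the posted report with one constructed line (an oddname.tmp under WINDOWS\Temp) added to show an unexpected lock. The lock patterns and the data-only extension list are assumptions, and the reading that a detection in a .reg snapshot records a registry value the backup contains rather than a running infection is an interpretation offered here, not something the thread states.

```python
r"""Triage a Kaspersky Online Scanner (v5) report: expected locks vs. real findings.

Added example, not from the BleepingComputer thread. Report lines are copied
from the posted scan; the C:\WINDOWS\Temp\oddname.tmp line is constructed.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots\RegGBP2b-Global.reg Infected: Trojan.WinREG.StartPage skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\oddname.tmp Object is locked skipped

Scan was interrupted by user!
"""

LOCKED_SUFFIX = " Object is locked skipped"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")

# Paths that Windows XP or the installed products keep open while running.
# Assumed list for this example; extend it per machine.
EXPECTED_LOCKS = [
    (re.compile(r"\\system32\\config\\", re.I), "registry hive or event log"),
    (re.compile(r"\\ntuser\.dat(\.log)?$", re.I), "user registry hive"),
    (re.compile(r"\\usrclass\.dat(\.log)?$", re.I), "user class registry hive"),
    (re.compile(r"\\index\.dat$", re.I), "IE cache/history/cookie index"),
    (re.compile(r"\\wbem\\repository\\", re.I), "WMI repository"),
    (re.compile(r"avg7log\.log(\.lck)?$|\\Internet Logs\\|\\Debug\\|ModemLog|h323log", re.I),
     "antivirus, firewall or system log"),
]

# A detection in one of these file types describes stored data (e.g. a saved
# registry value), not code that can run on its own. Assumed for the example.
DATA_ONLY_SUFFIXES = {".reg", ".log", ".txt"}


def parse_report(text):
    """Split report lines into locked paths and (path, name, action) findings."""
    locked, infected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(LOCKED_SUFFIX):
            locked.append(line[: -len(LOCKED_SUFFIX)])
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected.append((m["path"], m["name"], m["action"]))
    return locked, infected


def classify_locked(paths):
    """Map each locked path to the reason it is expected, or list it as unexpected."""
    expected, unexpected = {}, []
    for path in paths:
        for pattern, reason in EXPECTED_LOCKS:
            if pattern.search(path):
                expected[path] = reason
                break
        else:
            unexpected.append(path)
    return expected, unexpected


def triage_infected(findings):
    """Tag each finding as data-only or executable-content by file type."""
    out = []
    for path, name, action in findings:
        suffix = PureWindowsPath(path).suffix.lower()
        verdict = "data-only" if suffix in DATA_ONLY_SUFFIXES else "executable-content"
        out.append((path, name, action, verdict))
    return out


if __name__ == "__main__":
    locked, infected = parse_report(SAMPLE_REPORT)
    expected, unexpected = classify_locked(locked)
    print(f"{len(expected)} expected locks, {len(unexpected)} to check: {unexpected}")
    for path, name, action, verdict in triage_infected(infected):
        print(f"{verdict}: {name} in {path} ({action})")
```

Unexpected locks are worth a look with a handle viewer or a scan from a boot CD; expected ones are just the OS doing its job. A data-only hit tells you what the file contains, so the next step is to open the Spybot snapshot and see which start-page value it preserved, then clear the backup rather than treat it as a live infection.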

#13 midgie

midgie
  • Topic Starter

  • Members
  • 10 posts

Posted 23 July 2007 - 01:37 PM

GMER Log

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-07-23 11:24:26
Windows 5.1.2600 Service Pack 1


---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [FCF27658] socketlock.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FCD7C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [FCF27658] socketlock.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FCD7C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [FCF27658] socketlock.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FCD7C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [FCF27658] socketlock.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FCD7C85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [FCF27658] socketlock.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [FCD7C85A] avgtdi.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [F3EBF620] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [F3EBF620] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [F3EBF620] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [F3EBF320] vsdatant.sys

---- Files - GMER 1.0.12 ----

File C:\11111\AVG\
File C:\11111\gmer\
File C:\11111\ZoneAlarm\
File C:\Documents and Settings\
File C:\hp\
File C:\Program Files\
File C:\Python22\
File C:\WINDOWS\

---- EOF - GMER 1.0.12 ----
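Bobbi reads the GMER log as clean because every TDI/AFD hook it lists belongs to an installed firewall or antivirus driver. The script below, an added example that is not part of the original thread, parses the Devices section of a GMER 1.0.12 log and attributes each hook to a product from a small driver list; any hooking module missing from the list is reported for manual attribution. The list is an assumption: vsdatant.sys is ZoneAlarm's TrueVector driver and avgtdi.sys is AVG's TDI filter, socketlock.sys is deliberately left out so the script flags it (the thread says Comodo and BOClean were also running; confirm the owner from the driver's vendor signature), and the xyzdrv.sys line is constructed and added to the excerpt to show an unknown hook.

```python
"""Attribute GMER 'Devices' hooks to their owning drivers.

Added example (not from the BleepingComputer thread). Excerpt lines are copied
from the posted GMER 1.0.12 log; the xyzdrv.sys line is constructed.
"""
import re
from collections import defaultdict

SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [FCF27658] socketlock.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F3EBFD30] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FCD7C85A] avgtdi.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [F3EBF320] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F8A01234] xyzdrv.sys

---- Files - GMER 1.0.12 ----
"""

# Assumed driver -> product map. Only drivers you can tie to an installed,
# vendor-signed product belong here; anything else is reported, not excused.
KNOWN_DRIVERS = {
    "vsdatant.sys": "ZoneAlarm TrueVector firewall driver",
    "avgtdi.sys": "AVG 7 TDI network filter",
}

# One GMER device line: Device <driver> <device> <entry point> [<addr>] <module>
HOOK_RE = re.compile(
    r"^Device\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<entry>\S+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$"
)


def parse_device_hooks(log_text):
    """Return one dict per hook line inside the '---- Devices' section."""
    hooks, in_devices = [], False
    for line in log_text.splitlines():
        if line.startswith("---- Devices"):
            in_devices = True
            continue
        if in_devices and line.startswith("----"):
            break  # next section begins
        if in_devices:
            m = HOOK_RE.match(line)
            if m:
                hooks.append(m.groupdict())
    return hooks


def attribute_hooks(hooks, known=KNOWN_DRIVERS):
    """Group hooks by module; modules outside the list are UNATTRIBUTED."""
    by_module = defaultdict(lambda: {"product": "UNATTRIBUTED", "entries": []})
    for h in hooks:
        mod = h["module"].lower()
        by_module[mod]["product"] = known.get(mod, "UNATTRIBUTED")
        by_module[mod]["entries"].append((h["device"], h["entry"], h["addr"]))
    return dict(by_module)


def unattributed_modules(hooks, known=KNOWN_DRIVERS):
    """Modules hooking the network stack that the list cannot explain."""
    return sorted({h["module"].lower() for h in hooks} - set(known))


def report(log_text, known=KNOWN_DRIVERS):
    """Human-readable summary, one line per module plus its hooked entry points."""
    lines = []
    attributed = attribute_hooks(parse_device_hooks(log_text), known)
    for mod, rec in sorted(attributed.items()):
        lines.append(f"{mod}: {rec['product']} ({len(rec['entries'])} hooks)")
        for device, entry, addr in rec["entries"]:
            lines.append(f"    {device} {entry} @ {addr}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GMER)))
    print("check manually:", unattributed_modules(parse_device_hooks(SAMPLE_GMER)))
```

Hooks on \Device\Tcp, \Device\Udp and \Device\Afd are exactly where a personal firewall or AV network filter sits, so the question is never "is the stack hooked" but "does every hooking module belong to a product I installed". The single unattributed module here is the thread to pull on; a rootkit would typically also show up under "Kernel code sections" or as hidden files, which this log does not.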

#14 Bobbi Flekman

Bobbi Flekman

    The computer whisperer


  • Malware Response Team
  • 4,422 posts
  • Gender:Male

Posted 25 July 2007 - 03:37 AM

Hi midgie,

DTrojanator has gone on vacation, and has asked me to take a look at your log.

These logs all look clean. Have you executed the instructions DTrojanator gave you regarding the overabundance of security programs on your computer? Because personally I have a feeling that that is your problem.

Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis. Click "Config"->"Misc Tools"->"Open Uninstall Manager" ->"Save List".
Save the log to a convenient location, and copy it into this thread.



