

Invisible rootkit


24 replies to this topic

#1 hans (Zimien, 8 posts)

Posted 05 September 2008 - 01:40

Hello,
I have a rootkit or some malware on my computer. I have used several programs, including RkUnhooker, to detect it. I'll give you the report I got from this program. Among other things, this damned malware captures every keystroke on the keyboard and sends them off to whoever. Even after I reformat my system, it gets through easily. I've been told that the attackers use a USB key to log on to my system.
Here is what RkUnhooker found:

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.8.341.552
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtConnectPort
Actual Address 0xACF22040
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateFile
Actual Address 0xACF1E930
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateKey
Actual Address 0xACF29A80
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreatePort
Actual Address 0xACF22510
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateProcess
Actual Address 0xACF28870
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateProcessEx
Actual Address 0xACF28AA0
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateSection
Actual Address 0xACF2BFD0
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtCreateWaitablePort
Actual Address 0xACF22600
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDeleteFile
Actual Address 0xACF1EF20
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDeleteKey
Actual Address 0xACF2A6E0
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDeleteValueKey
Actual Address 0xACF2A440
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtDuplicateObject
Actual Address 0xACF28580
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtLoadKey
Actual Address 0xACF2A8B0
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtMapViewOfSection
Actual Address 0xACF2C270
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtOpenFile
Actual Address 0xACF1ED70
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtOpenProcess
Actual Address 0xACF28350
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtOpenThread
Actual Address 0xACF28150
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtRenameKey
Actual Address 0xACF2B250
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtReplaceKey
Actual Address 0xACF2ACB0
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtRequestWaitReplyPort
Actual Address 0xACF21C00
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtRestoreKey
Actual Address 0xACF2B080
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSecureConnectPort
Actual Address 0xACF22220
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSetInformationFile
Actual Address 0xACF1F120
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtSetValueKey
Actual Address 0xACF2A140
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtTerminateProcess
Actual Address 0xAA1A3A70
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
NtTerminateThread
Actual Address 0xAA1A2E40
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
==============================================
>Shadow
NtUserCreateWindowEx
Actual Address 0xAA1A3E50
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
NtUserDestroyWindow
Actual Address 0xAA1A4030
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
NtUserMessageCall
Actual Address 0xAA1A4070
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
NtUserPostMessage
Actual Address 0xAA1A4300
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
NtUserPostThreadMessage
Actual Address 0xAA1A44E0
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x8A97E7F8

Process: C:\WINDOWS\system32\MsPMSPSv.exe
Process Id: 212
EPROCESS Address: 0x88C71678

Process: C:\WINDOWS\system32\alg.exe
Process Id: 488
EPROCESS Address: 0x88C698B0

Process: C:\WINDOWS\system32\smss.exe
Process Id: 496
EPROCESS Address: 0x8A37ABC0

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 544
EPROCESS Address: 0x8A825518

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 576
EPROCESS Address: 0x89D34728

Process: C:\WINDOWS\system32\services.exe
Process Id: 620
EPROCESS Address: 0x89D8B3B8

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 632
EPROCESS Address: 0x89D7B5B8

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 804
EPROCESS Address: 0x89D96348

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 820
EPROCESS Address: 0x88AB6CA8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 912
EPROCESS Address: 0x88AA7B10

Process: C:\Program Files\Panda Security\Panda Antivirus 2008\PAVSRV51.EXE
Process Id: 960
EPROCESS Address: 0x89330DA0

Process: C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
Process Id: 972
EPROCESS Address: 0x8A76F330

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1164
EPROCESS Address: 0x8A75FBA8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1220
EPROCESS Address: 0x88AB5020

Process: C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
Process Id: 1240
EPROCESS Address: 0x888753D0

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 1244
EPROCESS Address: 0x88ABD660

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1324
EPROCESS Address: 0x88CF1330

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1364
EPROCESS Address: 0x88CE12D0

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 1636
EPROCESS Address: 0x88A33980

Process: C:\WINDOWS\ATKKBService.exe
Process Id: 1732
EPROCESS Address: 0x88A2E720

Process: C:\WINDOWS\system32\CTSVCCDA.EXE
Process Id: 1744
EPROCESS Address: 0x88A2B020

Process: C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
Process Id: 1768
EPROCESS Address: 0x889F66F0

Process: C:\WINDOWS\system32\LxrSII1s.exe
Process Id: 1860
EPROCESS Address: 0x889F5400

Process: C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrlS.exe
Process Id: 1904
EPROCESS Address: 0x88CA6DA0

Process: C:\Program Files\Fichiers communs\Panda Software\PavShld\PavPrSrv.exe
Process Id: 1940
EPROCESS Address: 0x889EB980

Process: C:\WINDOWS\system32\HPZipm12.exe
Process Id: 1960
EPROCESS Address: 0x889EB020

Process: C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
Process Id: 1980
EPROCESS Address: 0x889EA320

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 2032
EPROCESS Address: 0x889E5DA0

Process: C:\Program Files\Windows Defender\MsMpEng.exe
Process Id: 2144
EPROCESS Address: 0x88BF1020

Process: C:\WINDOWS\explorer.exe
Process Id: 2468
EPROCESS Address: 0x889DE6B8

Process: C:\Program Files\Microsoft IntelliType Pro\type32.exe
Process Id: 2612
EPROCESS Address: 0x88A9EDA0

Process: C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
Process Id: 2636
EPROCESS Address: 0x889D4420

Process: C:\WINDOWS\CTHELPER.EXE
Process Id: 2664
EPROCESS Address: 0x88A1EDA0

Process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
Process Id: 2816
EPROCESS Address: 0x88CF5A20

Process: C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
Process Id: 2820
EPROCESS Address: 0x8A8086B8

Process: C:\WINDOWS\V0420Mon.exe
Process Id: 2852
EPROCESS Address: 0x88CD7398

Process: C:\Program Files\Panda Security\Panda Antivirus 2008\ApVxdWin.exe
Process Id: 2860
EPROCESS Address: 0x88CB9DA0

Process: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
Process Id: 2920
EPROCESS Address: 0x88AC7DA0

Process: C:\WINDOWS\system32\ctfmon.exe
Process Id: 2964
EPROCESS Address: 0x88CD2508

Process: C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
Process Id: 3024
EPROCESS Address: 0x88C56020

Process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
Process Id: 3224
EPROCESS Address: 0x88987860

Process: C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
Process Id: 3244
EPROCESS Address: 0x88D212C8

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 3628
EPROCESS Address: 0x88A075D0

Process: C:\Program Files\Windows Defender\MSASCui.exe
Process Id: 3748
EPROCESS Address: 0x88886020

Process: C:\RkUnhooker\44xNmWaLa4sc80x.exe
Process Id: 3864
EPROCESS Address: 0x88606020

==============================================
>Drivers
Driver: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF183000
Size: 3092480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xB9AE9000
Size: 2625536 bytes

Driver: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000
Size: 2260992 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2260992 bytes

Driver: RAW
Address: 0x804D7000
Size: 2260992 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2260992 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF476000
Size: 1589248 bytes

Driver: C:\WINDOWS\system32\drivers\ha10kx2k.sys
Address: 0xAD12D000
Size: 1064960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys
Address: 0xB9860000
Size: 1044480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSFCXTS2.sys
Address: 0xB97B8000
Size: 688128 bytes

Driver: C:\WINDOWS\System32\drivers\ctac32k.sys
Address: 0xAD03D000
Size: 638976 bytes

Driver: Ntfs.sys
Address: 0xF7B52000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\drivers\ctaud2k.sys
Address: 0xB9A0F000
Size: 499712 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_V124.sys
Address: 0xAA009000
Size: 491520 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xACE0A000
Size: 458752 bytes

Driver: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF096000
Size: 450560 bytes

Driver: C:\WINDOWS\System32\drivers\ACEDRV08.sys
Address: 0xAA9CC000
Size: 401408 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys
Address: 0xAA281000
Size: 393216 bytes

Driver: C:\WINDOWS\System32\vsdatant.sys
Address: 0xACEEF000
Size: 393216 bytes

Driver: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xB9375000
Size: 385024 bytes

Driver: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xACF9D000
Size: 364544 bytes

Driver: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xAA1F5000
Size: 335872 bytes

Driver: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF104000
Size: 331776 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys
Address: 0xAA367000
Size: 290816 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 286720 bytes

Driver: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF051000
Size: 282624 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xAA2E1000
Size: 266240 bytes

Driver: C:\WINDOWS\System32\atkdisp.dll
Address: 0xBF012000
Size: 245760 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys
Address: 0xB995F000
Size: 221184 bytes

Driver: C:\WINDOWS\System32\drivers\ctoss2k.sys
Address: 0xB9995000
Size: 208896 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys
Address: 0xAA0D1000
Size: 200704 bytes

Driver: ACPI.sys
Address: 0xF75A7000
Size: 192512 bytes

Driver: C:\WINDOWS\System32\atiok3x2.dll
Address: 0xBF155000
Size: 188416 bytes

Driver: C:\WINDOWS\System32\drivers\emupia2k.sys
Address: 0xAD100000
Size: 184320 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xAA49F000
Size: 184320 bytes

Driver: NDIS.sys
Address: 0xF7837000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA900B000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PavProc.sys
Address: 0xAA1A2000
Size: 176128 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xACE7A000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Address: 0xAA44E000
Size: 167936 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB9AAD000
Size: 163840 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xACF75000
Size: 163840 bytes

Driver: C:\WINDOWS\System32\drivers\ctsfm2k.sys
Address: 0xAD0D9000
Size: 159744 bytes

Driver: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Address: 0xA95D9000
Size: 155648 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xACF4F000
Size: 155648 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB99EB000
Size: 147456 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xB9A89000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xB99C8000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xACEA5000
Size: 139264 bytes

Driver: ACPI_HAL
Address: 0x806FF000
Size: 134400 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806FF000
Size: 134400 bytes

Driver: fltmgr.sys
Address: 0xF7877000
Size: 131072 bytes

Driver: ftdisk.sys
Address: 0xF74D7000
Size: 126976 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys
Address: 0xAA34A000
Size: 118784 bytes

Driver: C:\WINDOWS\system32\drivers\AtiHdAud.sys
Address: 0xAD2F9000
Size: 106496 bytes

Driver: Mup.sys
Address: 0xF7A35000
Size: 106496 bytes

Driver: atapi.sys
Address: 0xF74BF000
Size: 98304 bytes

Driver: KSecDD.sys
Address: 0xF7408000
Size: 94208 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xB945C000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA9CFC000
Size: 86016 bytes

Driver: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xB9793000
Size: 81920 bytes

Driver: srescan.sys
Address: 0xF7973000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB9AD5000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xACFF6000
Size: 77824 bytes

Driver: C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
Address: 0xAAA56000
Size: 77824 bytes

Driver: WudfPf.sys
Address: 0xF7864000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000
Size: 73728 bytes

Driver: C:\WINDOWS\system32\Drivers\LxrSII1d.sys
Address: 0xAA247000
Size: 73728 bytes

Driver: sfdrv01.sys
Address: 0xF7961000
Size: 73728 bytes

Driver: pci.sys
Address: 0xF7596000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xB9423000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xB97A7000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF741F000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF76B7000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF76C7000
Size: 65536 bytes

Driver: ohci1394.sys
Address: 0xF7607000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xF748F000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xB9E14000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF76D7000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xAA172000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF7516000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF7617000
Size: 57344 bytes

Driver: VolSnap.sys
Address: 0xF7647000
Size: 57344 bytes

Driver: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF7667000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys
Address: 0xAA42E000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF76E7000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF7586000
Size: 49152 bytes

Driver: agp440.sys
Address: 0xF7687000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF745F000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xB9E04000
Size: 45056 bytes

Driver: MountMgr.sys
Address: 0xF7627000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF76F7000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xF7556000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xB9E24000
Size: 40960 bytes

Driver: isapnp.sys
Address: 0xF75F7000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7526000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF7566000
Size: 40960 bytes

Driver: disk.sys
Address: 0xF7657000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF742F000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF7576000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF747F000
Size: 36864 bytes

Driver: PxHelp20.sys
Address: 0xF7677000
Size: 36864 bytes

Driver: sfsync02.sys
Address: 0xF7637000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF749F000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\drivers\ctprxy2k.sys
Address: 0xF7817000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF781F000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF779F000
Size: 32768 bytes

Driver: sfhlp02.sys
Address: 0xF771F000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ShlDrv51.sys
Address: 0xF77A7000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Address: 0xF77AF000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF780F000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF7747000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7787000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF7767000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\Drivers\sybex38.SYS
Address: 0xACD2A000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF776F000
Size: 24576 bytes

Driver: pavboot.sys
Address: 0xF7717000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF7807000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF778F000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF7777000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Address: 0xF77DF000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7797000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xF770F000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF774F000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF775F000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7757000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xF77B7000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\drivers\asusgsb.sys
Address: 0xBA7D4000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xB9448000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xBA7C4000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xAA7F8000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xBA7E8000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\drivers\atkkbnt.sys
Address: 0xBA7DC000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\atkosdmini.dll
Address: 0xBF04E000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB9434000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\EIO.sys
Address: 0xF794B000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Address: 0xBA7EC000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB9454000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Address: 0xAA4CC000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xB9450000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xBA7D0000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xBA77E000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Video3D32.sys
Address: 0xBA7D8000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xBA7C0000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF7947000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79B5000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79B3000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79B7000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF79CD000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\PfModNT.sys
Address: 0xF7A07000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79B9000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF79AD000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF79B1000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7989000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xB9DAB000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7A75000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7AB7000
Size: 4096 bytes

Driver: pciide.sys
Address: 0xF7A4F000
Size: 4096 bytes

==============================================
>Stealth
==============================================
>Files
==============================================
>Hooks

ntoskrnl.exe+0x00005B12, Type: Inline - RelativeJump 0x804DCB12 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA50, Type: Inline - RelativeJump 0x804E4A50 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA70, Type: Inline - RelativeJump 0x804E4A70 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DCA4, Type: Inline - RelativeJump 0x804E4CA4 [ntoskrnl.exe]
ntoskrnl.exe-->KeFindConfigurationEntry, Type: Inline - RelativeCall 0x806B4DDE [ntoskrnl.exe]
ntoskrnl.exe-->KeFindConfigurationEntry, Type: Inline - RelativeCall 0x806B4DE3 [ntoskrnl.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xACFDC428 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xACFDC454 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xACFDC460 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF74A4B4C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF74A4B1C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF74A4B3C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF74A4B28 [vsdatant.sys]
[2468]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DA1218 [shimeng.dll]
[2468]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77EF10B4 [shimeng.dll]
[2468]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2468]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9D15A4 [shimeng.dll]
[2468]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E39133C [shimeng.dll]
[2468]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x44081488 [shimeng.dll]
[2468]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x719F109C [shimeng.dll]
[3628]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E3D6D7D [ieframe.dll]
[3628]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E3B2072 [ieframe.dll]
[3628]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E3BB144 [ieframe.dll]
[3628]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E3A47AB [ieframe.dll]
[3628]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E3D085C [ieframe.dll]
[3628]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E3D0838 [ieframe.dll]
[3628]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E3BA082 [ieframe.dll]
[3628]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E3E64D5 [ieframe.dll]





#2 noisette (Admin, 21,801 posts)

Posted 05 September 2008 - 06:45

Hello Hans, and welcome to infomars!


I had a very quick look at your log this morning, barely a few minutes; I'll come back to it tonight.

What I can say quickly:
  • what exactly makes you think you are infected with a rootkit? suspicious activity you were able to pin down? try to describe exactly the symptoms you noticed and how you noticed them.
  • Panda antivirus is not really a good antivirus solution.
  • Windows Defender has no business on a PC, for the same reasons, only much worse. As for Malware Sweeper: never heard of it ... but I also wonder whether its effectiveness is still current.
  • Is Zone Alarm still installed as the firewall?
  • Have you used RootRepeal?



If you like, accompany your replies with:
  • a HijackThis report
  • a scan report from Malwarebytes Anti-Malware



See you soon


#3 Txon (Administrator, 10,854 posts)

Posted 05 September 2008 - 10:48

Hi and welcome!

An invisible rootkit is an effective rootkit.

A - Analysis of your "log" made with RkUnhooker 3.8.
[1] - The hooks in the SSDT and in the Shadow SSDT ...
vsdatant.sys ... TrueVector Device Driver (vsdatant) of ZoneAlarm / ZoneAlarm with Antivirus / ZoneAlarm Security Suite / ZoneAlarm Pro / ZoneAlarm Anti-virus, by Zone Labs Inc (www.zonelabs.com) / Zone Labs, LLC,
PavProc.sys ... driver of Panda Process Protection / Panda Shield / Panda Security
If you have software of this kind, these "hooks" can be perfectly "normal". If not, there is a problem.

[2] - The processes active at scan time ... ... Thanks to Google in some cases!
Below, WindowsNT/2000/XP means "generic WindowsNT/2000/XP module".
System,
MsPMSPSv.exe (WMDM PMSP Service => Windows Media Player => DRM?),
alg.exe (WindowsNT/2000/XP, for the firewall => Internet connection sharing),
smss.exe (WindowsNT/2000/XP => Session Management Subsystem),
csrss.exe (generic Windows XP => Client/Server Runtime Subsystem),
winlogon.exe (WindowsNT/2000/XP => Windows LogOn Process),
services.exe (WindowsNT/2000/XP => Windows Service Controller),
lsass.exe (the Local Security Authentication Server process of the Windows security mechanisms, not to be confused with Issas.exe (with an i), which is a Trojan),
ati2evxx.exe (ATI Display Adapters, for keyboard shortcuts to the ATI graphics card manager?)
svchost.exe (WindowsNT/2000/XP => Service Host Process, one for each process that uses one or more dynamic link libraries (DLLs)),
PAVSRV51.EXE (Panda antivirus)
AVENGINE.EXE (Panda antivirus),
infocard.exe (Windows CardSpace => Microsoft® .NET Framework),
spoolsv.exe (WindowsNT/2000/XP => Printer Spooler Service),
ATKKBService.exe (ASUS Keyboard Service => ASUS keyboard configuration for special keys, shortcuts, etc.),
CTSVCCDA.EXE (Creative SoundBlaster => CD-ROM drive),
DKService.exe (Executive Software => Diskeeper),
LxrSII1s.exe (Lexar Secure II => flash card or perhaps USB key),
PsCtrlS.exe (Panda Antimalware Manager),
PavPrSrv.exe (Panda antivirus),
HPZipm12.exe (HP PSC 2100, 2200, 4100 or 6100 series printer),
PsImSvc.exe (Panda Antivirus => Titanium),
MsMpEng.exe (Microsoft Windows Defender Antispyware),
explorer.exe (WindowsNT/2000/XP, user interface (shell)),
type32.exe (Microsoft Office Keyboard Driver),
hpwuSchd2.exe (Hewlett Packard Update Scheduler => updates),
CTHELPER.EXE (Creative Labs => sound card),
MOM.exe (ATI Technologies => Catalyst Control Center),
realsched.exe (RealPlayer => updates),
ApVxdWin.exe (Panda Antivirus => Platinum?),
jusched.exe (Java Update Scheduler => updates),
ctfmon.exe (WindowsNT/2000/XP => Alternative User Input Services for alternative text input => speech recognition software, Microsoft Office?),
MalSwep.exe (MalwareSweeper?),
CCC.exe (ATI => Catalyst Control Center),
WebProxy.exe (Panda Software web proxy),
iexplore.exe (Microsoft Internet Explorer),
MSASCui.exe (Microsoft Windows Defender Antispyware),
44xNmWaLa4sc80x.exe (RootKit Unhooker).
Several remarks ...
  • Next time you have a problem, leave only the essentials running before analysing it with an ARK. Here there are far too many useless things running.
  • None of the processes shows an anomaly (hidden). Check, however, that they correspond to software you actually installed.
  • You say you have trouble with your keyboard, yet you have drivers for two different keyboards on your machine, plus two special managers (shortcuts, ...) running at the same time. Is there some mess in there (incompatibility or otherwise)? You should uninstall all of that (cleanly) and reload only the bare minimum.
  • You say it communicates with the outside, but with the number of programs trying to update themselves and Windows' own phone-home components, that doesn't really surprise me. Do a scan of what launches at startup of your PC and another of what communicates. If you have nothing else to hand, do it with good old IceSword. Complete that with a full scan done with RootRepeal.

[3] - The drivers active at scan time ...
There are too many, it's too long, and none of them seems to show an anomaly (hidden or otherwise).

[4] - Hooks
The list seems very short to me and contains nothing extraordinary. Are you sure you copied it in full?


B – Comments aside from any rootkit.
[1] What use is this Windows Defender Antispyware, which is known only as a sieve for malware?
If you want several anti-intrusion tools, preferably take something that works properly, for example Spyware Terminator or the new version of Dynamic Security Agent, which are free and fairly effective.

[2] What is this MalwareSweeper? Is it effective? Does it have any references?

[3] Why do you use Microsoft software?
. Windows Media Player contains a phone-home component and nobody really knows what it does and doesn't do.
. Internet Explorer is heavily attacked and dated compared to Firefox.
. I hope for your sake you don't use MSN or its modern version.

[4] Zone Alarm and Panda Antivirus
What an idea, using second-rate software!!!
Zone Alarm is a has-been and Panda a backward relic.
Uninstall all of that completely (careful with Zone Alarm) and install Comodo FP and Antivir instead, which are free and more effective.

See you.

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."(Benjamin Franklin)
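A triage helper for reports like the one in post #1, added here as an example (it is not code from the thread, from RkUnhooker, or from any of the products named): it parses the `>SSDT State`, `>Shadow` and `>Drivers` sections of a RkUnhooker 3.8 text report and checks, for every hooked service, that the hook's reported address really lies inside the image range of the driver the report names as the hooker. Hooks that resolve cleanly to a known firewall or AV driver (vsdatant.sys, PavProc.sys) are the "normal if you run that software" case described above; a hook whose address sits in no listed module, or in a different module than the one blamed, is the inconsistency that deserves a second look. The sample input copies entries from the report above; the NtQueryDirectoryFile / unlisted.sys entry is synthetic and exists only to exercise the unmapped path. Function names are my own.

```python
import re
from dataclasses import dataclass


@dataclass
class Hook:
    table: str     # "SSDT" or "Shadow"
    service: str   # e.g. NtCreateFile
    address: int   # "Actual Address" of the hooked entry
    hooker: str    # module path the report attributes the hook to


SECTION_RE = re.compile(r"^>(\w[\w ]*)$")   # ">SSDT State", ">Shadow", ">Drivers", ...


def parse_report(text):
    """Extract SSDT/Shadow hooks and loaded-module (path, base, size) ranges."""
    hooks, modules, section = [], [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        m = SECTION_RE.match(line)
        if m:
            section, i = m.group(1), i + 1
            continue
        if section in ("SSDT State", "Shadow") and line.startswith("Nt"):
            # 3-line record: service name / "Actual Address 0x..." / "Hooked by: path"
            addr = int(lines[i + 1].split()[-1], 16)
            hooker = lines[i + 2].split(":", 1)[1].strip()
            hooks.append(Hook("SSDT" if section == "SSDT State" else "Shadow", line, addr, hooker))
            i += 3
            continue
        if section == "Drivers" and line.startswith("Driver:"):
            # 3-line record: "Driver: path" / "Address: 0x..." / "Size: N bytes"
            modules.append((line.split(":", 1)[1].strip(),
                            int(lines[i + 1].split()[-1], 16),
                            int(lines[i + 2].split()[1])))
            i += 3
            continue
        i += 1
    return hooks, modules


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_hooks(hooks, modules):
    """(table, service, hooker, status) per hook. 'consistent' = address inside the
    blamed image; 'module-mismatch' = inside another listed image; 'unmapped' = in none."""
    results = []
    for h in hooks:
        hits = [(p, s) for p, b, s in modules if b <= h.address < b + s]
        if not hits:
            status = "unmapped"
        elif basename(min(hits, key=lambda ps: ps[1])[0]) != basename(h.hooker):
            status = "module-mismatch"   # smallest covering image wins (ntoskrnl has aliases)
        else:
            status = "consistent"
        results.append((h.table, h.service, basename(h.hooker), status))
    return results


def summarize(results):
    """Hook count per (hooker, status): who owns the SSDT, and does every hook resolve."""
    counts = {}
    for _t, _s, hooker, status in results:
        counts[(hooker, status)] = counts.get((hooker, status), 0) + 1
    return counts


# Constructed excerpt: entries copied from the RkUnhooker report in post #1, plus one
# synthetic NtQueryDirectoryFile / unlisted.sys entry (no such driver appears in the
# thread) so the 'unmapped' outcome is exercised.
SAMPLE_REPORT = r"""
>SSDT State
NtConnectPort
Actual Address 0xACF22040
Hooked by: C:\WINDOWS\System32\vsdatant.sys
NtTerminateProcess
Actual Address 0xAA1A3A70
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
NtQueryDirectoryFile
Actual Address 0xB0000010
Hooked by: C:\WINDOWS\system32\drivers\unlisted.sys
==============================================
>Shadow
NtUserCreateWindowEx
Actual Address 0xAA1A3E50
Hooked by: C:\WINDOWS\system32\DRIVERS\PavProc.sys
==============================================
>Drivers
Driver: C:\WINDOWS\System32\vsdatant.sys
Address: 0xACEEF000
Size: 393216 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PavProc.sys
Address: 0xAA1A2000
Size: 176128 bytes
"""

if __name__ == "__main__":
    hooks, modules = parse_report(SAMPLE_REPORT)
    for (hooker, status), n in sorted(summarize(check_hooks(hooks, modules)).items()):
        print(f"{hooker:14} {status:16} {n}")
```

Run against the full report from post #1, every SSDT and Shadow entry resolves as consistent to vsdatant.sys or PavProc.sys, which is exactly the reading given above. An unmapped or module-mismatch result does not prove a rootkit by itself (a module can be unloaded between the two scan passes), but it is the entry whose driver file you would pull off disk and hash before trusting the report's attribution.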


#4 Txon (Administrator, 10,854 posts)

Posted 05 September 2008 - 13:38

Re ... Des nouvelles de Malware Sweeper ...
CITATION(Spyware.com)
Malware Sweeper pretends to be an advanced spyware remover providing effective system protection and reliable parasite removal. However, in practice, Malware Sweeper is a mediocre product that cannot compete with leading anti-spyware solutions. We have carefully tested the application on several computers including absolutely clean machines and PCs infected with different parasites. Tests revealed that although Malware Sweeper actually detects most of the parasites, it incorrectly identifies some of them. Furthermore, the program has some stability and performance issues.
Malware Sweeper is a mediocre product that cannot compete with leading anti-spyware solutions.
Rating 48/100 ... Not brilliant.

@+


#5 hans (Marsonaute, Zimien, 8 messages)

Posted 06 September 2008 - 07:43

Thanks! I really appreciate you replying with such a thorough analysis of my computer. I'm rather a novice at configuration, you see. I've changed several things on my computer, including Antivir, Comodo, and lastly Dynamic Security Agent. Most of the startup files have been removed.
Malwarebytes scanned and found nothing on my computer.
I'll switch my browser to Firefox soon too.
I had an Arabic keyboard as the second layout, for another person who used it.
How do I know I have a rootkit? I was told by a reliable source among people I know. And whoever put it there is no amateur.
I'd like to detect this malicious software.
I'm sending you a HijackThis report and a RootRepeal one, but with fewer lines to check :)
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2008/09/06 01:30
Program Version: Version 1.1.1.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: RootRepeal.sys
Image Path: C:\WINDOWS\system32\drivers\RootRepeal.sys
Address: 0xA93B9000 Size: 40960 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\AVWSC.EXE-347FCF75.pf
Status: Size mismatch (API: 37220, Raw: 37200)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c0c8c

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c03c4

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c08a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c143c

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c0080

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c2084

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c0e72

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb9e332d4

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c10b8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c1268

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6bfb02

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c1d24

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c0ab0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb9e332c0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c0744

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb9e332c5

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c17f2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c0196

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c1ae6

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c1ec4

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c1602

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c05d2

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c0638

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb9e332cf

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6bfe18

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xb9e332ca

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:59:21, on 2008-09-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.islamicfi.......n==
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Hypersight] C:\Program Files\Hypersight\hypersight.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.81\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 3.81\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com...cpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187894390265
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...upv2.0.0.10.cab?
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = introductionparinfraction
O17 - HKLM\Software\..\Telephony: DomainName = introductionparinfraction
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = introductionparinfraction
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: 22930533 - Unknown owner - C:\WINDOWS\system32\22930533.exe (file missing)
O23 - Service: 8503DB8F - Unknown owner - C:\WINDOWS\system32\8503DB8F.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: B1E6F8BD - Unknown owner - C:\WINDOWS\system32\B1E6F8BD.exe (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: F3773D6A - Unknown owner - C:\WINDOWS\system32\F3773D6A.exe (file missing)
O23 - Service: FB37F5A2 - Unknown owner - C:\WINDOWS\system32\FB37F5A2.exe (file missing)
O23 - Service: FFC04F73 - Unknown owner - C:\WINDOWS\system32\FFC04F73.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Fichiers communs\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 8329 bytes

#6 noisette (Webmarster, Admin, 21 801 messages)

Posted 06 September 2008 - 09:17

Hi Hans,

well done for being so quick to renew your security software

Quote (hans @ 6/09/2008, 08:43:23)
How do I know I have a rootkit? I was told by a reliable source among people I know. And whoever put it there is no amateur.

But there, I have to tell you that this isn't the kind of answer I was expecting

It's impossible to base anything whatsoever about your machine on that.

What makes your acquaintance say your PC harbours a rootkit? Can they show you exactly what they detected?

Or not?

As for your RootRepeal report, the cmdguard.sys hooks are Comodo's doing, so they're normal.
We'd need to know more about the "Unknown" that set the other hooks. For that, I suggest waiting for Txon to come by, since he practises this at a whole other level than I do.

In the meantime, I'll have a look at the HijackThis report and keep you posted during the morning.



#7 Txon (AïoligaToR, Administrator, 10 854 messages)

Posted 06 September 2008 - 10:56

Hi!

This quick change of defences suits quite well.
Have you scanned your PC with Antivir after updating its signature database? If so, what was the result?

Scan you ran with RootRepeal.
[1] Drivers
Nothing abnormal a priori (the one that is "not visible" is RootRepeal's own).
[2] Hidden/Locked Files
... a ... "WUDFTrace.etl" ??? Would you be using a tool with a similar name, WUDF or other, or one that uses the Windows User-Mode Driver Framework? Some Apple iTunes software?
... b ... "AVWSC.EXE" no problem as long as it is properly signed by Avira.
[3] SSDT
... a ... "cmdguard.sys" is Comodo F.P.'s driver. Its "hooks" pose no problem. Don't touch them.
... b ... "<unknown>" ... all hooks set by unknown parties are suspect, but they may simply come from a poorly put together piece of software and not necessarily from a malicious rootkit. The trouble is that I'm not on your PC to rummage around, but we should try to find out everything about this.
  • Scan your new Windows configuration with RkU 3.8: SSDT (select all, then copy/paste) and Report,
  • With RootRepeal, redo an analysis of the SSDT; then several actions are possible after selecting a line corresponding to the hook set by <unknown> and right-clicking on it ...
    • [Copy File] to try to get a copy of this file and send it to us for analysis.
    • [Unhook Selected] to undo the hook and see whether a known program has stopped working. Later on, or after a reboot, run another SSDT scan to find out whether the hook has been put back. If so, see below.
    • [Force Delete] to kill the file, but it may be "armoured" and this function may not succeed. If so, see below.
    • [Wipe File] to try to overwrite the file's contents with zeros. Then restart Windows.

I see you've downloaded Hypersight RD, so you must have a recent Intel Core 2 or AMD-V processor ... What is the result of the scan with this ARK?

@+

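As an added example (not code from this thread, from RootRepeal or from Rootkit Unhooker), the triage Txon describes above, applied automatically to the two report formats quoted in this thread: hooks are grouped by the driver that set them, cmdguard.sys and vsdatant.sys are treated as expected, anything the tool reports as unknown is marked suspect, and the byte span between one owner's hook addresses shows whether its hooks likely point into a single module. The allow-list and the sample excerpts are assumptions constructed from what the thread shows.

```python
"""Triage of SSDT hook listings from RootRepeal and Rootkit Unhooker reports.

Added example, not code from this thread or from either tool; allow-list and
sample excerpts are constructed from what the thread shows.
"""
import re
from collections import defaultdict

# Hook owners the thread identifies as legitimate security-product drivers.
KNOWN_HOOK_OWNERS = {
    "cmdguard.sys": "Comodo Firewall Pro",
    "vsdatant.sys": "ZoneAlarm",
}
# What the two tools print when they cannot resolve the hooking module.
UNKNOWN_MARKERS = {"<unknown>", "unknown module filename"}

# RootRepeal: '#: 053 Function Name: NtCreateThread' followed by
# 'Status: Hooked by "<owner>" at address 0x...'
RR_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\S+)")
RR_HOOK = re.compile(r'^Status:\s*Hooked by\s*"([^"]*)"\s*at address\s*(0x[0-9a-fA-F]+)')
# Rootkit Unhooker: 'NtOpenProcess' / 'Actual Address 0x...' / 'Hooked by: <owner>'
RKU_FUNC = re.compile(r"^Nt\w+$")
RKU_ADDR = re.compile(r"^Actual Address\s*(0x[0-9a-fA-F]+)")
RKU_HOOK = re.compile(r"^Hooked by:\s*(.+?)\s*$")


def parse_hooks(report_text):
    """Return [(function, owner, address)] from either report format."""
    hooks, func, addr = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if m := RR_FUNC.match(line):
            func = m.group(1)
        elif (m := RR_HOOK.match(line)) and func:
            hooks.append((func, m.group(1), int(m.group(2), 16)))
            func = None
        elif RKU_FUNC.match(line):
            func = line
        elif m := RKU_ADDR.match(line):
            addr = int(m.group(1), 16)
        elif (m := RKU_HOOK.match(line)) and func and addr is not None:
            hooks.append((func, m.group(1), addr))
            func, addr = None, None
    return hooks


def owner_key(owner):
    """Lower-case file name of the hooking module, or 'unknown'."""
    text = owner.strip().lower()
    if text in UNKNOWN_MARKERS:
        return "unknown"
    return text.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(hooks):
    """Group hooks by owner: verdict, hooked functions and the byte span between
    the owner's lowest and highest hook address (a few bytes = one module)."""
    groups = defaultdict(list)
    for func, owner, addr in hooks:
        groups[owner_key(owner)].append((func, addr))
    result = {}
    for key, entries in groups.items():
        if key == "unknown":
            verdict = "suspect: owner not identified by the tool"
        elif key in KNOWN_HOOK_OWNERS:
            verdict = "expected: " + KNOWN_HOOK_OWNERS[key]
        else:
            verdict = "to identify: check the file's vendor and signature"
        addrs = [a for _, a in entries]
        result[key] = {"verdict": verdict,
                       "functions": sorted(f for f, _ in entries),
                       "span": max(addrs) - min(addrs)}
    return result


# Constructed excerpts in the two formats quoted in this thread.
SAMPLE_ROOTREPEAL = r"""
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb9e332d4
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac6c10b8
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb9e332c0
"""
SAMPLE_RKU = r"""
>SSDT State
NtOpenProcess
Actual Address 0xAC3E2D68
Hooked by: Unknown module filename
NtOpenSection
Actual Address 0xAC2B4B40
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtTerminateProcess
Actual Address 0xAC3E2D77
Hooked by: Unknown module filename
"""
```

Run `triage(parse_hooks(report))` on a pasted report; in the samples the unknown hooks lie 0x14 and 0xF bytes apart respectively, i.e. one thunk table in one unresolved module, while pwipf6.sys comes out as "to identify" because the thread never names its vendor.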

#8 noisette (Webmarster, Admin, 21 801 messages)

Posted 06 September 2008 - 11:00

So here is my analysis of your HijackThis report.

Quote
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

FlashGet is considered by some to be malware, since it consumes resources (network in particular) for a near-useless service, but it's up to you to judge how useful it is to you.



Quote
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw

Personally, I find MSI a bit intrusive on this one ... I would fix these lines too. But here again, the danger to your personal data is almost non-existent (only if msi's site were hacked, I think); still, it's a website and that's all, it has no business being in IE's trusted list.

Quite a few toolbars in O16, to fix if you don't use them. Ask me before fixing them if you want to be sure.

Let's get to what bothers me.

Quote
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = introductionparinfraction
O17 - HKLM\Software\..\Telephony: DomainName = introductionparinfraction
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = introductionparinfraction


What is this: introductionparinfraction? Did you modify the report, or was it like that?

Quote
O23 - Service: 22930533 - Unknown owner - C:\WINDOWS\system32\22930533.exe (file missing)
O23 - Service: 8503DB8F - Unknown owner - C:\WINDOWS\system32\8503DB8F.exe (file missing)
O23 - Service: B1E6F8BD - Unknown owner - C:\WINDOWS\system32\B1E6F8BD.exe (file missing)
O23 - Service: F3773D6A - Unknown owner - C:\WINDOWS\system32\F3773D6A.exe (file missing)
O23 - Service: FB37F5A2 - Unknown owner - C:\WINDOWS\system32\FB37F5A2.exe (file missing)
O23 - Service: FFC04F73 - Unknown owner - C:\WINDOWS\system32\FFC04F73.exe (file missing)


There, in my opinion, there may be a problem. These are services with random names that may well be able to hide themselves. It would be worth looking into that, for example by checking that they aren't created by your anti-rootkit solution. And also going into C:\WINDOWS\system32 to look for other exe files of the same kind (show system and hidden files first).
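As an added example (not code from this thread or from HijackThis), a script for the two checks noisette suggests above: flag O23 services whose name is a random-looking hexadecimal string with no vendor recorded or no image on disk, then list executables with the same naming pattern in a directory such as C:\WINDOWS\system32. The sample lines are constructed from the report quoted above; `demo_scan` uses a temporary directory standing in for system32.

```python
"""Triage of HijackThis O23 service lines, plus the follow-up directory check.

Added example, not code from this thread or from HijackThis. The sample lines
are constructed from the report quoted above; demo_scan() uses a temporary
directory standing in for C:\\WINDOWS\\system32.
"""
import ntpath
import os
import re
import tempfile

# Service names like 22930533 or 8503DB8F: eight hexadecimal characters.
RANDOM_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")
MISSING = "(file missing)"


def parse_o23(line):
    """Split an 'O23 - Service:' line into name, owner, image path and status.

    HijackThis separates fields with ' - ', but a display name may itself
    contain ' - ' (see the Avira lines), so split from the right, where the
    layout is fixed: ... - <owner> - <path> [(file missing)].
    """
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, tail = (p.strip() for p in parts)
    missing = tail.endswith(MISSING)
    path = tail[: -len(MISSING)].strip() if missing else tail
    return {"name": name, "owner": owner, "path": path, "missing": missing}


def triage_o23(lines):
    """Return [(name, path, reasons)] for services matching the pattern discussed
    above: random-looking name equal to the image name, and no vendor or no file.
    'Unknown owner' alone is not enough (Comodo's cmdAgent has it too)."""
    flagged = []
    for line in lines:
        svc = parse_o23(line.strip())
        if svc is None:
            continue
        stem = ntpath.splitext(ntpath.basename(svc["path"]))[0]
        random_name = bool(RANDOM_NAME.match(svc["name"])) and svc["name"].lower() == stem.lower()
        unknown = svc["owner"].lower() == "unknown owner"
        if random_name and (unknown or svc["missing"]):
            reasons = ["random-looking name equal to its image name"]
            if unknown:
                reasons.append("no vendor recorded")
            if svc["missing"]:
                reasons.append("image file missing")
            flagged.append((svc["name"], svc["path"], reasons))
    return flagged


def find_similar_exes(directory):
    """List .exe files in `directory` whose base name matches RANDOM_NAME, the
    check suggested for C:\\WINDOWS\\system32. os.scandir does not skip hidden
    or system files, so no Explorer setting is needed."""
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            stem, ext = os.path.splitext(entry.name)
            if entry.is_file() and ext.lower() == ".exe" and RANDOM_NAME.match(stem):
                hits.append(entry.name)
    return sorted(hits)


def demo_scan():
    """Constructed demonstration of find_similar_exes on a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("A1B2C3D4.exe", "notepad.exe", "DEADBEEF.dll"):
            open(os.path.join(tmp, name), "w").close()
        return find_similar_exes(tmp)


# Constructed from the O23 lines quoted above (two random-named, three vendor).
SAMPLE_O23 = r"""
O23 - Service: 22930533 - Unknown owner - C:\WINDOWS\system32\22930533.exe (file missing)
O23 - Service: 8503DB8F - Unknown owner - C:\WINDOWS\system32\8503DB8F.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, path, reasons in triage_o23(SAMPLE_O23):
        print(name, path, "; ".join(reasons))
    print(demo_scan())
```

A flagged service is a lead, not a verdict: as Txon notes in the next post, an anti-rootkit tool can register such services itself, so compare the names against what your own tools created before acting.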

#9 Txon (AïoligaToR, Administrator, 10 854 messages)

Posted 06 September 2008 - 11:19

Quote (noisette @ 6/09/2008, 12:00:15)
Quote
O23 - Service: 22930533 - Unknown owner - C:\WINDOWS\system32\22930533.exe (file missing)
O23 - Service: 8503DB8F - Unknown owner - C:\WINDOWS\system32\8503DB8F.exe (file missing)
O23 - Service: B1E6F8BD - Unknown owner - C:\WINDOWS\system32\B1E6F8BD.exe (file missing)
O23 - Service: F3773D6A - Unknown owner - C:\WINDOWS\system32\F3773D6A.exe (file missing)
O23 - Service: FB37F5A2 - Unknown owner - C:\WINDOWS\system32\FB37F5A2.exe (file missing)
O23 - Service: FFC04F73 - Unknown owner - C:\WINDOWS\system32\FFC04F73.exe (file missing)

There, in my opinion, there may be a problem. These are services with random names that may well be able to hide themselves. It would be worth looking into that, for example by checking that they aren't created by your anti-rootkit solution. And also going into C:\WINDOWS\system32 to look for other exe files of the same kind (show system and hidden files first).
These services could (perhaps, possibly, it isn't impossible) come from RkU 3.8, but that needs checking.
See -> HERE <- last screenshot on the page, paragraph [5] Permissions.

As for the "introductionparinfraction" entries, in truth (the real one, not the other), I don't know. However, might they not be yet more traces of ATI Technologies => Catalyst Control Center? If not, and if hans didn't do it, in such a case I would kill them (but I'm sometimes too brutal and that can go wrong).

@+


#10 hans (Marsonaute, Zimien, 8 messages)

Posted 07 September 2008 - 04:02

Hi noisette, I'm not good at programming, but what I'm told is: you possibly have a keylogger on your machine and they receive your keystrokes, whether I'm in WordPad, for example, or even in nothing at all. It's a kind of keystroke recorder.

Hello txon, I used a tracer before, WebTracer or something like that, which I had never deleted. For following an IP from A to B.
I ran a scan with RkU 3.8, latest version. The report is at the bottom.
I don't know whether this RootRepeal works properly. I try to copy the unknown files, but it says ''no path files''. And that's on all the files, hooked or not. Unhooking does nothing in the SSDT. Also, when I scan under Drivers or Report, my machine reboots as if it didn't have enough memory. I have 2 GB of RAM.
I downloaded Hypersight RD, but unfortunately my PC has a 2.8 gig single processor, so it doesn't work.

Noisette, I uninstalled FlashGet, which I really rarely use.
introductionparinfraction is what I wrote as the name of my computer. A welcome message to the cyber-intruder in my system.
As for toolbars, 99.9% of the time I don't appreciate them being installed.
I showed the hidden files in windows/system32, but there are so many of them. I don't know where to look.
Thanks for the help.

The Antivir scan seems normal apart from 3 problems, which are surely due to the ''pc security test'' software.

Avira AntiVir Personal
Report file date: 6 septembre 2008 19:57

Scanning for 1599979 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name:
Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 2008-08-12 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 2008-06-26 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008-05-26 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 2008-06-12 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 2008-05-26 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 2008-06-24 19:54:15
ANTIVIR2.VDF : 7.0.6.94 2998784 Bytes 2008-08-31 05:16:26
ANTIVIR3.VDF : 7.0.6.124 202240 Bytes 2008-09-05 05:16:27
Engineversion : 8.1.1.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2008-02-25 15:58:21
AESCRIPT.DLL : 8.1.0.70 319866 Bytes 2008-09-06 05:16:42
AESCN.DLL : 8.1.0.23 119156 Bytes 2008-07-10 18:44:49
AERDL.DLL : 8.1.1.1 397683 Bytes 2008-09-06 05:16:41
AEPACK.DLL : 8.1.2.1 364917 Bytes 2008-07-15 18:58:35
AEOFFICE.DLL : 8.1.0.23 196987 Bytes 2008-09-06 05:16:40
AEHEUR.DLL : 8.1.0.51 1397111 Bytes 2008-09-06 05:16:39
AEHELP.DLL : 8.1.0.15 115063 Bytes 2008-07-10 18:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 2008-09-06 05:16:37
AEEMU.DLL : 8.1.0.7 430452 Bytes 2008-07-31 14:33:21
AECORE.DLL : 8.1.1.11 172406 Bytes 2008-09-06 05:16:36
AEBB.DLL : 8.1.0.1 53617 Bytes 2008-07-10 18:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008-07-09 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 2008-05-16 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 2008-09-06 05:16:35
AVREG.DLL : 8.0.0.1 33537 Bytes 2008-05-09 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008-02-12 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008-06-12 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008-01-22 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008-06-12 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 2008-01-25 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008-06-12 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008-06-27 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, G:, H:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 6 septembre 2008 19:57

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'DSA.exe' - '0' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'type32.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'pfsvc.exe' - '0' Module(s) have been scanned
Scan process 'LxrSII1s.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'ATKKBService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '51' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\neo\Application Data\Sun\Java\Deployment\cache\6.0\23\1c06d557-75186e6a
[0] Archive type: ZIP
--> ProxyClassLoader.class
[DETECTION] Contains recognition pattern of the EXP/Java.Bytver.5.A exploit
[NOTE] The file was moved to '48f31ba8.qua'!
C:\Documents and Settings\neo\Application Data\Sun\Java\Deployment\cache\6.0\7\7bf016c7-485453f2
[0] Archive type: ZIP
--> OP.class
[DETECTION] Contains recognition pattern of the EXP/ByteVerify.I exploit
[NOTE] The file was moved to '49291bad.qua'!
C:\iDEFENSE\SysAnalyzer\safe_test1.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.CC back-door program
[NOTE] The file was moved to '49291d8c.qua'!
Begin scan in 'D:\'
Begin scan in 'G:\'
Begin scan in 'H:\'


End of the scan: 6 septembre 2008 20:43
Used time: 46:02 Minute(s)

The scan has been done completely.

11822 Scanning directories
400466 Files were scanned
3 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
400462 Files not concerned
12725 Archives were scanned
1 Warnings


RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.8.341.553
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtAdjustPrivilegesToken
Actual Address 0xAC37AC8C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtConnectPort
Actual Address 0xAC37A3C4
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtCreateFile
Actual Address 0xAC2B47C0
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtCreateKey
Actual Address 0xAC37B43C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtCreatePort
Actual Address 0xAC37A080
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtCreateProcessEx
Actual Address 0xAC2B5B00
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtCreateSection
Actual Address 0xAC2B53F0
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtCreateSymbolicLinkObject
Actual Address 0xAC37AE72
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtDebugActiveProcess
Actual Address 0xAC2B4CB0
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtDeleteKey
Actual Address 0xAC37B0B8
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtDeleteValueKey
Actual Address 0xAC37B268
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtDuplicateObject
Actual Address 0xAC379B02
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtLoadDriver
Actual Address 0xAC37BD24
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtOpenFile
Actual Address 0xAC2B4970
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtOpenProcess
Actual Address 0xAC3E2D68
Hooked by: Unknown module filename
NtOpenSection
Actual Address 0xAC2B4B40
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtOpenThread
Actual Address 0xAC3E2D6D
Hooked by: Unknown module filename
NtRenameKey
Actual Address 0xAC37B7F2
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtRequestWaitReplyPort
Actual Address 0xAC37A196
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtResumeThread
Actual Address 0xAC2B3E40
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtSecureConnectPort
Actual Address 0xAC37BAE6
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtSetSystemInformation
Actual Address 0xAC37BEC4
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtSetValueKey
Actual Address 0xAC37B602
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtShutdownSystem
Actual Address 0xAC37A5D2
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtSystemDebugControl
Actual Address 0xAC37A638
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtTerminateProcess
Actual Address 0xAC3E2D77
Hooked by: Unknown module filename
NtTerminateThread
Actual Address 0xAC2B3CF0
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtWriteVirtualMemory
Actual Address 0xAC3E2D72
Hooked by: Unknown module filename
==============================================
>Shadow
NtUserGetAsyncKeyState
Actual Address 0xAC37CF3C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtUserGetKeyboardState
Actual Address 0xAC37CD42
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtUserMessageCall
Actual Address 0xAC2B44B0
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtUserPostMessage
Actual Address 0xAC2B4640
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtUserPostThreadMessage
Actual Address 0xAC37C8E8
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtUserRegisterRawInputDevices
Actual Address 0xAC37D03C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtUserSendInput
Actual Address 0xAC37CC4C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
NtUserSetWindowsHookEx
Actual Address 0xAC2B4290
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
NtUserSetWinEventHook
Actual Address 0xAC2B4390
Hooked by: C:\WINDOWS\system32\drivers\pwipf6.sys
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x8A97E7F8

Process: C:\WINDOWS\system32\CTSVCCDA.EXE
Process Id: 436
EPROCESS Address: 0x88B0FB30

Process: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
Process Id: 568
EPROCESS Address: 0x8A559A50

Process: C:\WINDOWS\ATKKBService.exe
Process Id: 580
EPROCESS Address: 0x8A1A74F8

Process: C:\WINDOWS\system32\smss.exe
Process Id: 696
EPROCESS Address: 0x8A5F5D10

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 760
EPROCESS Address: 0x89B9E0B0

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 792
EPROCESS Address: 0x8A1F81E8

Process: C:\WINDOWS\system32\services.exe
Process Id: 836
EPROCESS Address: 0x8A1BC308

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 848
EPROCESS Address: 0x8A5828B0

Process: C:\WINDOWS\system32\LxrSII1s.exe
Process Id: 892
EPROCESS Address: 0x88AFF8B0

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 1016
EPROCESS Address: 0x8A5FFC10

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1036
EPROCESS Address: 0x8A5DD020

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1104
EPROCESS Address: 0x8A188950

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1220
EPROCESS Address: 0x8A217BE0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1260
EPROCESS Address: 0x8A1C7748

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1316
EPROCESS Address: 0x8A216A78

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1420
EPROCESS Address: 0x8A1E8B90

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 1524
EPROCESS Address: 0x8A1EF770

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 1596
EPROCESS Address: 0x8A5155B0

Process: C:\WINDOWS\system32\HPZipm12.exe
Process Id: 1600
EPROCESS Address: 0x88AE8860

Process: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
Process Id: 1660
EPROCESS Address: 0x8A1F4DA0

Process: C:\WINDOWS\explorer.exe
Process Id: 1820
EPROCESS Address: 0x8A149DA0

Process: C:\Program Files\Microsoft IntelliType Pro\type32.exe
Process Id: 1888
EPROCESS Address: 0x8915A968

Process: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
Process Id: 1912
EPROCESS Address: 0x8A1A1A20

Process: C:\WINDOWS\system32\ctfmon.exe
Process Id: 1980
EPROCESS Address: 0x8A19F860

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 2052
EPROCESS Address: 0x8A6E4020

Process: C:\WINDOWS\system32\MsPMSPSv.exe
Process Id: 2204
EPROCESS Address: 0x88A8A690

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 2336
EPROCESS Address: 0x88ADF350

Process: C:\WINDOWS\system32\alg.exe
Process Id: 2924
EPROCESS Address: 0x8A614320

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 3584
EPROCESS Address: 0x8A59EBF0

Process: C:\WINDOWS\system32\rundll32.exe
Process Id: 3616
EPROCESS Address: 0x8A57EB40

Process: C:\LE38\h8RteuadsY2a67.exe
Process Id: 284
EPROCESS Address: 0x88910BE0

Process: C:\Program Files\COMODO\Firewall\cmdagent.exe
Process Id: 592
EPROCESS Address: 0x88B0E988

Process: C:\Program Files\Privacyware\Dynamic Security Agent\pfsvc.exe
Process Id: 1300
EPROCESS Address: 0x88AF6DA0

Process: C:\Program Files\COMODO\Firewall\cfp.exe
Process Id: 1896
EPROCESS Address: 0x8A1D2C08

Process: C:\Program Files\Privacyware\Dynamic Security Agent\DSA.exe
Process Id: 1924
EPROCESS Address: 0x8A208708

==============================================
>Drivers
Driver: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF183000
Size: 3092480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xB8F30000
Size: 2625536 bytes

Driver: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000
Size: 2260992 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2260992 bytes

Driver: RAW
Address: 0x804D7000
Size: 2260992 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2260992 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF476000
Size: 1589248 bytes

Driver: C:\WINDOWS\system32\drivers\ha10kx2k.sys
Address: 0xAC576000
Size: 1064960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys
Address: 0xB8CA7000
Size: 1044480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSFCXTS2.sys
Address: 0xB8BFF000
Size: 688128 bytes

Driver: C:\WINDOWS\System32\drivers\ctac32k.sys
Address: 0xAC3FA000
Size: 638976 bytes

Driver: Ntfs.sys
Address: 0xF7B52000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\drivers\ctaud2k.sys
Address: 0xB8E56000
Size: 499712 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_V124.sys
Address: 0xA916B000
Size: 491520 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xAC19E000
Size: 458752 bytes

Driver: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF096000
Size: 450560 bytes

Driver: C:\WINDOWS\System32\drivers\ACEDRV08.sys
Address: 0xA9D62000
Size: 401408 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys
Address: 0xA9390000
Size: 393216 bytes

Driver: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xB8ADE000
Size: 385024 bytes

Driver: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xAC2EC000
Size: 364544 bytes

Driver: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xA932C000
Size: 335872 bytes

Driver: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF104000
Size: 331776 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys
Address: 0xA9476000
Size: 290816 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 286720 bytes

Driver: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF051000
Size: 282624 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA9418000
Size: 266240 bytes

Driver: C:\WINDOWS\System32\atkdisp.dll
Address: 0xBF012000
Size: 245760 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys
Address: 0xB8DA6000
Size: 221184 bytes

Driver: C:\WINDOWS\System32\drivers\ctoss2k.sys
Address: 0xB8DDC000
Size: 208896 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys
Address: 0xA9233000
Size: 200704 bytes

Driver: ACPI.sys
Address: 0xF75A7000
Size: 192512 bytes

Driver: C:\WINDOWS\System32\atiok3x2.dll
Address: 0xBF155000
Size: 188416 bytes

Driver: C:\WINDOWS\System32\drivers\emupia2k.sys
Address: 0xAC549000
Size: 184320 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xA9A3D000
Size: 184320 bytes

Driver: C:\WINDOWS\System32\DRIVERS\NDIS.SYS
Address: 0xF795A000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA8AF0000
Size: 176128 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xAC20E000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Address: 0xA9599000
Size: 167936 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB8EF4000
Size: 163840 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xAC25B000
Size: 163840 bytes

Driver: C:\WINDOWS\System32\drivers\ctsfm2k.sys
Address: 0xAC496000
Size: 159744 bytes

Driver: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Address: 0xB8BD9000
Size: 155648 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xAC283000
Size: 155648 bytes

Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA8ACC000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB8E32000
Size: 147456 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xB8ED0000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xB8E0F000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAC239000
Size: 139264 bytes

Driver: ACPI_HAL
Address: 0x806FF000
Size: 134400 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806FF000
Size: 134400 bytes

Driver: fltmgr.sys
Address: 0xF7877000
Size: 131072 bytes

Driver: ftdisk.sys
Address: 0xF74D7000
Size: 126976 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys
Address: 0xA9459000
Size: 118784 bytes

Driver: C:\WINDOWS\system32\drivers\pwipf6.sys
Address: 0xAC2A9000
Size: 110592 bytes

Driver: C:\WINDOWS\system32\drivers\AtiHdAud.sys
Address: 0xAC742000
Size: 106496 bytes

Driver: Mup.sys
Address: 0xF7A35000
Size: 106496 bytes

Driver: atapi.sys
Address: 0xF74BF000
Size: 98304 bytes

Driver: KSecDD.sys
Address: 0xF7408000
Size: 94208 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xB8B9D000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA9938000
Size: 86016 bytes

Driver: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Address: 0xA94E5000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Address: 0xAC378000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xB8BB4000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB8F1C000
Size: 81920 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xAC345000
Size: 77824 bytes

Driver: WudfPf.sys
Address: 0xF7864000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000
Size: 73728 bytes

Driver: inspect.sys
Address: 0xF7852000
Size: 73728 bytes

Driver: C:\WINDOWS\system32\Drivers\LxrSII1d.sys
Address: 0xA937E000
Size: 73728 bytes

Driver: sfdrv01.sys
Address: 0xF7840000
Size: 73728 bytes

Driver: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xAC165000
Size: 69632 bytes

Driver: pci.sys
Address: 0xF7596000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xB8B8C000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xB8BC8000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF76F7000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF74AF000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF76C7000
Size: 65536 bytes

Driver: ohci1394.sys
Address: 0xF7607000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xBA1C3000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7506000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF749F000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA9A92000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xBA233000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF7617000
Size: 57344 bytes

Driver: VolSnap.sys
Address: 0xF7647000
Size: 57344 bytes

Driver: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF7667000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys
Address: 0xA9772000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF748F000
Size: 53248 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF746F000
Size: 49152 bytes

Driver: agp440.sys
Address: 0xF7687000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA1B3000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF74F6000
Size: 45056 bytes

Driver: MountMgr.sys
Address: 0xF7627000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF747F000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xF743F000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF7516000
Size: 40960 bytes

Driver: isapnp.sys
Address: 0xF75F7000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA243000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF744F000
Size: 40960 bytes

Driver: disk.sys
Address: 0xF7657000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF76B7000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF745F000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xBA1E3000
Size: 36864 bytes

Driver: PxHelp20.sys
Address: 0xF7677000
Size: 36864 bytes

Driver: sfsync02.sys
Address: 0xF7637000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xBA1F3000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\drivers\ctprxy2k.sys
Address: 0xF7767000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF776F000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF77C7000
Size: 32768 bytes

Driver: sfhlp02.sys
Address: 0xF771F000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Address: 0xF77DF000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF775F000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\evidence.SYS
Address: 0xB8B5C000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF7777000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF77AF000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF778F000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF7797000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xF77D7000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF7757000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF77B7000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\DRIVERS\cmdhlp.sys
Address: 0xF77CF000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF779F000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Address: 0xF780F000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF77BF000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xF770F000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF777F000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF7787000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7717000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xF77E7000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\drivers\asusgsb.sys
Address: 0xBA79A000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xBA7D0000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xBA786000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xA9E48000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xBA7B8000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\drivers\atkkbnt.sys
Address: 0xBA7A2000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xAC696000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\EIO.sys
Address: 0xBA7D8000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Address: 0xBA7BC000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBA7E0000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Address: 0xA9525000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xBA7DC000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xBA796000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF7943000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Video3D32.sys
Address: 0xBA79E000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xBA782000
Size: 12288 bytes

Driver: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Address: 0xF79D9000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79D1000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79CF000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79D3000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF79A7000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\PfModNT.sys
Address: 0xF79B9000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79D5000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF79C9000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF79CD000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7989000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7AA0000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7AB3000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7A84000
Size: 4096 bytes

Driver: pciide.sys
Address: 0xF7A4F000
Size: 4096 bytes

==============================================
>Stealth
==============================================
>Files
==============================================
>Hooks

ntoskrnl.exe+0x00005B12, Type: Inline - RelativeJump 0x804DCB12 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D970, Type: Inline - RelativeJump 0x804E4970 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DA70, Type: Inline - RelativeJump 0x804E4A70 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DCA4, Type: Inline - RelativeJump 0x804E4CA4 [ntoskrnl.exe]
ntoskrnl.exe+0x0000DCF4, Type: Inline - RelativeJump 0x804E4CF4 [ntoskrnl.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xAC32B428 [inspect.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xAC32B454 [inspect.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xAC32B460 [inspect.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xBA1F8B4C [inspect.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xBA1F8B1C [inspect.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xBA1F8B3C [inspect.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xBA1F8B28 [inspect.sys]
[1016]ati2evxx.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1016]ati2evxx.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1016]ati2evxx.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1016]ati2evxx.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1016]ati2evxx.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1016]ati2evxx.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1016]ati2evxx.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1016]ati2evxx.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1016]ati2evxx.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1016]ati2evxx.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1016]ati2evxx.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1016]ati2evxx.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1016]ati2evxx.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1016]ati2evxx.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1016]ati2evxx.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1036]svchost.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1036]svchost.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1036]svchost.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1036]svchost.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1036]svchost.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1036]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1036]svchost.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1036]svchost.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1036]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1036]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1036]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1036]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1036]svchost.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1036]svchost.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1036]svchost.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1104]svchost.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1104]svchost.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1104]svchost.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1104]svchost.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1104]svchost.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1104]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1104]svchost.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1104]svchost.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1104]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1104]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1104]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1104]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1104]svchost.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1104]svchost.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1104]svchost.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1220]svchost.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1220]svchost.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1220]svchost.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1220]svchost.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1220]svchost.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1220]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1220]svchost.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1220]svchost.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1220]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1220]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1220]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1220]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1220]svchost.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1220]svchost.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1220]svchost.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1260]svchost.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1260]svchost.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1260]svchost.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1260]svchost.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1260]svchost.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1260]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1260]svchost.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1260]svchost.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1260]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1260]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1260]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1260]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1260]svchost.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1260]svchost.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1260]svchost.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1316]svchost.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1316]svchost.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1316]svchost.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1316]svchost.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1316]svchost.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1316]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1316]svchost.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1316]svchost.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1316]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1316]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1316]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1316]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1316]svchost.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1316]svchost.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1316]svchost.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1420]svchost.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1420]svchost.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1420]svchost.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1420]svchost.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1420]svchost.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1420]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1420]svchost.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1420]svchost.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1420]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1420]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1420]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1420]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1420]svchost.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1420]svchost.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1420]svchost.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1524]ati2evxx.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1524]ati2evxx.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1524]ati2evxx.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1524]ati2evxx.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1524]ati2evxx.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1524]ati2evxx.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1524]ati2evxx.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1524]ati2evxx.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1524]ati2evxx.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1524]ati2evxx.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1524]ati2evxx.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1524]ati2evxx.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1524]ati2evxx.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1524]ati2evxx.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1524]ati2evxx.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1596]spoolsv.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1596]spoolsv.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1596]spoolsv.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1596]spoolsv.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1596]spoolsv.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1596]spoolsv.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1596]spoolsv.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1596]spoolsv.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1596]spoolsv.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1596]spoolsv.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1596]spoolsv.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1596]spoolsv.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1596]spoolsv.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1596]spoolsv.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1596]spoolsv.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1600]HPZipm12.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1600]HPZipm12.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1600]HPZipm12.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1600]HPZipm12.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1600]HPZipm12.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1600]HPZipm12.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1600]HPZipm12.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1600]HPZipm12.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1600]HPZipm12.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1600]HPZipm12.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1600]HPZipm12.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1600]HPZipm12.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1600]HPZipm12.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1600]HPZipm12.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1600]HPZipm12.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1820]explorer.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DA1218 [shimeng.dll]
[1820]explorer.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1820]explorer.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1820]explorer.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1820]explorer.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1820]explorer.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1820]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77EF10B4 [shimeng.dll]
[1820]explorer.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1820]explorer.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1820]explorer.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1820]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[1820]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1820]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1820]explorer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1820]explorer.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1820]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9D15A4 [shimeng.dll]
[1820]explorer.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [guard32.dll]
[1820]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E39133C [shimeng.dll]
[1820]explorer.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1820]explorer.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1820]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x44081488 [shimeng.dll]
[1820]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x719F109C [shimeng.dll]
[1888]type32.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1888]type32.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1888]type32.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1888]type32.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1888]type32.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1888]type32.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1888]type32.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1888]type32.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1888]type32.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1888]type32.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1888]type32.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1888]type32.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1888]type32.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1888]type32.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1888]type32.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1912]avgnt.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1912]avgnt.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1912]avgnt.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1912]avgnt.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1912]avgnt.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1912]avgnt.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1912]avgnt.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1912]avgnt.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1912]avgnt.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1912]avgnt.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1912]avgnt.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1912]avgnt.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1912]avgnt.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1912]avgnt.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1912]avgnt.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[1980]ctfmon.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[1980]ctfmon.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[1980]ctfmon.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[1980]ctfmon.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[1980]ctfmon.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[1980]ctfmon.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[1980]ctfmon.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[1980]ctfmon.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[1980]ctfmon.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[1980]ctfmon.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[1980]ctfmon.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[1980]ctfmon.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1980]ctfmon.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[1980]ctfmon.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[1980]ctfmon.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[2052]svchost.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[2052]svchost.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[2052]svchost.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[2052]svchost.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[2052]svchost.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[2052]svchost.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[2052]svchost.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[2052]svchost.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[2052]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[2052]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[2052]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[2052]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[2052]svchost.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[2052]svchost.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[2052]svchost.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[2204]MsPMSPSv.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[2204]MsPMSPSv.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[2204]MsPMSPSv.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[2204]MsPMSPSv.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[2204]MsPMSPSv.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[2204]MsPMSPSv.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[2204]MsPMSPSv.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[2204]MsPMSPSv.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[2204]MsPMSPSv.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[2204]MsPMSPSv.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[2204]MsPMSPSv.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[2204]MsPMSPSv.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[2204]MsPMSPSv.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[2204]MsPMSPSv.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[2336]iexplore.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[2336]iexplore.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[2336]iexplore.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[2336]iexplore.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[2336]iexplore.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[2336]iexplore.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[2336]iexplore.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[2336]iexplore.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[2336]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[2336]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[2336]iexplore.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[2336]iexplore.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[2336]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E3D6D7D [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E3B2072 [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E3BB144 [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E3A47AB [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[2336]iexplore.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[2336]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E3D085C [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E3D0838 [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E3BA082 [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E3E64D5 [ieframe.dll]
[2336]iexplore.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[2924]alg.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[2924]alg.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[2924]alg.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[2924]alg.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[2924]alg.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[2924]alg.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[2924]alg.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[2924]alg.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[2924]alg.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[2924]alg.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[2924]alg.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[2924]alg.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[2924]alg.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[2924]alg.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[2924]alg.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[3584]iexplore.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[3584]iexplore.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[3584]iexplore.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[3584]iexplore.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[3584]iexplore.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[3584]iexplore.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[3584]iexplore.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[3584]iexplore.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[3584]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[3584]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[3584]iexplore.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[3584]iexplore.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[3584]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E3D6D7D [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E3B2072 [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E3BB144 [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E3A47AB [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[3584]iexplore.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[3584]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E3D085C [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E3D0838 [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E3BA082 [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E3E64D5 [ieframe.dll]
[3584]iexplore.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[3616]rundll32.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[3616]rundll32.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[3616]rundll32.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[3616]rundll32.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[3616]rundll32.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[3616]rundll32.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[3616]rundll32.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[3616]rundll32.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[3616]rundll32.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[3616]rundll32.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[3616]rundll32.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[3616]rundll32.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[3616]rundll32.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[3616]rundll32.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[3616]rundll32.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[436]CTSVCCDA.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[436]CTSVCCDA.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[436]CTSVCCDA.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[436]CTSVCCDA.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[436]CTSVCCDA.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[436]CTSVCCDA.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[436]CTSVCCDA.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[568]avguard.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[568]avguard.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[568]avguard.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[568]avguard.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[568]avguard.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[568]avguard.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[568]avguard.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[580]ATKKBService.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[580]ATKKBService.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[580]ATKKBService.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[580]ATKKBService.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[580]ATKKBService.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[580]ATKKBService.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[580]ATKKBService.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[580]ATKKBService.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[580]ATKKBService.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[580]ATKKBService.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[580]ATKKBService.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[580]ATKKBService.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[580]ATKKBService.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[580]ATKKBService.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[792]winlogon.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[792]winlogon.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[792]winlogon.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[792]winlogon.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[792]winlogon.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[792]winlogon.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[792]winlogon.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[792]winlogon.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[792]winlogon.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[792]winlogon.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[792]winlogon.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[792]winlogon.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[792]winlogon.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[792]winlogon.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[792]winlogon.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[836]services.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[836]services.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[836]services.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[836]services.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[836]services.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[836]services.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[836]services.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[836]services.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[836]services.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[836]services.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[836]services.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[836]services.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[836]services.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[836]services.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[836]services.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[836]services.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[836]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[836]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[836]services.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[836]services.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[836]services.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[836]services.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[836]services.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[848]lsass.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[848]lsass.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[848]lsass.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[848]lsass.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[848]lsass.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[848]lsass.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[848]lsass.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[848]lsass.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[848]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[848]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[848]lsass.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[848]lsass.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[848]lsass.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[848]lsass.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[848]lsass.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]
[892]LxrSII1s.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E071E9 [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E07381 [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E07489 [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump 0x77DB4280 [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump 0x77DB557B [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump 0x77DAECD5 [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump 0x77DAEDE1 [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump 0x77DAEAD7 [pfproc.dll]
[892]LxrSII1s.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump 0x77DAD757 [pfproc.dll]
[892]LxrSII1s.exe-->gdi32.dll-->BitBlt, Type: Inline - RelativeJump 0x77EF6F79 [guard32.dll]
[892]LxrSII1s.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77EFB7C2 [guard32.dll]
[892]LxrSII1s.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77EFBE28 [guard32.dll]
[892]LxrSII1s.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C [pfproc.dll]
[892]LxrSII1s.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E [pfproc.dll]
[892]LxrSII1s.exe-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump 0x7C80C200 [pfproc.dll]
[892]LxrSII1s.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B [pfproc.dll]
[892]LxrSII1s.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEDB [pfproc.dll]
[892]LxrSII1s.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C92736B [guard32.dll]
[892]LxrSII1s.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[892]LxrSII1s.exe-->user32.dll-->EndTask, Type: Inline - RelativeJump 0x7E3DA0A5 [pfproc.dll]
[892]LxrSII1s.exe-->user32.dll-->keybd_event, Type: Inline - RelativeJump 0x7E3E6783 [guard32.dll]
[892]LxrSII1s.exe-->user32.dll-->mouse_event, Type: Inline - RelativeJump 0x7E3E673F [guard32.dll]






#11 Txon (AïoligaToR, Administrator, 10,854 posts)

Posted 07 September 2008 - 07:20

Hi!
It's a bit clearer now.

Avira's antivirus found three nasties that Panda's had not detected and that your other defences had let through: Java.Bytver.5.A exploit, ByteVerify.I exploit, BDS/Agent.CC back-door program. I'll let you check with Google what they correspond to, but they don't seem to be hidden by rootkits.
On that subject, the Antivir setting concerning them, "Search for rootkits..............: off", must be switched to "[on]".

The RkUnhooker 3.8 log gives the following:
[1] SSDT and Shadow SSDT
... a ... "cmdguard.sys" is the Comodo F.P. driver. Its hooks are not a problem. Don't touch them.
... b ... "pwipf6.sys" is the Webroot Desktop Firewall driver. Why did you install that software when you already have Comodo and, I hope for your sake, DSA? All the more so since Webroot is a rather poor firewall, and by piling things on you risk creating conflicts.
... c ... we do indeed find "Hooked by: Unknown module filename" entries, but at addresses different from those in the RootRepeal scan, which is logical since you must have rebooted your machine in between.
[2] Drivers
I don't have time to check them all in detail but, a priori, none of them is hooked. Everything seems fine.
[3] Stealth Code
Nothing to report.
[4] Files
Nothing to report.
[5] Hooks (Report)
The list is long, but at first sight there is nothing unhealthy in it. I still need to check it in detail. I'll do that later.
As another marker, and provided the list is complete, there should be a message at the end along the lines of "Possible rootkit ...".

Coming back to the <unknow> entries, there is a logic to the fact that RootRepeal or RkUnhooker cannot find the originating file.
You will need to run the scan again, carefully select each <unknow> line (not the others) and, for each one, right-click and choose [Unhook selected].
Note: one of these hooks could come from a Lexar card driver, but that's not certain. Even if that were the case, it would not be crucial.

See you


"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."(Benjamin Franklin)

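The triage Txon does by hand above (group every hook by the module that placed it, treat hooks by the known security-product drivers as expected, and single out the "Hooked by: Unknown module filename" entries) can be automated over the RkUnhooker report format shown in this thread. The Python script below is an added example; it is not part of the original post and not RkUnhooker's own code. It parses the two line formats that appear in the report (the three-line SSDT entries and the one-line per-process inline hook entries), resolves each hook address against a list of loaded-module ranges when the tool could not name the owner, and buckets the result. The sample report, the driver ranges (LOADED_DRIVERS) and the allow-list (TRUSTED) are constructed for illustration; only two of the sample lines are copied from the log above.

```python
"""Triage an RkUnhooker report the way the post above does by hand: group each
hook by the module that placed it, resolve "Hooked by: Unknown module filename"
addresses against loaded-driver ranges, and separate allow-listed hooks from
the ones that deserve a look. Added example, not RkUnhooker code; the sample
report, driver ranges and allow-list below are constructed for illustration."""
import re
from collections import Counter

# One-line per-process entry from the "Hooks (Report)" section, e.g.
# [3584]iexplore.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
INLINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<dll>.+?)-->(?P<func>[^,]+), "
    r"Type: (?P<type>.+?) 0x(?P<addr>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)
# Three-line SSDT entry: "<NtFunction>" / "Actual Address 0x..." / "Hooked by: <path>"
ADDR_RE = re.compile(r"^Actual Address 0x(?P<addr>[0-9A-Fa-f]+)$")
HOOKED_RE = re.compile(r"^Hooked by: (?P<module>.+)$")
UNKNOWN = "Unknown module filename"


def parse_report(text):
    """Return one dict per hook for both the SSDT and the per-process sections."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    hooks, i = [], 0
    while i < len(lines):
        m = INLINE_RE.match(lines[i])
        if m:
            h = m.groupdict()
            h["kind"], h["addr"] = "inline", int(h["addr"], 16)
            hooks.append(h)
            i += 1
            continue
        am = ADDR_RE.match(lines[i])
        hm = HOOKED_RE.match(lines[i + 1]) if am and i + 1 < len(lines) else None
        if am and hm and i > 0:
            # the syscall name sits on the line before "Actual Address"
            hooks.append({"kind": "ssdt", "func": lines[i - 1], "addr": int(am["addr"], 16),
                          "module": hm["module"].split("\\")[-1]})
            i += 2
            continue
        i += 1
    return hooks


def resolve(addr, modules):
    """Map an address to the loaded module whose [base, base+size) range holds it."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def triage(hooks, modules, trusted):
    """Bucket hooks: expected (allow-listed owner), review (named owner not on the
    allow-list), unresolved (tool gave no module and the address is in no known range)."""
    out = {"expected": [], "review": [], "unresolved": [], "by_module": Counter()}
    for h in hooks:
        owner = h["module"] if h["module"] != UNKNOWN else resolve(h["addr"], modules)
        h["owner"] = owner
        if owner is None:
            out["unresolved"].append(h)
            continue
        out["by_module"][owner.lower()] += 1
        (out["expected"] if owner.lower() in trusted else out["review"]).append(h)
    return out


# Constructed sample in the report's own format: two per-process lines copied
# from the log above, one made-up untrusted hook, and three hand-made SSDT entries.
SAMPLE_REPORT = """\
>SSDT State
NtCreateFile
Actual Address 0xACF1E930
Hooked by: C:\\WINDOWS\\System32\\vsdatant.sys
NtWriteVirtualMemory
Actual Address 0xB1F0A2C0
Hooked by: Unknown module filename
NtOpenProcess
Actual Address 0xF7A33110
Hooked by: Unknown module filename
>Hooks
[3584]iexplore.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump 0x77DC49DD [pfproc.dll]
[3584]iexplore.exe-->ntdll.dll-->NtClose, Type: Inline - RelativeJump 0x7C91CFD0 [guard32.dll]
[1234]explorer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E3F0000 [sample_untrusted.dll]
"""
# Assumed loaded-driver ranges (name, base, size), normally taken from the
# report's Drivers section; the values here are constructed for this example.
LOADED_DRIVERS = [("vsdatant.sys", 0xACF10000, 0x30000), ("pwipf6.sys", 0xF7A30000, 0x8000)]
# Assumed allow-list of modules belonging to the security products installed on
# the machine (cmdguard.sys/guard32.dll are Comodo per the post above; the rest
# is an assumption). Verify it against your own installation before trusting it.
TRUSTED = {"cmdguard.sys", "guard32.dll", "vsdatant.sys", "pfproc.dll", "pwipf6.sys"}


def summarize(report=SAMPLE_REPORT, drivers=LOADED_DRIVERS, trusted=TRUSTED):
    return triage(parse_report(report), drivers, trusted)


if __name__ == "__main__":
    result = summarize()
    for bucket in ("unresolved", "review", "expected"):
        for h in result[bucket]:
            print(f"{bucket:10} {h['kind']:6} {h['func']:<24} 0x{h['addr']:08X} "
                  f"{h['owner'] or UNKNOWN}")
```

On the sample the only unresolved entry is the NtWriteVirtualMemory hook, which is exactly the kind of line the post tells the user to select and unhook: the address falls in no loaded module, so neither the tool nor the range lookup can attribute it. Feed the script the real report and the real Drivers section and the "review" bucket is the list to look up one module at a time.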

#12 noisette (Webmarster, Admin, 21,801 posts)

Posted 07 September 2008 - 07:35

QUOTE(Txon @ 7/09/2008, 08:20:44)
Avira's antivirus found three nasties that Panda's had not detected and that your other defences had let through: Java.Bytver.5.A exploit, ByteVerify.I exploit, BDS/Agent.CC back-door program. I'll let you check with Google what they correspond to, but they don't seem to be hidden by rootkits.
On that subject, the Antivir setting concerning them, "Search for rootkits..............: off", must be switched to "[on]".

Hi Hans,

that is exactly what I wanted to start with.

What you can also do: delete those objects found by Antivir, disable System Restore, reboot into Safe Mode and run another scan with Antivir.

I also second Txon's remark: a single resident antivirus, a single firewall ... this is not a trivial point.

Finally, you really should ask your acquaintance for more of an explanation, or tell us more, because frankly "there's something, it's infected" is not an explanation, and Txon and I risk spending hours looking for something that doesn't exist.
You're told there is a keylogger? Why are you told that? What suspicious activity on the PC? On the modem? Precisely ...

Thanks.



#13 Txon (AïoligaToR, Administrator, 10,854 posts)

Posted 07 September 2008 - 09:38

Re ...

Second, very quick check of the RkUnhooker scan ...
Nothing nasty jumps out in Processes or in Drivers. It would be good if you took charge and let your friend Google help you check all that.
One of the two hooks by "<unknow>" is on "NtWriteVirtualMemory" (see -> HERE); the problem is that loads of programs, healthy or not, hook this "class" of Windows. Cancelling that hook and restoring the original values with [Unhook Selected] should have no dramatic consequence. I'll check the other one later.

As for the malware dug up by Antivir, I don't know whether or not they have keylogger functions, but it seems that all three are Trojan horses.
At least two of them have something to do with Java, and I loathe JavaScript (see -> HERE and follow the links).
It might be more prudent for you in future to use Firefox v3 with its NoScript extension, even if the latter may seem annoying, and to run all of that under Sandboxie, even if it takes a few seconds longer to launch your browser than running it directly.

See you


#14 hans (Marsonaute, Zimien, 8 posts)

Posted 08 September 2008 - 04:06

Hello Noisette and Txon. My acquaintance doesn't know much about programming; she isn't the one who put it in my machine.
But I didn't know that a keylogger could be installed from my modem. I'd like to know more.
I did a scan in Safe Mode with rootkit set to on. It found nothing, apart from 2 warnings, files that could not be checked.
I have installed DSA, Comodo, Spyware Terminator and Antivir on my machine.
pwipf6.sys is an old file, I think. The system uninstalled it badly. I'll look later into removing it, but it seems active in memory; I'll delete it in Safe Mode.
At the end of the scan with RKU it really does say possible rootkit detection every time.
I'll recheck RKU for the unknowns.
Thanks for the help.





#15 Txon (AïoligaToR, Administrator, 10,854 posts)

Posted 08 September 2008 - 08:08

QUOTE(hans @ 8/09/2008, 05:06:22)
I did a scan in Safe Mode with rootkit set to on. It found nothing, apart from 2 warnings, files that could not be checked.
The files that cannot be checked most often belong to the system or to certain running applications. Why didn't you note down (in Notepad) which ones they were?

QUOTE(hans @ 8/09/2008, 05:06:22)
I have installed DSA, Comodo, Spyware Terminator and Antivir on my machine.
That is already a lot. You really don't need anything else running permanently.

QUOTE(hans @ 8/09/2008, 05:06:22)
pwipf6.sys is an old file, I think. The system uninstalled it badly. I'll look later into removing it, but it seems active in memory; I'll delete it in Safe Mode.
Don't just believe that; it isn't an old file. "pwipf6.sys" is the driver of DSA v2. Without that driver DSA is no longer effective and should even, sooner or later, give you an error message.
All you have left to do is uninstall DSA completely and reinstall it cleanly.

QUOTE(hans @ 8/09/2008, 05:06:22)
At the end of the scan with RKU it really does say possible rootkit detection every time.
That's what I thought. I also saw, in [Report], that the hooks by <unknow> were missing. Which hooks are missing (all of them)? Why did you truncate the lists you posted here? Hiding something?

See you


#16 hans (Marsonaute, Zimien, 8 posts)

Posted 09 September 2008 - 00:30

Hi Txon, I never truncated anything in the reports. I don't know whether RKU examines all the files properly, but every time I scan, right at the bottom of the report it says possible rootkit detected.
There are a few error windows before the report arrives.
The unknown files in RKU appeared only after uninstalling Panda and Malware Sweeper and replacing them with Antivir, Comodo and DSA. Should a conclusion be drawn from that?
I would like to know whether it is possible to install a kind of keylogger on a provider's high-speed modem.
Thanks Txon and Noisette.

#17 noisette (Webmarster, Admin, 21,801 posts)

Posted 09 September 2008 - 06:33

Hi Hans,

anything is possible, but in my opinion it is very, very unlikely.
To reassure yourself, at the risk of destroying your modem, you can try updating its firmware.

#18 Txon (AïoligaToR, Administrator, 10,854 posts)

Posted 09 September 2008 - 06:55

QUOTE(hans @ 9/09/2008, 01:30:29)
... I never truncated anything in the reports. I don't know whether RKU examines all the files properly, but every time I scan, right at the bottom of the report it says possible rootkit detected.
What you posted is indeed only part of the full set of lines in the list, since the closing message that signals the possibility of a rootkit is missing. So yes, there was truncation.

QUOTE(hans @ 9/09/2008, 01:30:29)
... there are a few error windows before the report arrives.
Interesting! What do they consist of? Can you take a screenshot?

QUOTE(hans @ 9/09/2008, 01:30:29)
The unknown files in RKU appeared only after uninstalling Panda and Malware Sweeper and replacing them with Antivir, Comodo and DSA. Should a conclusion be drawn from that?
Drawing a conclusion would be jumping the gun, but it is indeed a lead. Uninstalling certain software via the uninstaller supplied by the vendor is sometimes incomplete, and that is often the case for defensive software (Zone Alarm was one of them; for the others, I don't know). "Traces" remain: Windows Registry keys, driver(s) ... and that can create problems.
If you know the names of the drivers of the software you uninstalled, you can check for yourself whether they are still present on your computer's disk. You can also take a look in the Registry for keys that were not removed. You can do the same for any directory that was not deleted.
The best thing, when you install defensive software, is to do it under the control of a real uninstaller.

QUOTE(hans @ 9/09/2008, 01:30:29)
I would like to know whether it is possible to install a kind of keylogger on a provider's high-speed modem.
What I know is that it is possible to introduce a rootkit into any computer peripheral that has firmware, and that is the case for a modem. Rootkit potentially means any malware (see -> HERE <- (b) Firmware rootkits (driver level rootkits) or flash). To date I haven't heard of it for modems, but I am very far from knowing everything, and anything can happen one day or another.
The only solutions in that case are:
  • Try to overwrite the parasite by unloading the peripheral's driver and then installing that driver again,
  • Replace the peripheral if the first solution was not enough.

See you

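Txon's advice above (check whether the drivers of the products you uninstalled are still on disk, and whether their Registry keys are still there) can be scripted rather than done key by key in regedit. The Python script below is an added example and not part of the thread; it walks HKLM\SYSTEM\CurrentControlSet\Services, normalises the several forms a driver's ImagePath can take, and reports two kinds of leftovers: driver services that are still registered but whose image file no longer exists (the dangling registration a botched uninstall typically leaves), and driver files still present in system32\drivers for a list of names you supply. The registry walk uses the standard winreg module and therefore only runs on Windows; the checking functions take plain data so they run anywhere, and the sample entries (SAMPLE_SERVICES, SAMPLE_DISK, the sample* names) are constructed for illustration.

```python
"""Look for what an incomplete uninstall of a security product leaves behind:
driver services still registered under HKLM\\SYSTEM\\CurrentControlSet\\Services
whose ImagePath no longer exists, and driver files still sitting in
system32\\drivers. Added example, not from the thread. The registry walk uses
winreg and only works on Windows; the checking functions take plain data so
they run anywhere, and the sample data below is constructed."""
import os
import sys

SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\WINDOWS")
KERNEL_DRIVER, FS_DRIVER = 1, 2   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER


def normalize_image_path(image_path, system_root=SYSTEM_ROOT):
    """Turn the forms a driver's ImagePath can take into one Win32 path."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                 # NT-style \??\C:\...
        return p[4:]
    if low.startswith("\\systemroot\\"):          # \SystemRoot\system32\drivers\x.sys
        return system_root + "\\" + p[len("\\SystemRoot\\"):]
    if low.startswith("%systemroot%\\"):          # %SystemRoot%\system32\...
        return system_root + "\\" + p[len("%SystemRoot%\\"):]
    if len(p) > 1 and p[1] == ":":                # already absolute
        return p
    return system_root + "\\" + p                 # bare relative, e.g. system32\DRIVERS\x.sys


def find_orphaned_drivers(services, exists=os.path.exists, system_root=SYSTEM_ROOT):
    """services: iterable of (name, type, image_path or None).
    Returns [(name, resolved_path)] for driver services whose image is missing."""
    orphans = []
    for name, svc_type, image_path in services:
        if svc_type not in (KERNEL_DRIVER, FS_DRIVER):
            continue
        if image_path is None:   # no ImagePath: the SCM defaults to system32\drivers\<name>.sys
            path = f"{system_root}\\system32\\drivers\\{name}.sys"
        else:
            path = normalize_image_path(image_path, system_root)
        if not exists(path):
            orphans.append((name, path))
    return orphans


def find_leftover_files(candidates, exists=os.path.exists, system_root=SYSTEM_ROOT):
    """candidates: driver file names the uninstaller should have removed."""
    drivers_dir = f"{system_root}\\system32\\drivers"
    return [f"{drivers_dir}\\{n}" for n in candidates if exists(f"{drivers_dir}\\{n}")]


def read_services_from_registry():
    """Enumerate the Services key (Windows only). Run as Administrator."""
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    svc_type = winreg.QueryValueEx(sub, "Type")[0]
                except FileNotFoundError:
                    continue                       # not a service entry
                try:
                    image = winreg.QueryValueEx(sub, "ImagePath")[0]
                except FileNotFoundError:
                    image = None
            out.append((name, svc_type, image))
    return out


# Constructed sample: registry entries and a fake view of what is on disk.
SAMPLE_SERVICES = [
    ("cmdguard", KERNEL_DRIVER, r"system32\DRIVERS\cmdguard.sys"),
    ("pwipf6", KERNEL_DRIVER, r"\SystemRoot\system32\drivers\pwipf6.sys"),
    ("sample_uninstalled_av", KERNEL_DRIVER, r"\??\C:\Program Files\SampleAV\sampleav.sys"),
    ("Spooler", 0x10, r"%SystemRoot%\system32\spoolsv.exe"),   # Win32 service, not a driver
    ("sample_cardreader", FS_DRIVER, None),                     # no ImagePath, default location
]
SAMPLE_DISK = {
    r"c:\windows\system32\drivers\cmdguard.sys",
    r"c:\windows\system32\drivers\pwipf6.sys",
    r"c:\windows\system32\drivers\sample_cardreader.sys",
    r"c:\windows\system32\drivers\sampleav_leftover.sys",
}


def sample_exists(path):
    """Stand-in for os.path.exists over the constructed disk view."""
    return path.lower() in SAMPLE_DISK


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    services = read_services_from_registry() if on_windows else SAMPLE_SERVICES
    exists = os.path.exists if on_windows else sample_exists
    root = SYSTEM_ROOT if on_windows else r"C:\WINDOWS"
    for name, path in find_orphaned_drivers(services, exists, root):
        print(f"orphaned driver service: {name} -> {path}")
    for path in find_leftover_files(["sampleav_leftover.sys"], exists, root):
        print(f"leftover driver file: {path}")
```

A service whose image is gone is harmless by itself but is exactly the kind of stale entry that confuses tools and users alike, and a driver file that is still on disk after an uninstall may still be loading. Cross-check both lists against the Drivers section of the RkUnhooker report before deleting anything, and remove leftovers from Safe Mode, as the thread already suggests.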

#19 hans (Marsonaute, Zimien, 8 posts)

Posted 10 September 2008 - 03:45

Hi Txon and Noisette. I never truncated any report; I don't know why you claim that for RKU. I save the report in "My Documents" and attach it to the forum, not copy-paste. Try it!
Messages appear when I request the report with RKU: at least 5 windows open one after another with the mention "error starting helper service". I press OK on all of them. At the end of the report, as always, it says !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =) (that one is a copy-paste)
Is it real, in a program's kernel, or in peripherals?
I've got a keylogger picked up in one place or another.
I have a modem and IP telephone over cable at the same time, from, not to name them, Videotron. How can that kind of modem be tampered with? I don't even have software to run it. I just had to open Network Connections in Windows the first time and hop, everything installed itself.
Thanks for your advice.





#20 Txon (AïoligaToR, Administrator, 10,854 posts)

Posted 10 September 2008 - 08:12

Re ...

Messages of the type "Error starting helper service" can have several origins, all related to the "Helper Service" not running: running in safe mode, in certain "virtual machines", in an account that has been "tweaked" too much, within a damaged Windows, etc.

The Trojan horses removed by the first Antivir scan may have had a keylogger function. Did you verify the results with a second "control" scan?
Can you then redo the most complete scan possible with RootRepeal 1.1.1 and with RkUnhooker 3.8, after a system restart and launching as few application programs as possible?

To unload and then reload your modem's "driver", you first need to have that driver and the uninstaller. In theory your Internet service provider should have given you information about the make and model of the modem and an installation CD. If that is not the case, you will have to find all the necessary information yourself (possibly by calling the provider) and look for the uninstaller and the "driver" on the web, usually on the manufacturer's site.

Have you uninstalled and then reinstalled Dynamic Security Agent?

@+



#21 hans

Posted 12 September 2008 - 03:22

Hello Txon, and Noisette if you are still there

Well, yesterday I tried quite a few times to send you on the forum what I wrote, and your server was always in error, something like "ips driver error".

I did a partial scan of the files with Antivir and I have a warning: "C:\pagefile.sys
[WARNING] The file could not be opened!" I will have a second one when I have time to do a complete scan of my machine.

I uninstalled DSA for now, I already have enough with Comodo, Antivir and Spyware Terminator.
I will have to call my provider to uninstall the driver on the modem. It did not come with an installation CD.

In safe mode I deleted a file in RAM, wudftrace.etl. I checked with Google, it seems to be a virus (Beagle), I am not sure.

Now here is the RootRepeal hook report:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2008/09/11 22:09
Program Version: Version 1.1.1.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: RootRepeal.sys
Image Path: C:\WINDOWS\system32\drivers\RootRepeal.sys
Address: 0xA7C82000 Size: 40960 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\neo\ntuser.dat.LOG
Status: Size mismatch (API: 1024, Raw: 32768)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4eec8c

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab094606

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ee3c4

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab09405a

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab093d3c

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ee080

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab095652

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4eee72

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb91771fc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab093e46

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab093f30

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4edb02

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab0948cc

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab094362

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb91771e8

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ee744

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb91771ed

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ef7f2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ee196

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4efae6

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4efec4

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab093bba

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ee5d2

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ee638

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab094814

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xac4ede18

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab094494

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xb91771f2

Thanks, see you






#22 noisette

Posted 12 September 2008 - 06:43

Hi,

Yes, the site was unreachable yesterday.

No worries about your pagefile.sys. (At worst, you set no paging file, reboot, then set a paging file again.)

For the file: http://www.commentca...us-beagle-bagle
in case, as you think, Beagle is on your PC (a priori, it would prevent you from getting into safe mode).
I recommend the ComboFix method.

#23 Txon

Posted 12 September 2008 - 10:14

Hello!

The message C:\pagefile.sys [WARNING] The file could not be opened! is Antivir's, reporting that it cannot scan that system file. You could have had a similar message for other files such as C:\hiberfil.sys (hibernation), etc.

The WUDFTrace.etl file was, as you could see, in the \system32\LogFiles\WUDF\ subdirectory, where "log" files (analysis results) of system modules are placed. That file may possibly be a "fake" containing a malware's data, but above all it may be the genuine "log" file of WUDFSvc, which is Windows' "User-mode Driver Framework Service" for creating user-mode "drivers" and which uses the wudfrd.sys driver and the WudfSvc.dll library ...
Google could just as well have shown you that this service is used in all sorts of ways (see for example -> HERE <- in English). If you have not installed in your PC any tool or utility that calls on all of this, it is worrying; otherwise it is nothing nasty.

The ntuser.dat.log file is protected by the system and contains the user profile of your "neo" account and the changes made to the Windows Registry during the session (ntuser.dat).

The hooks made by cmdguard.sys and by sp_rsdrv2.sys are of course nothing to worry about. They must not be touched.
The hooks made by "<unknown>" in NtOpenProcess and in NtWriteVirtualMemory are at addresses that have of course changed since last time. Nothing can be concluded from them as they stand. You can undo those hooks as I already indicated (see above).
Obviously, I asked you to run the RootRepeal and RkUnhooker scans during the same session and immediately one after the other, for cross-checking. A single one is not enough.

@+


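One way to do the cross-check Txon asks for, as an added example that is not part of this thread or of either tool: a Python script that parses the SSDT section of both report formats as posted above, normalises the hooking module, and flags each hooked function as benign (allowlisted product, both tools agree), unattributed, mismatched between the two runs, or seen by one tool only. The allowlist of benign hooking drivers and the shortened report excerpts are constructed assumptions.

```python
"""Cross-check the SSDT hook lists of an RkUnhooker and a RootRepeal report."""
import re
# Modules whose hooks the thread treats as expected; assumption: extend for your own products.
KNOWN_HOOKERS = {"cmdguard.sys", "sp_rsdrv2.sys"}
RKU_ADDR = re.compile(r"^Actual Address (0x[0-9A-Fa-f]+)$")
RKU_HOOK = re.compile(r"^Hooked by: (.+)$")
RR_FUNC = re.compile(r"^#: \d+ Function Name: (\w+)$")
RR_HOOK = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)$')

def _module(raw):
    """Lower-case basename of the hooking module; None when the tool could not name it."""
    raw = raw.strip()
    if raw in ("<unknown>", "Unknown module filename"):
        return None
    return raw.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_rku(text):
    """'>SSDT State' section of an RkUnhooker report -> {function: (module, address)}."""
    hooks, lines = {}, [ln.strip() for ln in text.splitlines()]
    if ">SSDT State" not in lines:
        return hooks
    i = lines.index(">SSDT State") + 1
    while i < len(lines) and not lines[i].startswith(">"):  # next section (>Shadow) ends it
        if lines[i] and i + 2 < len(lines):
            m_addr, m_hook = RKU_ADDR.match(lines[i + 1]), RKU_HOOK.match(lines[i + 2])
            if m_addr and m_hook:  # three-line record: name / address / module
                hooks[lines[i]] = (_module(m_hook.group(1)), int(m_addr.group(1), 16))
                i += 3
                continue
        i += 1
    return hooks

def parse_rootrepeal(text):
    """SSDT section of a RootRepeal report -> {function: (module, address)}; 'Not hooked' dropped."""
    hooks, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m_func = RR_FUNC.match(line)
        if m_func:
            current = m_func.group(1)
            continue
        m_hook = RR_HOOK.match(line)
        if m_hook and current:
            hooks[current] = (_module(m_hook.group(1)), int(m_hook.group(2), 16))
        if line.startswith("Status:"):
            current = None
    return hooks

def cross_check(rku, rr):
    """Verdict per hooked function: benign (tools agree, allowlisted module), unattributed
    (agree, no module name), mismatch (module or address differ: the reports were not
    taken in the same session), single_tool (one tool only), unlisted_module."""
    verdicts = {}
    for func in sorted(set(rku) | set(rr)):
        a, b = rku.get(func), rr.get(func)
        if a is None or b is None:
            verdicts[func] = "single_tool"
        elif a != b:
            verdicts[func] = "mismatch"
        elif a[0] is None:
            verdicts[func] = "unattributed"
        elif a[0] in KNOWN_HOOKERS:
            verdicts[func] = "benign"
        else:
            verdicts[func] = "unlisted_module"
    return verdicts

# Constructed excerpts, shortened from the reports posted in this thread.
RKU_SAMPLE = r"""
>SSDT State
NtClose
Actual Address 0xABE78606
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtOpenProcess
Actual Address 0xF7A84F10
Hooked by: Unknown module filename

>Shadow
"""
RR_SAME_SESSION = r"""
#: 024 Function Name: NtClearEvent
Status: Not hooked
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe78606
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7a84f10
"""
# RootRepeal run from an earlier boot: the addresses moved, so it cannot be correlated.
RR_EARLIER_SESSION = r"""
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab094606
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xab09405a
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb91771e8
"""
if __name__ == "__main__":
    for func, verdict in cross_check(parse_rku(RKU_SAMPLE), parse_rootrepeal(RR_SAME_SESSION)).items():
        print(f"{func:24} {verdict}")
```

Feed it the full reports saved from both tools in the same boot session; any function left as "unattributed" or "unlisted_module" is the one worth investigating further, while a run full of "mismatch" verdicts means the two reports were not taken together.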

#24 hans

Posted 14 September 2008 - 04:39

Hi Txon, welcome back Noisette: I don't know if it is normal, but I cannot get into safe mode with F8 when booting my machine. I have to use /safeboot in msconfig.

In RKU, I cannot scan the Files section; there is the famous error message: 'error starting helper service'.
In RKU's Tools, VM detection shows lines 126 and/or 119 result compromised. What does that mean?
When I unhook the hooked files in the SSDT, they come back automatically after a reboot. A wipe file does not work, nor does copy files. (force delete is not among the choices.)

I am copy-pasting the RKU report so that you have all the lines I have in full.


>SSDT State
NtAdjustPrivilegesToken
Actual Address 0xABFC0C8C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtClose
Actual Address 0xABE78606
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtConnectPort
Actual Address 0xABFC03C4
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtCreateFile
Actual Address 0xABE7805A
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtCreateKey
Actual Address 0xABE77D3C
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtCreatePort
Actual Address 0xABFC0080
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtCreateSection
Actual Address 0xABE79652
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtCreateSymbolicLinkObject
Actual Address 0xABFC0E72
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtCreateThread
Actual Address 0xF7A84F24
Hooked by: Unknown module filename

NtDeleteKey
Actual Address 0xABE77E46
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtDeleteValueKey
Actual Address 0xABE77F30
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtDuplicateObject
Actual Address 0xABFBFB02
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtLoadDriver
Actual Address 0xABE788CC
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtOpenFile
Actual Address 0xABE78362
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtOpenProcess
Actual Address 0xF7A84F10
Hooked by: Unknown module filename

NtOpenSection
Actual Address 0xABFC0744
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtOpenThread
Actual Address 0xF7A84F15
Hooked by: Unknown module filename

NtRenameKey
Actual Address 0xABFC17F2
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtRequestWaitReplyPort
Actual Address 0xABFC0196
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtSecureConnectPort
Actual Address 0xABFC1AE6
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtSetSystemInformation
Actual Address 0xABFC1EC4
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtSetValueKey
Actual Address 0xABE77BBA
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtShutdownSystem
Actual Address 0xABFC05D2
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtSystemDebugControl
Actual Address 0xABFC0638
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtTerminateProcess
Actual Address 0xABE78814
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtTerminateThread
Actual Address 0xABFBFE18
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtWriteFile
Actual Address 0xABE78494
Hooked by: C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

NtWriteVirtualMemory
Actual Address 0xF7A84F1A
Hooked by: Unknown module filename

>Shadow
NtUserGetAsyncKeyState
Actual Address 0xABFC2F3C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserGetKeyboardState
Actual Address 0xABFC2D42
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserGetKeyState
Actual Address 0xABFC2E3C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserMessageCall
Actual Address 0xABFC2A8A
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserPostMessage
Actual Address 0xABFC273C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserPostThreadMessage
Actual Address 0xABFC28E8
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserRegisterRawInputDevices
Actual Address 0xABFC303C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserSendInput
Actual Address 0xABFC2C4C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserSetWindowsHookEx
Actual Address 0xABFC3132
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

NtUserSetWinEventHook
Actual Address 0xABFC335C
Hooked by: C:\WINDOWS\System32\DRIVERS\cmdguard.sys

>Processes
>Drivers
>Stealth
>Hooks
Device object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
File object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
Key object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
ntoskrnl.exe+0x00005B12, Type: Inline - RelativeJump 0x804DCB12 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D970, Type: Inline - RelativeJump 0x804E4970 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D99C, Type: Inline - RelativeJump 0x804E499C [ntoskrnl.exe]
Process object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
Section object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xABF49428 [inspect.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xABF49454 [inspect.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xABF49460 [inspect.sys]
Thread object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF751BB4C [inspect.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF751BB1C [inspect.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF751BB3C [inspect.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF751BB28 [inspect.sys]
[500]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DA1218 [shimeng.dll]
[500]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77EF10B4 [shimeng.dll]
[500]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[500]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9D15A4 [shimeng.dll]
[500]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E39133C [shimeng.dll]
[500]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x44081488 [shimeng.dll]
[500]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x719F109C [shimeng.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


In RootRepeal I copy-pasted the SSDT:


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2008/09/13 23:35
Program Version: Version 1.1.1.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc0c8c

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe78606

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc03c4

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe7805a

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe77d3c

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc0080

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe79652

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc0e72

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7a84f24

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe77e46

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe77f30

#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfbfb02

#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 084 Function Name: NtFsControlFile
Status: Not hooked

#: 085 Function Name: NtGetContextThread
Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088 Function Name: NtGetWriteWatch
Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091 Function Name: NtImpersonateThread
Status: Not hooked

#: 092 Function Name: NtInitializeRegistry
Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094 Function Name: NtIsProcessInJob
Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096 Function Name: NtListenPort
Status: Not hooked

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe788cc

#: 098 Function Name: NtLoadKey
Status: Not hooked

#: 099 Function Name: NtLoadKey2
Status: Not hooked

#: 100 Function Name: NtLockFile
Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102 Function Name: NtLockRegistryKey
Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104 Function Name: NtMakePermanentObject
Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Not hooked

#: 109 Function Name: NtModifyBootEntry
Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114 Function Name: NtOpenEvent
Status: Not hooked

#: 115 Function Name: NtOpenEventPair
Status: Not hooked

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe78362

#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118 Function Name: NtOpenJobObject
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Not hooked

#: 120 Function Name: NtOpenMutant
Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7a84f10

#: 123 Function Name: NtOpenProcessToken
Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc0744

#: 126 Function Name: NtOpenSemaphore
Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7a84f15

#: 129 Function Name: NtOpenThreadToken
Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131 Function Name: NtOpenTimer
Status: Not hooked

#: 132 Function Name: NtPlugPlayControl
Status: Not hooked

#: 133 Function Name: NtPowerInformation
Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked

#: 138 Function Name: NtPulseEvent
Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141 Function Name: NtQueryBootOptions
Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147 Function Name: NtQueryEaFile
Status: Not hooked

#: 148 Function Name: NtQueryEvent
Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151 Function Name: NtQueryInformationFile
Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153 Function Name: NtQueryInformationPort
Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155 Function Name: NtQueryInformationThread
Status: Not hooked

#: 156 Function Name: NtQueryInformationToken
Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160 Function Name: NtQueryKey
Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162 Function Name: NtQueryMutant
Status: Not hooked

#: 163 Function Name: NtQueryObject
Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167 Function Name: NtQuerySection
Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169 Function Name: NtQuerySemaphore
Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174 Function Name: NtQuerySystemTime
Status: Not hooked

#: 175 Function Name: NtQueryTimer
Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177 Function Name: NtQueryValueKey
Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180 Function Name: NtQueueApcThread
Status: Not hooked

#: 181 Function Name: NtRaiseException
Status: Not hooked

#: 182 Function Name: NtRaiseHardError
Status: Not hooked

#: 183 Function Name: NtReadFile
Status: Not hooked

#: 184 Function Name: NtReadFileScatter
Status: Not hooked

#: 185 Function Name: NtReadRequestData
Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188 Function Name: NtReleaseMutant
Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc17f2

#: 193 Function Name: NtReplaceKey
Status: Not hooked

#: 194 Function Name: NtReplyPort
Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199 Function Name: NtRequestPort
Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc0196

#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202 Function Name: NtResetEvent
Status: Not hooked

#: 203 Function Name: NtResetWriteWatch
Status: Not hooked

#: 204 Function Name: NtRestoreKey
Status: Not hooked

#: 205 Function Name: NtResumeProcess
Status: Not hooked

#: 206 Function Name: NtResumeThread
Status: Not hooked

#: 207 Function Name: NtSaveKey
Status: Not hooked

#: 208 Function Name: NtSaveKeyEx
Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc1ae6

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212 Function Name: NtSetBootOptions
Status: Not hooked

#: 213 Function Name: NtSetContextThread
Status: Not hooked

#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtSetEaFile
Status: Not hooked

#: 219 Function Name: NtSetEvent
Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221 Function Name: NtSetHighEventPair
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc1ec4

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe77bba

#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc05d2

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfc0638

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe78814

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xabfbfe18

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xabe78494

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf7a84f1a

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked

Thanks
See you



#25 Txon

    AïoligaToR

  • Administrator
  • 10 854 posts
  • Gender: Male

Posted 14 September 2008 - 08:07

Re ...

It is now a bit clearer, and I have good news thanks to USForce and EASTER (two "greavyweights" of the "Sysinternals" forum).
QUOTE
Device object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
File object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
Key object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
Process object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
Section object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
Thread object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
These hooks would be placed by Avira Antivir (which I do not use). See -> HERE <- in English. To confirm it, vrtule disassembled the hooked functions.
Those who advocate "heuristic" approaches to detecting malware will certainly appreciate this.

The rest presents no apparent risk. If there is still malware on your PC, it does not seem to be hidden by rootkits.

Version 1.1.2 of RootRepeal is out. You can download it and use it.

@+

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." (Benjamin Franklin)
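
A practical way to read an RkUnhooker "SSDT State" listing like the one posted above is to parse it and triage the hooks by hooking module rather than scanning hundreds of "Not hooked" lines by eye. The script below is an added example and not part of this thread or of RkUnhooker: it parses the `#: N Function Name: ... / Status: ...` entry format used in the report, groups the hooked syscalls by the driver that hooks them, and flags any hooking module that is not on an allowlist. The allowlist (`TRUSTED_MODULES`) is an assumption for the example; in practice you populate it only with drivers you have positively identified as belonging to security software you installed. The embedded sample report is constructed from a handful of entries in the same format as the post, including the `"<unknown>"` hooker that the real listing shows for NtWriteVirtualMemory.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the RkUnhooker "SSDT State" entry format shown in the
# post above (a few entries only, not the full report).
SAMPLE_REPORT = """\
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xabfc1ae6

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\sp_rsdrv2.sys" at address 0xabe77bba

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\sp_rsdrv2.sys" at address 0xabe78494

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf7a84f1a

#: 278 Function Name: NtYieldExecution
Status: Not hooked
"""

# Assumed allowlist: driver file names the analyst has already identified as
# belonging to installed security products. Matching is on the lower-cased
# basename so path capitalisation differences in the report do not matter.
TRUSTED_MODULES = {"cmdguard.sys", "sp_rsdrv2.sys"}

ENTRY_RE = re.compile(
    r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<name>\S+)[ \t]*\r?\n"
    r"Status:\s*(?P<status>.+)"
)
HOOK_RE = re.compile(
    r'Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_ssdt(report):
    """Return one dict per SSDT entry: index, name, hooked, module, address."""
    entries = []
    for m in ENTRY_RE.finditer(report):
        status = m.group("status").strip()
        hook = HOOK_RE.search(status)
        entries.append({
            "index": int(m.group("index")),
            "name": m.group("name"),
            "hooked": hook is not None,
            "module": hook.group("module") if hook else None,
            "address": int(hook.group("addr"), 16) if hook else None,
        })
    return entries


def module_basename(module):
    """'C:\\WINDOWS\\...\\cmdguard.sys' -> 'cmdguard.sys'; '<unknown>' stays as is."""
    return module.rsplit("\\", 1)[-1].lower()


def triage(entries, trusted_modules):
    """Group hooked syscalls by hooking module; return (all_hooks, suspicious).

    A module is suspicious when its basename is not in the allowlist. The
    "<unknown>" hooker RkUnhooker reports when it cannot attribute the hook
    address to any loaded module always ends up here, which is the entry an
    analyst should look at first.
    """
    by_module = defaultdict(list)
    for e in entries:
        if e["hooked"]:
            by_module[e["module"]].append(e["name"])
    suspicious = {
        mod: funcs
        for mod, funcs in by_module.items()
        if module_basename(mod) not in trusted_modules
    }
    return dict(by_module), suspicious


def main(argv):
    # Usage: python ssdt_triage.py [report.txt]; without a path the sample runs.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_REPORT
    entries = parse_ssdt(text)
    by_module, suspicious = triage(entries, TRUSTED_MODULES)
    print(f"{len(entries)} SSDT entries, {sum(e['hooked'] for e in entries)} hooked")
    for mod, funcs in by_module.items():
        tag = "SUSPICIOUS" if mod in suspicious else "allowlisted"
        print(f"[{tag}] {mod}: {', '.join(funcs)}")
    return 1 if suspicious else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a saved RkUnhooker report to get one line per hooking driver; anything tagged SUSPICIOUS, and in particular a `<unknown>` hooker, is what to investigate next (which loaded module, if any, covers that address, and what the hooked code does), which is exactly the kind of check the thread describes vrtule doing by disassembling the hooked functions.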



