Salut,
Voilà ces derniers temps j'ai remarqué lors d'un scan d'RkU des changements de crochetages dans la SSDT, ayant gardé un extrait d'un ancien rapport, je compare et je me rends compte que quelque chose a changé, je n'aime pas ça du tout.
Je vous soumet donc trois anciens extraits de rapports, ainsi que le rapport complet d'aujourd'hui, je n'arrive pas à identifier ce module inconnu et je voudrais savoir...
Si il vous est possible de me donner votre avis concernant cette "chose" ainsi que la méthode pour pouvoir l'identifier, je vous en serait très reconnaissant.
1) vendredi 10 août 2007 à 14h01
forum.zebulon.fr/index.php?showtopic=127678&hl=khips
Service name: NtCreateThread. Hooked: Yes. Module: pwipf2.sys
Service name: NtOpenProcess. Hooked: Yes. Module: pwipf2.sys
Service name: NtOpenThread. Hooked: Yes. Module: pwipf2.sys
Service name: NtTerminateProcess. Hooked: Yes. Module: pwipf2.sys
NtWriteVirtualMemory n'était pas crochetée
------------------------------------------------------------------------------------------------------------------------------
2) Un peu avant l'envoi de l'extrait de rapport sur malekal.com
archive personnelle
NtCreateThread
Actual Address 0xF710E3BC
Hooked by: Unknown module filename
NtOpenProcess
Actual Address 0xF710E3A8
Hooked by: Unknown module filename
NtOpenThread
Actual Address 0xF710E3AD
Hooked by: Unknown module filename
NtTerminateProcess
Actual Address 0xF710E3B7
Hooked by: Unknown module filename
NtWriteVirtualMemory
Actual Address 0xF710E3B2
Hooked by: Unknown module filename
---------------------------------------------------------------------------------------------------------------------------------
3) le 30 Jan 2008 20:12
forum.malekal.com/viewtopic.php?f=46&t=8093&start=0
NtCreateThread
Actual Address 0xF70FEDD4
Hooked by: Unknown module filename
NtOpenProcess
Actual Address 0xF70FEDC0
Hooked by: Unknown module filename
NtOpenThread
Actual Address 0xF70FEDC5
Hooked by: Unknown module filename
NtTerminateProcess
Actual Address 0xF70FEDCF
Hooked by: Unknown module filename
NtWriteVirtualMemory
Actual Address 0xF70FEDCA
Hooked by: Unknown module filename
Le rapport d'aujourd'hui:
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtClose
Actual Address 0xEE7E3F80
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtCreateFile
Actual Address 0xEE6EAAE0
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtCreateKey
Actual Address 0xEE6EA7E0
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtCreateProcess
Actual Address 0xEE7E2A1A
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtCreateProcessEx
Actual Address 0xEE7E2910
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtCreateThread
Actual Address 0xF70C36E4
Hooked by: Unknown module filename
NtDeleteFile
Actual Address 0xEE7E4034
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtDeleteKey
Actual Address 0xEE7DFD54
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtDeleteValueKey
Actual Address 0xEE7DFE70
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtOpenFile
Actual Address 0xEE6EAB20
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtOpenKey
Actual Address 0xEE6EAB90
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtOpenProcess
Actual Address 0xF70C36D0
Hooked by: Unknown module filename
NtOpenSection
Actual Address 0xEE6EAB50
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtOpenThread
Actual Address 0xF70C36D5
Hooked by: Unknown module filename
NtResumeThread
Actual Address 0xEE7E30DC
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtSetInformationFile
Actual Address 0xEE7E3CE0
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtSetValueKey
Actual Address 0xEE6EA3B0
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtTerminateProcess
Actual Address 0xF70C36DF
Hooked by: Unknown module filename
NtWriteFile
Actual Address 0xEE7E3BB2
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtWriteVirtualMemory
Actual Address 0xF70C36DA
Hooked by: Unknown module filename
==============================================
>Shadow
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x863812C0
Process: C:\Program Files\AntiVir PersonalEdition Classic\AVGUARD.EXE
Process Id: 180
EPROCESS Address: 0x85EE6020
Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
Process Id: 272
EPROCESS Address: 0x86113DA0
Process: C:\Program Files\AntiVir PersonalEdition Classic\AVGNT.EXE
Process Id: 364
EPROCESS Address: 0x857B1B30
Process: C:\WINDOWS\System32\SMSS.EXE
Process Id: 468
EPROCESS Address: 0x8610D718
Process: C:\WINDOWS\qmc.exe
Process Id: 556
EPROCESS Address: 0x857948C8
Process: C:\Program Files\AntiVir PersonalEdition Classic\SCHED.EXE
Process Id: 616
EPROCESS Address: 0x86144728
Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Process Id: 636
EPROCESS Address: 0x85FCDDA0
Process: C:\WINDOWS\EXPLORER.EXE
Process Id: 716
EPROCESS Address: 0x852FE020
Process: C:\Program Files\regprot.exe
Process Id: 752
EPROCESS Address: 0x8580E8D8
Process: C:\WINDOWS\System32\locator.exe
Process Id: 760
EPROCESS Address: 0x85E9C7E8
Process: C:\Program Files\Sunbelt Software\Personal Firewall\KPF4SS.EXE
Process Id: 848
EPROCESS Address: 0x86100598
Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
Process Id: 924
EPROCESS Address: 0x852F9DA0
Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1020
EPROCESS Address: 0x8604D598
Process: C:\WINDOWS\System32\CSRSS.EXE
Process Id: 1192
EPROCESS Address: 0x8608B5C8
Process: C:\Acer\Empowering Technology\ePower\EPM-DM.EXE
Process Id: 1208
EPROCESS Address: 0x8579F650
Process: C:\WINDOWS\System32\WINLOGON.EXE
Process Id: 1284
EPROCESS Address: 0x85FFC020
Process: C:\WINDOWS\System32\SERVICES.EXE
Process Id: 1424
EPROCESS Address: 0x8614F588
Process: C:\WINDOWS\System32\LSASS.EXE
Process Id: 1436
EPROCESS Address: 0x8617BBD8
Process: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Process Id: 1504
EPROCESS Address: 0x857B6020
Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1636
EPROCESS Address: 0x85FEA430
Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1716
EPROCESS Address: 0x86175240
Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1744
EPROCESS Address: 0x85FF44A8
Process: C:\Acer\Empowering Technology\eRecovery\Monitor.exe
Process Id: 1824
EPROCESS Address: 0x857B3020
Process: C:\WINDOWS\System32\SPOOLSV.EXE
Process Id: 2032
EPROCESS Address: 0x85FEF020
Process: C:\Documents and Settings\Michel\Mes documents\Dossier Install\20071210_182632_rku37300509\rku37300509.exe
Process Id: 372
EPROCESS Address: 0x86021DA0
Process: C:\Program Files\Privacyware\Dynamic Security Agent\dsa.exe
Process Id: 624
EPROCESS Address: 0x8528C9B8
==============================================
>Drivers
Driver: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA75000
Size: 2310144 bytes
Driver: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000
Size: 2182400 bytes
Driver: PnpManager
Address: 0x804D7000
Size: 2182400 bytes
Driver: RAW
Address: 0x804D7000
Size: 2182400 bytes
Driver: WMIxWDM
Address: 0x804D7000
Size: 2182400 bytes
Driver: Win32k
Address: 0xBF800000
Size: 1847296 bytes
Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1847296 bytes
Driver: C:\WINDOWS\system32\DRIVERS\btkrnl.sys
Address: 0xF6C16000
Size: 1327104 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF6F38000
Size: 1200128 bytes
Driver: C:\WINDOWS\system32\DRIVERS\AVerM115.sys
Address: 0xF6E5B000
Size: 679936 bytes
Driver: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCA9000
Size: 606208 bytes
Driver: C:\WINDOWS\System32\Drivers\Ntfs.SYS
Address: 0xEE575000
Size: 577536 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xEE602000
Size: 454656 bytes
Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6ACD000
Size: 364544 bytes
Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xEE719000
Size: 360448 bytes
Driver: C:\WINDOWS\system32\drivers\fwdrv.sys
Address: 0xEE7C8000
Size: 299008 bytes
Driver: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Address: 0xEE880000
Size: 294912 bytes
Driver: C:\WINDOWS\system32\drivers\camchal.sys
Address: 0xF6DC9000
Size: 278528 bytes
Driver: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000
Size: 245760 bytes
Driver: timntr.sys
Address: 0xF72A6000
Size: 217088 bytes
Driver: C:\WINDOWS\system32\drivers\pwipf2.sys
Address: 0xEE6E6000
Size: 208896 bytes
Driver: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA11000
Size: 204800 bytes
Driver: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA43000
Size: 204800 bytes
Driver: C:\WINDOWS\system32\drivers\btslbcsp.sys
Address: 0xEC052000
Size: 204800 bytes
Driver: C:\WINDOWS\System32\Drivers\UDFReadr.SYS
Address: 0xEE796000
Size: 204800 bytes
Driver: ACPI.sys
Address: 0xF7437000
Size: 192512 bytes
Driver: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xF6D77000
Size: 188416 bytes
Driver: NDIS.sys
Address: 0xF72DB000
Size: 184320 bytes
Driver: dac2w2k.sys
Address: 0xF7374000
Size: 180224 bytes
Driver: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Address: 0xF6E0D000
Size: 176128 bytes
Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xEE699000
Size: 176128 bytes
Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xEC2C7000
Size: 163840 bytes
Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6DA5000
Size: 147456 bytes
Driver: C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS
Address: 0xEE84B000
Size: 143360 bytes
Driver: Fastfat.sys
Address: 0xF731F000
Size: 143360 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF6E38000
Size: 143360 bytes
Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6F01000
Size: 143360 bytes
Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEE6C4000
Size: 139264 bytes
Driver: ACPI_HAL
Address: 0x806EC000
Size: 131968 bytes
Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000
Size: 131968 bytes
Driver: fltMgr.sys
Address: 0xF7354000
Size: 131072 bytes
Driver: ftdisk.sys
Address: 0xF73E9000
Size: 126976 bytes
Driver: pcmcia.sys
Address: 0xF7408000
Size: 122880 bytes
Driver: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Address: 0xF6D5A000
Size: 118784 bytes
Driver: Mup.sys
Address: 0xF7275000
Size: 110592 bytes
Driver: adpu160m.sys
Address: 0xF73A0000
Size: 102400 bytes
Driver: atapi.sys
Address: 0xF73B9000
Size: 98304 bytes
Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE495000
Size: 98304 bytes
Driver: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF73D1000
Size: 98304 bytes
Driver: KSecDD.sys
Address: 0xF7308000
Size: 94208 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6B37000
Size: 94208 bytes
Driver: C:\WINDOWS\system32\DRIVERS\irda.sys
Address: 0xEC2EF000
Size: 90112 bytes
Driver: snapman.sys
Address: 0xF7290000
Size: 90112 bytes
Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEBDD1000
Size: 86016 bytes
Driver: C:\WINDOWS\system32\drivers\epm-shd.sys
Address: 0xEC03E000
Size: 81920 bytes
Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6F24000
Size: 81920 bytes
Driver: C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
Address: 0xEC1C4000
Size: 77824 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xEE771000
Size: 77824 bytes
Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000
Size: 73728 bytes
Driver: sr.sys
Address: 0xF7342000
Size: 73728 bytes
Driver: C:\Acer\Empowering Technology\eRecovery\int15.sys
Address: 0xEB98A000
Size: 69632 bytes
Driver: pci.sys
Address: 0xF7426000
Size: 69632 bytes
Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6B26000
Size: 69632 bytes
Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF6BCE000
Size: 65536 bytes
Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7617000
Size: 61440 bytes
Driver: ohci1394.sys
Address: 0xF7497000
Size: 61440 bytes
Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7657000
Size: 61440 bytes
Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xEC144000
Size: 61440 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF76E7000
Size: 61440 bytes
Driver: aic78u2.sys
Address: 0xF7507000
Size: 57344 bytes
Driver: aic78xx.sys
Address: 0xF74D7000
Size: 57344 bytes
Driver: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xF7215000
Size: 57344 bytes
Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7627000
Size: 57344 bytes
Driver: VolSnap.sys
Address: 0xF74C7000
Size: 57344 bytes
Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF74A7000
Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7647000
Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7567000
Size: 53248 bytes
Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF7667000
Size: 53248 bytes
Driver: ql12160.sys
Address: 0xF7547000
Size: 49152 bytes
Driver: ql1280.sys
Address: 0xF7537000
Size: 49152 bytes
Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF7687000
Size: 49152 bytes
Driver: agp440.sys
Address: 0xF75C7000
Size: 45056 bytes
Driver: agpCPQ.sys
Address: 0xF75D7000
Size: 45056 bytes
Driver: alim1541.sys
Address: 0xF75A7000
Size: 45056 bytes
Driver: amdagp.sys
Address: 0xF75B7000
Size: 45056 bytes
Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7637000
Size: 45056 bytes
Driver: MountMgr.sys
Address: 0xF74B7000
Size: 45056 bytes
Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF7677000
Size: 45056 bytes
Driver: sisagp.sys
Address: 0xF7597000
Size: 45056 bytes
Driver: viaagp.sys
Address: 0xF7587000
Size: 45056 bytes
Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF75F7000
Size: 40960 bytes
Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF76B7000
Size: 40960 bytes
Driver: ql1080.sys
Address: 0xF7527000
Size: 40960 bytes
Driver: ql1240.sys
Address: 0xF74F7000
Size: 40960 bytes
Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF76A7000
Size: 40960 bytes
Driver: C:\WINDOWS\system32\drivers\camcaud.sys
Address: 0xF7607000
Size: 36864 bytes
Driver: disk.sys
Address: 0xF7557000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7225000
Size: 36864 bytes
Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF6BBE000
Size: 36864 bytes
Driver: isapnp.sys
Address: 0xF7487000
Size: 36864 bytes
Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7697000
Size: 36864 bytes
Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7235000
Size: 36864 bytes
Driver: PxHelp20.sys
Address: 0xF7577000
Size: 36864 bytes
Driver: ql10wnt.sys
Address: 0xF74E7000
Size: 36864 bytes
Driver: ultra.sys
Address: 0xF7517000
Size: 36864 bytes
Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF71D5000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7867000
Size: 32768 bytes
Driver: symc8xx.sys
Address: 0xF7737000
Size: 32768 bytes
Driver: sym_u3.sys
Address: 0xF7747000
Size: 32768 bytes
Driver: C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
Address: 0xF788F000
Size: 32768 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF787F000
Size: 32768 bytes
Driver: asc.sys
Address: 0xF771F000
Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF784F000
Size: 28672 bytes
Driver: hpn.sys
Address: 0xF776F000
Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF77DF000
Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\nscirda.sys
Address: 0xF77D7000
Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000
Size: 28672 bytes
Driver: perc2.sys
Address: 0xF7767000
Size: 28672 bytes
Driver: sym_hi.sys
Address: 0xF773F000
Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF77CF000
Size: 28672 bytes
Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF7877000
Size: 28672 bytes
Driver: ABP480N5.SYS
Address: 0xF774F000
Size: 24576 bytes
Driver: asc3350p.sys
Address: 0xF7757000
Size: 24576 bytes
Driver: C:\WINDOWS\system32\drivers\btserial.sys
Address: 0xF783F000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\Drivers\dvd_2K.SYS
Address: 0xF780F000
Size: 24576 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF77E7000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xEC09C000
Size: 24576 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xF786F000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7857000
Size: 24576 bytes
Driver: dpti2o.sys
Address: 0xF775F000
Size: 20480 bytes
Driver: i2omp.sys
Address: 0xF772F000
Size: 20480 bytes
Driver: mraid35x.sys
Address: 0xF7727000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF785F000
Size: 20480 bytes
Driver: PartMgr.sys
Address: 0xF770F000
Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77FF000
Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Address: 0xF77EF000
Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7807000
Size: 20480 bytes
Driver: sparrow.sys
Address: 0xF7717000
Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF77F7000
Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF77C7000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7887000
Size: 20480 bytes
Driver: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xEC3A1000
Size: 16384 bytes
Driver: aha154x.sys
Address: 0xF78AF000
Size: 16384 bytes
Driver: asc3550.sys
Address: 0xF78BF000
Size: 16384 bytes
Driver: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF789F000
Size: 16384 bytes
Driver: C:\WINDOWS\System32\DRIVERS\Bonifay.sys
Address: 0xF796B000
Size: 16384 bytes
Driver: cbidf2k.sys
Address: 0xF78C7000
Size: 16384 bytes
Driver: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF7983000
Size: 16384 bytes
Driver: cpqarray.sys
Address: 0xF78AB000
Size: 16384 bytes
Driver: dac960nt.sys
Address: 0xF78B7000
Size: 16384 bytes
Driver: ini910u.sys
Address: 0xF78C3000
Size: 16384 bytes
Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xF6AB1000
Size: 16384 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF71A1000
Size: 16384 bytes
Driver: symc810.sys
Address: 0xF78B3000
Size: 16384 bytes
Driver: UBHelper.sys
Address: 0xF78A7000
Size: 16384 bytes
Driver: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Address: 0xF6AB5000
Size: 16384 bytes
Driver: ACPIEC.sys
Address: 0xF78A3000
Size: 12288 bytes
Driver: amsint.sys
Address: 0xF78BB000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\BdaSup.SYS
Address: 0xF796F000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000
Size: 12288 bytes
Driver: compbatt.sys
Address: 0xF789B000
Size: 12288 bytes
Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF7143000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF6AB9000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\irenum.sys
Address: 0xF7973000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xEC1DB000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF6AA5000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF71AD000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\drivers\OsaFsLoc.sys
Address: 0xF6BFE000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF797B000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF711F000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Address: 0xEC399000
Size: 12288 bytes
Driver: aliide.sys
Address: 0xF798B000
Size: 8192 bytes
Driver: C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
Address: 0xF79AD000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79A7000
Size: 8192 bytes
Driver: cd20xrnt.sys
Address: 0xF7995000
Size: 8192 bytes
Driver: cmdide.sys
Address: 0xF7993000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79AF000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79A5000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF79A3000
Size: 8192 bytes
Driver: intelide.sys
Address: 0xF798D000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79A9000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
Address: 0xF799D000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\drivers\osaio.sys
Address: 0xF79B7000
Size: 8192 bytes
Driver: perc2hib.sys
Address: 0xF7997000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79AB000
Size: 8192 bytes
Driver: speedfan.sys
Address: 0xF7999000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF799F000
Size: 8192 bytes
Driver: toside.sys
Address: 0xF798F000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF799B000
Size: 8192 bytes
Driver: viaide.sys
Address: 0xF7991000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF70B7000
Size: 4096 bytes
Driver: C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys
Address: 0xF7073000
Size: 4096 bytes
Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF70DD000
Size: 4096 bytes
Driver: C:\WINDOWS\system32\drivers\epm-psd.sys
Address: 0xF7B6C000
Size: 4096 bytes
Driver: giveio.sys
Address: 0xF7A51000
Size: 4096 bytes
Driver: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Address: 0xF7066000
Size: 4096 bytes
Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7075000
Size: 4096 bytes
Driver: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7A50000
Size: 4096 bytes
Driver: C:\WINDOWS\system32\drivers\osanbm.sys
Address: 0xF7B7D000
Size: 4096 bytes
Driver: pciide.sys
Address: 0xF7A4F000
Size: 4096 bytes
==============================================
>Stealth
==============================================
>Files
==============================================
>Hooks
ndis.sys-->NdisMIndicateStatus, Type: Inline - DirectJump at address 0xF72F5A5F hook handler located in [fwdrv.sys]
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump at address 0x804DBAA2 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B764, Type: Inline - RelativeJump at address 0x804E2764 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7A0, Type: Inline - RelativeJump at address 0x804E27A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7AC, Type: Inline - RelativeJump at address 0x804E27AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B9E0, Type: Inline - RelativeJump at address 0x804E29E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000BA28, Type: Inline - RelativeJump at address 0x804E2A28 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000BAF0, Type: Inline - RelativeJump at address 0x804E2AF0 hook handler located in [ntoskrnl.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xEE758028 hook handler located in [fwdrv.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xEE758054 hook handler located in [fwdrv.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xEE758060 hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF71DAB4C hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF71DAB1C hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF71DAB3C hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF71DAB28 hook handler located in [fwdrv.sys]
[1020]SVCHOST.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pf
[OK]Rapports RkU (comparatifs+ rapport d'aujourhui)
Modérateur: Modérateurs et Modératrices
10 messages
• Page 1 sur 1
[OK]Rapports RkU (comparatifs+ rapport d'aujourhui)
de michte » 04 02 2008
Dernière édition par michte le 26 02 2008, édité 1 fois.
-
michte - Messages: 430
- Inscription: 05 09 2006
de michte » 07 02 2008
Salut,
Je n'arrive toujours pas à identifier la "chose" qui a crochetée la SSDT à la place de DSA, et je voudrais savoir si il me fallait comparer le log avec un autre antirootkit (si oui lequel?)
Dernièrement, j'ai laissé la gestion de la pagefile à windows, j'ai installé l'onglet sécurité pour ma partition NTFS, j'ai mis en route un logiciel de cryptage de dossier (acer), installé regshot, désinstallé spyblocker, installé hostsxpert, installé speedfan, cpuz, qmc (calendrier qui se lance au démarrage) changé la version de Rku, de DSA (hier).
C'est tout ce qui me vient comme changements, je ne vois vraiment pas quel logiciel "a pris la place" de DSA (et ce qui m'inquiète c'est que DSA est une des pièces importantes de sécurité sur mon PC).
Merci.
Je n'arrive toujours pas à identifier la "chose" qui a crochetée la SSDT à la place de DSA, et je voudrais savoir si il me fallait comparer le log avec un autre antirootkit (si oui lequel?)
Dernièrement, j'ai laissé la gestion de la pagefile à windows, j'ai installé l'onglet sécurité pour ma partition NTFS, j'ai mis en route un logiciel de cryptage de dossier (acer), installé regshot, désinstallé spyblocker, installé hostsxpert, installé speedfan, cpuz, qmc (calendrier qui se lance au démarrage) changé la version de Rku, de DSA (hier).
C'est tout ce qui me vient comme changements, je ne vois vraiment pas quel logiciel "a pris la place" de DSA (et ce qui m'inquiète c'est que DSA est une des pièces importantes de sécurité sur mon PC).
Merci.
-
michte - Messages: 430
- Inscription: 05 09 2006
de michte » 26 02 2008
Salut,
Je préfère en rester là car je ne maîtrise pas le sujet et il se peut que ce soit un processus légitime donc je met résolu.
Je précise quand même, que j'avais bien désactivé mes logs de protections à un moment pour effectuer ces vérifs.
A+
Je préfère en rester là car je ne maîtrise pas le sujet et il se peut que ce soit un processus légitime donc je met résolu.
Je précise quand même, que j'avais bien désactivé mes logs de protections à un moment pour effectuer ces vérifs.
A+
-
michte - Messages: 430
- Inscription: 05 09 2006
de sarla » 10 04 2008
Salut,
Je suis de passage, n'ayant découvert gmer et le pb rooktkit que depuis ce ce matin...
J'ignore si ça pourrait t'aider, je viens de la glaner tout à l'heure, même pas eu le temps de le lire !
http://www.malekal.com/supprimer_rootki ... zTocId7910
http://forum.malekal.com/ftopic3218.php
Il est aussi question je ne sais plus où, d'une nouvelle version qui identifie ces vilainetés et donne le programme en rapport.
Je suis de passage, n'ayant découvert gmer et le pb rooktkit que depuis ce ce matin...
J'ignore si ça pourrait t'aider, je viens de la glaner tout à l'heure, même pas eu le temps de le lire !
http://www.malekal.com/supprimer_rootki ... zTocId7910
http://forum.malekal.com/ftopic3218.php
Il est aussi question je ne sais plus où, d'une nouvelle version qui identifie ces vilainetés et donne le programme en rapport.
- sarla
- Messages: 804
- Inscription: 22 06 2004
- Localisation: IdF
de michte » 17 04 2008
Salut sarla,
Excuse moi pour ma réponse tardive, je suis aller voir et Malekal parle des rootkits en général avec des exemples, ainsi que plusieurs anti-rootkit, mais pas de trace de "Rootkit Unhooker" ni de "seem" les deux que j'ai actuellement, je pense passer GMER mais il faut que je me renseigne si je peux garder les deux que j'ai, ou si je dois les désinstaller pour ne pas avoir de conflits.
Merci,
Michte.
Excuse moi pour ma réponse tardive, je suis aller voir et Malekal parle des rootkits en général avec des exemples, ainsi que plusieurs anti-rootkit, mais pas de trace de "Rootkit Unhooker" ni de "seem" les deux que j'ai actuellement, je pense passer GMER mais il faut que je me renseigne si je peux garder les deux que j'ai, ou si je dois les désinstaller pour ne pas avoir de conflits.
Merci,
Michte.
-
michte - Messages: 430
- Inscription: 05 09 2006
de nardino » 17 04 2008
Salut Michte.
Si tu l'as pas encore vu, voici, un comparatif sur les principaux rootkits
http://www.lesnouvelles.net/articles/ch ... it-epitech
@+
Si tu l'as pas encore vu, voici, un comparatif sur les principaux rootkits
http://www.lesnouvelles.net/articles/ch ... it-epitech
@+
- nardino
- Messages: 376
- Inscription: 31 07 2006
de michte » 17 04 2008
Salut nardino,
Très intéressant les différents liens dans l'article, on y apprend qu'une solution matérielle existait sous la forme d'une carte au format PCI batisée CoPilot, qui disposait de son propre système d'exploitation, mais Microsoft a fait l'acquisition de komuku et ce n'est que la solution logicielle anti-rootkit qui sera intégrée aux produits Microsoft (Windows Live OneCare et Forefront). Komoku n'existera ainsi plus à l'issue de l'acquisition par Microsoft. Ce dernier ne précise toutefois pas ce que deviendra la carte PCI de Komoku (qui était pourtant son produit principal, la solution logicielle étant moins efficace de l'aveu même de son fondateur).
Sinon dans ce comparatif RkU se porte comme un charme ainsi que GMER, par contre pour SEEM ce n'est pas terrible, dommage pour GMER et sa cohabitation impossible avec RkU, je les auraient bien vu tout les deux dans ma config.
A+
Très intéressant les différents liens dans l'article, on y apprend qu'une solution matérielle existait sous la forme d'une carte au format PCI batisée CoPilot, qui disposait de son propre système d'exploitation, mais Microsoft a fait l'acquisition de komuku et ce n'est que la solution logicielle anti-rootkit qui sera intégrée aux produits Microsoft (Windows Live OneCare et Forefront). Komoku n'existera ainsi plus à l'issue de l'acquisition par Microsoft. Ce dernier ne précise toutefois pas ce que deviendra la carte PCI de Komoku (qui était pourtant son produit principal, la solution logicielle étant moins efficace de l'aveu même de son fondateur).
Sinon dans ce comparatif RkU se porte comme un charme ainsi que GMER, par contre pour SEEM ce n'est pas terrible, dommage pour GMER et sa cohabitation impossible avec RkU, je les auraient bien vu tout les deux dans ma config.
A+
-
michte - Messages: 430
- Inscription: 05 09 2006
de sloshy » 18 04 2008
Bonjour,
RkU n'est plus maintenu à jour depuis la version 3.7, une version 4 est sortie mais pour un public restreint.
Je conseille réellement GMER qui reste de "production" et qui est un travail titanesque qui continue d'être mis à jours régulièrement.
Exemple, les infections du MBR couplé à un RK sont détectable et modifiable par GMER (mais non par RkU), ce n'est bien entendu que pour l'exemple le plus frappant.
Amicalement, sloshy
RkU n'est plus maintenu à jour depuis la version 3.7, une version 4 est sortie mais pour un public restreint.
Je conseille réellement GMER qui reste de "production" et qui est un travail titanesque qui continue d'être mis à jours régulièrement.
Exemple, les infections du MBR couplé à un RK sont détectable et modifiable par GMER (mais non par RkU), ce n'est bien entendu que pour l'exemple le plus frappant.
Amicalement, sloshy
citation de sloshy
5² = 25, mais (-5)² = 25 aussi
Ce n'est pas parce qu'on a une solution que c'est forcément la meilleure !
- sloshy
- Messages: 87
- Inscription: 02 11 2005
- Localisation: /home/sloshy
10 messages
• Page 1 sur 1
Qui est en ligne
Utilisateurs parcourant ce forum: Aucun utilisateur enregistré et 1 invité