[OK] RkU reports (comparisons + today's report)


Post by michte » 04 Feb 2008, 15:51

Hi,

Lately I have noticed, during an RkU scan, changes in the hooks in the SSDT. Having kept an extract of an old report, I compared them and realised that something has changed, and I don't like that at all.

So I am submitting three extracts from old reports, along with today's complete report. I can't identify this unknown module and I would like to know...

If you could give me your opinion on this "thing", as well as the method for identifying it, I would be very grateful.

1) Friday 10 August 2007 at 14:01
forum.zebulon.fr/index.php?showtopic=127678&hl=khips

Service name: NtCreateThread. Hooked: Yes. Module: pwipf2.sys
Service name: NtOpenProcess. Hooked: Yes. Module: pwipf2.sys
Service name: NtOpenThread. Hooked: Yes. Module: pwipf2.sys
Service name: NtTerminateProcess. Hooked: Yes. Module: pwipf2.sys
NtWriteVirtualMemory was not hooked

------------------------------------------------------------------------------------------------------------------------------
2) Shortly before the report extract was sent to malekal.com
personal archive

NtCreateThread
Actual Address 0xF710E3BC
Hooked by: Unknown module filename

NtOpenProcess
Actual Address 0xF710E3A8
Hooked by: Unknown module filename

NtOpenThread
Actual Address 0xF710E3AD
Hooked by: Unknown module filename

NtTerminateProcess
Actual Address 0xF710E3B7
Hooked by: Unknown module filename

NtWriteVirtualMemory
Actual Address 0xF710E3B2
Hooked by: Unknown module filename

---------------------------------------------------------------------------------------------------------------------------------
3) 30 Jan 2008, 20:12
forum.malekal.com/viewtopic.php?f=46&t=8093&start=0

NtCreateThread
Actual Address 0xF70FEDD4
Hooked by: Unknown module filename

NtOpenProcess
Actual Address 0xF70FEDC0
Hooked by: Unknown module filename

NtOpenThread
Actual Address 0xF70FEDC5
Hooked by: Unknown module filename

NtTerminateProcess
Actual Address 0xF70FEDCF
Hooked by: Unknown module filename

NtWriteVirtualMemory
Actual Address 0xF70FEDCA
Hooked by: Unknown module filename

Today's report:

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtClose
Actual Address 0xEE7E3F80
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtCreateFile
Actual Address 0xEE6EAAE0
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtCreateKey
Actual Address 0xEE6EA7E0
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtCreateProcess
Actual Address 0xEE7E2A1A
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtCreateProcessEx
Actual Address 0xEE7E2910
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtCreateThread
Actual Address 0xF70C36E4
Hooked by: Unknown module filename
NtDeleteFile
Actual Address 0xEE7E4034
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtDeleteKey
Actual Address 0xEE7DFD54
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtDeleteValueKey
Actual Address 0xEE7DFE70
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtOpenFile
Actual Address 0xEE6EAB20
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtOpenKey
Actual Address 0xEE6EAB90
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtOpenProcess
Actual Address 0xF70C36D0
Hooked by: Unknown module filename
NtOpenSection
Actual Address 0xEE6EAB50
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtOpenThread
Actual Address 0xF70C36D5
Hooked by: Unknown module filename
NtResumeThread
Actual Address 0xEE7E30DC
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtSetInformationFile
Actual Address 0xEE7E3CE0
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtSetValueKey
Actual Address 0xEE6EA3B0
Hooked by: C:\WINDOWS\system32\drivers\pwipf2.sys
NtTerminateProcess
Actual Address 0xF70C36DF
Hooked by: Unknown module filename
NtWriteFile
Actual Address 0xEE7E3BB2
Hooked by: C:\WINDOWS\system32\drivers\fwdrv.sys
NtWriteVirtualMemory
Actual Address 0xF70C36DA
Hooked by: Unknown module filename
==============================================
>Shadow
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x863812C0

Process: C:\Program Files\AntiVir PersonalEdition Classic\AVGUARD.EXE
Process Id: 180
EPROCESS Address: 0x85EE6020

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
Process Id: 272
EPROCESS Address: 0x86113DA0

Process: C:\Program Files\AntiVir PersonalEdition Classic\AVGNT.EXE
Process Id: 364
EPROCESS Address: 0x857B1B30

Process: C:\WINDOWS\System32\SMSS.EXE
Process Id: 468
EPROCESS Address: 0x8610D718

Process: C:\WINDOWS\qmc.exe
Process Id: 556
EPROCESS Address: 0x857948C8

Process: C:\Program Files\AntiVir PersonalEdition Classic\SCHED.EXE
Process Id: 616
EPROCESS Address: 0x86144728

Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Process Id: 636
EPROCESS Address: 0x85FCDDA0

Process: C:\WINDOWS\EXPLORER.EXE
Process Id: 716
EPROCESS Address: 0x852FE020

Process: C:\Program Files\regprot.exe
Process Id: 752
EPROCESS Address: 0x8580E8D8

Process: C:\WINDOWS\System32\locator.exe
Process Id: 760
EPROCESS Address: 0x85E9C7E8

Process: C:\Program Files\Sunbelt Software\Personal Firewall\KPF4SS.EXE
Process Id: 848
EPROCESS Address: 0x86100598

Process: C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
Process Id: 924
EPROCESS Address: 0x852F9DA0

Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1020
EPROCESS Address: 0x8604D598

Process: C:\WINDOWS\System32\CSRSS.EXE
Process Id: 1192
EPROCESS Address: 0x8608B5C8

Process: C:\Acer\Empowering Technology\ePower\EPM-DM.EXE
Process Id: 1208
EPROCESS Address: 0x8579F650

Process: C:\WINDOWS\System32\WINLOGON.EXE
Process Id: 1284
EPROCESS Address: 0x85FFC020

Process: C:\WINDOWS\System32\SERVICES.EXE
Process Id: 1424
EPROCESS Address: 0x8614F588

Process: C:\WINDOWS\System32\LSASS.EXE
Process Id: 1436
EPROCESS Address: 0x8617BBD8

Process: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Process Id: 1504
EPROCESS Address: 0x857B6020

Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1636
EPROCESS Address: 0x85FEA430

Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1716
EPROCESS Address: 0x86175240

Process: C:\WINDOWS\System32\SVCHOST.EXE
Process Id: 1744
EPROCESS Address: 0x85FF44A8

Process: C:\Acer\Empowering Technology\eRecovery\Monitor.exe
Process Id: 1824
EPROCESS Address: 0x857B3020

Process: C:\WINDOWS\System32\SPOOLSV.EXE
Process Id: 2032
EPROCESS Address: 0x85FEF020

Process: C:\Documents and Settings\Michel\Mes documents\Dossier Install\20071210_182632_rku37300509\rku37300509.exe
Process Id: 372
EPROCESS Address: 0x86021DA0

Process: C:\Program Files\Privacyware\Dynamic Security Agent\dsa.exe
Process Id: 624
EPROCESS Address: 0x8528C9B8

==============================================
>Drivers
Driver: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA75000
Size: 2310144 bytes

Driver: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000
Size: 2182400 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2182400 bytes

Driver: RAW
Address: 0x804D7000
Size: 2182400 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2182400 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\system32\DRIVERS\btkrnl.sys
Address: 0xF6C16000
Size: 1327104 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF6F38000
Size: 1200128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\AVerM115.sys
Address: 0xF6E5B000
Size: 679936 bytes

Driver: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCA9000
Size: 606208 bytes

Driver: C:\WINDOWS\System32\Drivers\Ntfs.SYS
Address: 0xEE575000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xEE602000
Size: 454656 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6ACD000
Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xEE719000
Size: 360448 bytes

Driver: C:\WINDOWS\system32\drivers\fwdrv.sys
Address: 0xEE7C8000
Size: 299008 bytes

Driver: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Address: 0xEE880000
Size: 294912 bytes

Driver: C:\WINDOWS\system32\drivers\camchal.sys
Address: 0xF6DC9000
Size: 278528 bytes

Driver: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000
Size: 245760 bytes

Driver: timntr.sys
Address: 0xF72A6000
Size: 217088 bytes

Driver: C:\WINDOWS\system32\drivers\pwipf2.sys
Address: 0xEE6E6000
Size: 208896 bytes

Driver: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA11000
Size: 204800 bytes

Driver: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA43000
Size: 204800 bytes

Driver: C:\WINDOWS\system32\drivers\btslbcsp.sys
Address: 0xEC052000
Size: 204800 bytes

Driver: C:\WINDOWS\System32\Drivers\UDFReadr.SYS
Address: 0xEE796000
Size: 204800 bytes

Driver: ACPI.sys
Address: 0xF7437000
Size: 192512 bytes

Driver: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xF6D77000
Size: 188416 bytes

Driver: NDIS.sys
Address: 0xF72DB000
Size: 184320 bytes

Driver: dac2w2k.sys
Address: 0xF7374000
Size: 180224 bytes

Driver: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Address: 0xF6E0D000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xEE699000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xEC2C7000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6DA5000
Size: 147456 bytes

Driver: C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS
Address: 0xEE84B000
Size: 143360 bytes

Driver: Fastfat.sys
Address: 0xF731F000
Size: 143360 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF6E38000
Size: 143360 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6F01000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEE6C4000
Size: 139264 bytes

Driver: ACPI_HAL
Address: 0x806EC000
Size: 131968 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000
Size: 131968 bytes

Driver: fltMgr.sys
Address: 0xF7354000
Size: 131072 bytes

Driver: ftdisk.sys
Address: 0xF73E9000
Size: 126976 bytes

Driver: pcmcia.sys
Address: 0xF7408000
Size: 122880 bytes

Driver: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Address: 0xF6D5A000
Size: 118784 bytes

Driver: Mup.sys
Address: 0xF7275000
Size: 110592 bytes

Driver: adpu160m.sys
Address: 0xF73A0000
Size: 102400 bytes

Driver: atapi.sys
Address: 0xF73B9000
Size: 98304 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE495000
Size: 98304 bytes

Driver: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF73D1000
Size: 98304 bytes

Driver: KSecDD.sys
Address: 0xF7308000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6B37000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\irda.sys
Address: 0xEC2EF000
Size: 90112 bytes

Driver: snapman.sys
Address: 0xF7290000
Size: 90112 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEBDD1000
Size: 86016 bytes

Driver: C:\WINDOWS\system32\drivers\epm-shd.sys
Address: 0xEC03E000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6F24000
Size: 81920 bytes

Driver: C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
Address: 0xEC1C4000
Size: 77824 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xEE771000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000
Size: 73728 bytes

Driver: sr.sys
Address: 0xF7342000
Size: 73728 bytes

Driver: C:\Acer\Empowering Technology\eRecovery\int15.sys
Address: 0xEB98A000
Size: 69632 bytes

Driver: pci.sys
Address: 0xF7426000
Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6B26000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF6BCE000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7617000
Size: 61440 bytes

Driver: ohci1394.sys
Address: 0xF7497000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7657000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xEC144000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF76E7000
Size: 61440 bytes

Driver: aic78u2.sys
Address: 0xF7507000
Size: 57344 bytes

Driver: aic78xx.sys
Address: 0xF74D7000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xF7215000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7627000
Size: 57344 bytes

Driver: VolSnap.sys
Address: 0xF74C7000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF74A7000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7647000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7567000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF7667000
Size: 53248 bytes

Driver: ql12160.sys
Address: 0xF7547000
Size: 49152 bytes

Driver: ql1280.sys
Address: 0xF7537000
Size: 49152 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF7687000
Size: 49152 bytes

Driver: agp440.sys
Address: 0xF75C7000
Size: 45056 bytes

Driver: agpCPQ.sys
Address: 0xF75D7000
Size: 45056 bytes

Driver: alim1541.sys
Address: 0xF75A7000
Size: 45056 bytes

Driver: amdagp.sys
Address: 0xF75B7000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7637000
Size: 45056 bytes

Driver: MountMgr.sys
Address: 0xF74B7000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF7677000
Size: 45056 bytes

Driver: sisagp.sys
Address: 0xF7597000
Size: 45056 bytes

Driver: viaagp.sys
Address: 0xF7587000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF75F7000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF76B7000
Size: 40960 bytes

Driver: ql1080.sys
Address: 0xF7527000
Size: 40960 bytes

Driver: ql1240.sys
Address: 0xF74F7000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF76A7000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\drivers\camcaud.sys
Address: 0xF7607000
Size: 36864 bytes

Driver: disk.sys
Address: 0xF7557000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7225000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF6BBE000
Size: 36864 bytes

Driver: isapnp.sys
Address: 0xF7487000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7697000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7235000
Size: 36864 bytes

Driver: PxHelp20.sys
Address: 0xF7577000
Size: 36864 bytes

Driver: ql10wnt.sys
Address: 0xF74E7000
Size: 36864 bytes

Driver: ultra.sys
Address: 0xF7517000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF71D5000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7867000
Size: 32768 bytes

Driver: symc8xx.sys
Address: 0xF7737000
Size: 32768 bytes

Driver: sym_u3.sys
Address: 0xF7747000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
Address: 0xF788F000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF787F000
Size: 32768 bytes

Driver: asc.sys
Address: 0xF771F000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF784F000
Size: 28672 bytes

Driver: hpn.sys
Address: 0xF776F000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF77DF000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\nscirda.sys
Address: 0xF77D7000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000
Size: 28672 bytes

Driver: perc2.sys
Address: 0xF7767000
Size: 28672 bytes

Driver: sym_hi.sys
Address: 0xF773F000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF77CF000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF7877000
Size: 28672 bytes

Driver: ABP480N5.SYS
Address: 0xF774F000
Size: 24576 bytes

Driver: asc3350p.sys
Address: 0xF7757000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\drivers\btserial.sys
Address: 0xF783F000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\dvd_2K.SYS
Address: 0xF780F000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF77E7000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xEC09C000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xF786F000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7857000
Size: 24576 bytes

Driver: dpti2o.sys
Address: 0xF775F000
Size: 20480 bytes

Driver: i2omp.sys
Address: 0xF772F000
Size: 20480 bytes

Driver: mraid35x.sys
Address: 0xF7727000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF785F000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xF770F000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77FF000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Address: 0xF77EF000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7807000
Size: 20480 bytes

Driver: sparrow.sys
Address: 0xF7717000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF77F7000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF77C7000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7887000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xEC3A1000
Size: 16384 bytes

Driver: aha154x.sys
Address: 0xF78AF000
Size: 16384 bytes

Driver: asc3550.sys
Address: 0xF78BF000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF789F000
Size: 16384 bytes

Driver: C:\WINDOWS\System32\DRIVERS\Bonifay.sys
Address: 0xF796B000
Size: 16384 bytes

Driver: cbidf2k.sys
Address: 0xF78C7000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF7983000
Size: 16384 bytes

Driver: cpqarray.sys
Address: 0xF78AB000
Size: 16384 bytes

Driver: dac960nt.sys
Address: 0xF78B7000
Size: 16384 bytes

Driver: ini910u.sys
Address: 0xF78C3000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xF6AB1000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF71A1000
Size: 16384 bytes

Driver: symc810.sys
Address: 0xF78B3000
Size: 16384 bytes

Driver: UBHelper.sys
Address: 0xF78A7000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Address: 0xF6AB5000
Size: 16384 bytes

Driver: ACPIEC.sys
Address: 0xF78A3000
Size: 12288 bytes

Driver: amsint.sys
Address: 0xF78BB000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\BdaSup.SYS
Address: 0xF796F000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000
Size: 12288 bytes

Driver: compbatt.sys
Address: 0xF789B000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF7143000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF6AB9000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\irenum.sys
Address: 0xF7973000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xEC1DB000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF6AA5000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF71AD000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\OsaFsLoc.sys
Address: 0xF6BFE000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF797B000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF711F000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Address: 0xEC399000
Size: 12288 bytes

Driver: aliide.sys
Address: 0xF798B000
Size: 8192 bytes

Driver: C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
Address: 0xF79AD000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79A7000
Size: 8192 bytes

Driver: cd20xrnt.sys
Address: 0xF7995000
Size: 8192 bytes

Driver: cmdide.sys
Address: 0xF7993000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79AF000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79A5000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF79A3000
Size: 8192 bytes

Driver: intelide.sys
Address: 0xF798D000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79A9000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
Address: 0xF799D000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\drivers\osaio.sys
Address: 0xF79B7000
Size: 8192 bytes

Driver: perc2hib.sys
Address: 0xF7997000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79AB000
Size: 8192 bytes

Driver: speedfan.sys
Address: 0xF7999000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF799F000
Size: 8192 bytes

Driver: toside.sys
Address: 0xF798F000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF799B000
Size: 8192 bytes

Driver: viaide.sys
Address: 0xF7991000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF70B7000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys
Address: 0xF7073000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF70DD000
Size: 4096 bytes

Driver: C:\WINDOWS\system32\drivers\epm-psd.sys
Address: 0xF7B6C000
Size: 4096 bytes

Driver: giveio.sys
Address: 0xF7A51000
Size: 4096 bytes

Driver: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Address: 0xF7066000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7075000
Size: 4096 bytes

Driver: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7A50000
Size: 4096 bytes

Driver: C:\WINDOWS\system32\drivers\osanbm.sys
Address: 0xF7B7D000
Size: 4096 bytes

Driver: pciide.sys
Address: 0xF7A4F000
Size: 4096 bytes

==============================================
>Stealth
==============================================
>Files
==============================================
>Hooks

ndis.sys-->NdisMIndicateStatus, Type: Inline - DirectJump at address 0xF72F5A5F hook handler located in [fwdrv.sys]
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump at address 0x804DBAA2 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B764, Type: Inline - RelativeJump at address 0x804E2764 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7A0, Type: Inline - RelativeJump at address 0x804E27A0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7AC, Type: Inline - RelativeJump at address 0x804E27AC hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000B9E0, Type: Inline - RelativeJump at address 0x804E29E0 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000BA28, Type: Inline - RelativeJump at address 0x804E2A28 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x0000BAF0, Type: Inline - RelativeJump at address 0x804E2AF0 hook handler located in [ntoskrnl.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xEE758028 hook handler located in [fwdrv.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xEE758054 hook handler located in [fwdrv.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xEE758060 hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF71DAB4C hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF71DAB1C hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF71DAB3C hook handler located in [fwdrv.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF71DAB28 hook handler located in [fwdrv.sys]
[1020]SVCHOST.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1020]SVCHOST.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1284]WINLOGON.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1424]SERVICES.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindFirstFileW, Type: Inline - RelativeJump at address 0x7C80EEE1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindNextFileA, Type: Inline - RelativeJump at address 0x7C834EB1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump at address 0x7C80EF3A hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump at address 0x7C80ABDE hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->FreeLibraryAndExitThread, Type: Inline - RelativeJump at address 0x7C80C170 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump at address 0x7C80ADA0 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump at address 0x7C801D77 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump at address 0x7C80AE4B hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32First, Type: Inline - RelativeJump at address 0x7C864230 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32FirstW, Type: Inline - RelativeJump at address 0x7C864177 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32Next, Type: Inline - RelativeJump at address 0x7C8643B5 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->Module32NextW, Type: Inline - RelativeJump at address 0x7C864314 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump at address 0x7C835E8F hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileExA, Type: Inline - RelativeJump at address 0x7C85D4C3 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileExW, Type: Inline - RelativeJump at address 0x7C83565B hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump at address 0x7C821261 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - RelativeJump at address 0x7C801E16 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->EndTask, Type: Inline - RelativeJump at address 0x7E3D9E75 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->PostMessageA, Type: Inline - RelativeJump at address 0x7E39CB85 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->PostMessageW, Type: Inline - RelativeJump at address 0x7E398CCB hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SendMessageA, Type: Inline - RelativeJump at address 0x7E3AF383 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SendMessageW, Type: Inline - RelativeJump at address 0x7E39B8BA hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump at address 0x7E3B11D1 hook handler located in [pfproc.dll]
[1436]LSASS.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E3ADDB5 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->ControlService, Type: Inline - RelativeJump at address 0x77DBB635 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump at address 0x77E07071 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump at address 0x77E07311 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteKeyA, Type: Inline - RelativeJump at address 0x77DCC123 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteKeyW, Type: Inline - RelativeJump at address 0x77DC9884 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteValueA, Type: Inline - RelativeJump at address 0x77DAEDE5 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegDeleteValueW, Type: Inline - RelativeJump at address 0x77DAEEF1 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegSetValueExA, Type: Inline - RelativeJump at address 0x77DAEBE7 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->advapi32.dll-->RegSetValueExW, Type: Inline - RelativeJump at address 0x77DAD7CC hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CopyFileExW, Type: Inline - RelativeJump at address 0x7C827B32 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x7C810760 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump at address 0x7C819513 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->DeleteFileW, Type: Inline - RelativeJump at address 0x7C831F31 hook handler located in [pfproc.dll]
[1504]SynTPLpr.exe-->kernel32.dll-->FindFirstFileA, Type: Inline - RelativeJump at address 0x7C8137D9 hook handler located in [pf
Last edited by michte on 26 Feb 2008, 17:09, edited 1 time.
My setups
"the earth is lent to us by our children"
michte
Messages: 430
Joined: 05 Sep 2006, 14:28
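Every inline-hook line in the report above follows one pattern (PID, process, module, exported function, hook type, address, handler module), which is what makes a day-to-day comparison of two reports mechanical instead of something done by eye. As an added example that is not part of the original post and not code from RkU itself, the Python script below parses lines in that format, keys each hook on process/module/function (deliberately not on the PID, which changes at every boot), diffs two snapshots, and flags any handler module that is not on an allow-list of products you installed yourself. The two report snapshots are constructed samples; "Unknown module filename" is used there as a placeholder handler name for a hook whose owner could not be resolved.

```python
import re
from collections import defaultdict

# One user-mode hook line as RkU prints it, e.g.
# [1192]CSRSS.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
HOOK_LINE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>.+?)-->(?P<module>.+?)-->(?P<function>[^,]+),"
    r"\s*Type:\s*(?P<type>.+?)\s+at address\s+(?P<address>0x[0-9A-Fa-f]+)"
    r"\s+hook handler located in \[(?P<handler>[^\]]*)\]\s*$"
)


def parse_hook_line(line):
    """Parse one report line; return a dict, or None for lines that are not hook entries."""
    m = HOOK_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["address"] = int(rec["address"], 16)
    return rec


def parse_report(text):
    """Map (process, module, function) -> (handler, address).

    The PID is left out of the key on purpose: it changes at every boot, while the
    process name, the hooked export and the handler module are what a comparison
    between two days' reports should be keyed on.
    """
    hooks = {}
    for line in text.splitlines():
        rec = parse_hook_line(line)
        if rec is None:
            continue  # headers, blank lines, other report sections
        key = (rec["process"].upper(), rec["module"].lower(), rec["function"])
        hooks[key] = (rec["handler"], rec["address"])
    return hooks


def handlers_by_module(hooks):
    """Group the hooked (process, module, function) triples by the handler module that owns them."""
    grouped = defaultdict(set)
    for key, (handler, _addr) in hooks.items():
        grouped[handler].add(key)
    return dict(grouped)


def unexpected_handlers(hooks, known_handlers):
    """Handler modules that are not on the allow-list of products you installed yourself."""
    return {handler for handler, _addr in hooks.values() if handler not in known_handlers}


def diff_reports(old, new):
    """Hooks that appeared, disappeared, or moved to a different handler module between two snapshots."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k][0] != new[k][0]}
    return added, removed, changed


# Constructed sample snapshots (not taken from the thread): three hooks owned by
# pfproc.dll, then a later report (different PIDs after a reboot) in which one of
# them has moved to a handler the tool could not name and a new hook has appeared.
OLD_REPORT = """\
== user-mode hooks (constructed sample) ==
[1192]CSRSS.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1192]CSRSS.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [pfproc.dll]
[1208]EPM-DM.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump at address 0x77E07209 hook handler located in [pfproc.dll]
"""

NEW_REPORT = """\
== user-mode hooks (constructed sample) ==
[1640]CSRSS.EXE-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump at address 0x7C8309E1 hook handler located in [pfproc.dll]
[1640]CSRSS.EXE-->kernel32.dll-->OpenThread, Type: Inline - RelativeJump at address 0x7C82FC00 hook handler located in [Unknown module filename]
[1640]CSRSS.EXE-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [Unknown module filename]
"""


def summarize(old_text=OLD_REPORT, new_text=NEW_REPORT, known=("pfproc.dll",)):
    """Human-readable comparison of two reports; returns the lines it would print."""
    old, new = parse_report(old_text), parse_report(new_text)
    added, removed, changed = diff_reports(old, new)
    lines = []
    for (proc, mod, func), (handler, addr) in sorted(added.items()):
        lines.append(f"NEW      {proc}!{mod}!{func} -> [{handler}] @ 0x{addr:08X}")
    for (proc, mod, func), (handler, addr) in sorted(removed.items()):
        lines.append(f"GONE     {proc}!{mod}!{func} <- [{handler}] @ 0x{addr:08X}")
    for (proc, mod, func), ((h_old, _), (h_new, addr)) in sorted(changed.items()):
        lines.append(f"MOVED    {proc}!{mod}!{func} [{h_old}] -> [{h_new}] @ 0x{addr:08X}")
    for handler in sorted(unexpected_handlers(new, set(known))):
        lines.append(f"UNKNOWN  handler not on allow-list: [{handler}]")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run it against two saved RkU reports by passing their text to `summarize()`; a "MOVED" line for a function whose handler changed from a known product to an unnamed module is exactly the kind of change worth chasing, while a handler that merely moved address after a product update is not reported as a change.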

Post by michte » 07 Feb 2008, 12:52

Hi,

I still can't identify the "thing" that hooked the SSDT in place of DSA, and I'd like to know whether I should compare the log with another anti-rootkit (if so, which one?).

Lately, I let Windows manage the pagefile, I installed the Security tab for my NTFS partition, I started a folder encryption program (Acer), installed regshot, uninstalled spyblocker, installed hostsxpert, installed speedfan, cpuz, qmc (a calendar that launches at startup), and changed the version of RkU and of DSA (yesterday).

That's all I can think of in the way of changes; I really don't see which program "took the place" of DSA (and what worries me is that DSA is one of the important pieces of security on my PC).

Thanks.

Post by michte » 17 Feb 2008, 14:41

Bump

Post by michte » 26 Feb 2008, 17:09

Hi,

I'd rather leave it there, since I don't master the subject and it may well be a legitimate process, so I'm marking this solved.
I'll point out all the same that I had indeed disabled my protection programs at one point in order to run these checks.

See you

Post by sarla » 10 Apr 2008, 08:10

Hi,
I'm just passing through, having only discovered gmer and the rootkit problem this morning...
I don't know whether this might help you; I just picked it up a little while ago, haven't even had time to read it!
http://www.malekal.com/supprimer_rootki ... zTocId7910
http://forum.malekal.com/ftopic3218.php

There is also mention somewhere, I no longer remember where, of a new version that identifies these nasties and gives the program responsible.
sarla
Messages: 884
Joined: 22 Jun 2004, 08:30
Location: IdF

Post by michte » 17 Apr 2008, 13:23

Hi sarla,

Sorry for my late reply. I went to have a look, and Malekal talks about rootkits in general with examples, as well as about several anti-rootkits, but there is no trace of "Rootkit Unhooker" or "seem", the two I currently have. I'm thinking of running GMER, but I need to find out whether I can keep the two I have or whether I must uninstall them to avoid conflicts.

Thanks,
Michte.

Post by nardino » 17 Apr 2008, 19:50

Hi Michte.
If you haven't seen it yet, here is a comparison of the main rootkits:
http://www.lesnouvelles.net/articles/ch ... it-epitech

Cheers
nardino
Posts: 377
Joined: 31 Jul 2006, 14:34

Post by michte » 17 Apr 2008, 21:13

Hi nardino,

The various links in the article are very interesting. We learn that a hardware solution existed in the form of a PCI card called CoPilot, which had its own operating system, but Microsoft acquired Komoku and only the anti-rootkit software solution will be integrated into Microsoft products (Windows Live OneCare and Forefront). Komoku will thus cease to exist once the acquisition by Microsoft is complete. Microsoft does not say, however, what will become of Komoku's PCI card (which was nevertheless its main product, the software solution being less effective by its founder's own admission).

Otherwise, in this comparison RkU is doing fine, as is GMER, whereas SEEM does not do so well. A pity about GMER and its impossible coexistence with RkU; I would have liked to have both of them in my setup.

Cheers

Post by sloshy » 18 Apr 2008, 02:50

Hello,
RkU has not been kept up to date since version 3.7; a version 4 came out, but for a restricted audience.
I really recommend GMER, which is still in "production" and is a titanic piece of work that keeps being updated regularly.
For example, MBR infections coupled with a rootkit are detectable and fixable by GMER (but not by RkU); that is of course only the most striking example.

Regards, sloshy
quote from sloshy
5² = 25, but (-5)² = 25 too
Just because you have a solution doesn't mean it's necessarily the best one!
sloshy
Posts: 87
Joined: 01 Nov 2005, 23:12
Location: /home/sloshy

Post by michte » 18 Apr 2008, 12:23

Hi sloshy,

Thank you for the info about RkU. I'm thinking of uninstalling RkU and SEEM to try GMER, which seems to be more current.

Regards,
michte.

