Infection par RootKit-gen RTK

Renaud_C · le 9 août 2010

Bonsoir,

J'ai telecharger Sysprot mais il m'affiche un message d'erreur :

Fail to start service.Sysprot antirookit needs to be run with Admin privileges.

Sachant que je suis avec ma session Administrateur en mode sans echec.

Il m'a toutefois fourni un log mais ne me montre aucune ligne rouge.

-----

SysProt AntiRootkit v1.0.1.0

by swatkat

******************************************************************************************

No Hidden Processes found

******************************************************************************************

No Hidden Kernel Modules found

******************************************************************************************

No SSDT Hooks found

******************************************************************************************

No Kernel Hooks found

******************************************************************************************

No IRP Hooks found

******************************************************************************************

Ports:

Local Address: VENTO:NETBIOS-SSN

Remote Address: 0.0.0.0:0

Type: TCP

Process: 4 (PID)

State: LISTENING

Local Address: VENTO:MICROSOFT-DS

Remote Address: 0.0.0.0:0

Type: TCP

Process: 4 (PID)

State: LISTENING

Local Address: VENTO:EPMAP

Remote Address: 0.0.0.0:0

Type: TCP

Process: 1300 (PID)

State: LISTENING

Local Address: VENTO:138

Remote Address: NA

Type: UDP

Process: 4 (PID)

State: NA

Local Address: VENTO:NETBIOS-NS

Remote Address: NA

Type: UDP

Process: 4 (PID)

State: NA

Local Address: VENTO:1324

Remote Address: NA

Type: UDP

Process: 384 (PID)

State: NA

Local Address: VENTO:MICROSOFT-DS

Remote Address: NA

Type: UDP

Process: 4 (PID)

State: NA

******************************************************************************************

No hidden files/folders found

Je viens de tester clic droit executer en tant que... et il me signale que ce service ne peut être démarrer en mode sans echec.

pear · le 9 août 2010

Bonsoir,

Je n'ai pas tout relu: pourquoi le Mse, vous n'avez pas un accès normal ?

Essayez ceci;

Recherche de rootkit

Téléchargez RootRepeal

Désactiver les modules résidents:l'antivirus,antispyware ,Parefeu

Vous devez avoir les droits Administrateur

Installez RootRepeal , cliquez sur *Settings->Options*

Onglet "Général Cochez->Only suspicious ..

. [Driver scan] ... [Files scan] ... [Processes scan] ... [sSDT scan] (v. 1.1.0)

aucune raison de changer les paramètres standards.

Dans le [ File Scan ] l'option [X] [ Check for file size differences ] est celle qui permet la détection des fichiers dont la taille a été modifiée comme le fait par exemple le rootkit "Rustock.C". Il est donc fortement conseillé de ne pas la désactiver.

Dans le [ SSDT scan ], l'option [X] [ Check for hooked SYSENTER/INT 2E ] permet le scan des appels au système par SYSENTER ou INT 2E.

Choix des scans (boutons de sélection en bas, à gauche).

Chaque option comporte deux boutons [ Scan ] pour lancer l'analyse et [ Save Report ]qui permet d'enregistrer le rapport au format « .txt » dans le répertoire choisi (éventuellement dans le répertoire de démarrage de RootRepeal).

[ Report ]permet d'enchaîner plusieurs ou toutes les fonctions précédentes.

Cliquez [select scan]

Dans la fenêtre qui s'ouvre, sélectionner les options à exécuter(Cochez tout).

Un choix des partitions du disque est possible dans la fenêtre [select drives].

Cliquez sur Save Report

Lancez le scan,

Si RootRepeal ne trouve rien , il affichera ceci:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/04 18:47

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEB27E000 Size: 49152 File Visible: No Signed: -

Status: -

==EOF==

Renaud_C · le 9 août 2010

Après un boot réussi, je vous transmets le rapport sysprot

en rouge les lignes hidden

SysProt AntiRootkit v1.0.1.0

by swatkat

******************************************************************************************

No Hidden Processes found

******************************************************************************************

Kernel Modules:

Module Name: spsv.sys

Service Name: ---

Module Base: B7EA9000

Module End: B7FA7000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\azv8tf0l.SYS

Service Name: ---

Module Base: B7163000

Module End: B71CA000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\a77nbax1.SYS

Service Name: ---

Module Base: B7119000

Module End: B7163000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys

Service Name: ---

Module Base: B420D000

Module End: B4225000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS

Service Name: ---

Module Base: B85E4000

Module End: B85E6000

Hidden: Yes

Module Name: \??\C:\DOCUME~1\SESSIO~1\LOCALS~1\Temp\mc23.tmp

Service Name: mchInjDrv

Module Base: B86D8000

Module End: B86D9000

Hidden: Yes

******************************************************************************************

SSDT:

Function Name: ZwCreateKey

Address: B879B6FE

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwCreateThread

Address: B879B6F4

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwDeleteKey

Address: B879B703

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwDeleteValueKey

Address: B879B70D

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwEnumerateKey

Address: B7EC7CA2

Driver Base: B7EA9000

Driver End: B7FA7000

Driver Name: spsv.sys

Function Name: ZwEnumerateValueKey

Address: B7EC8030

Driver Base: B7EA9000

Driver End: B7FA7000

Driver Name: spsv.sys

Function Name: ZwLoadKey

Address: B879B712

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwOpenKey

Address: B7EAA0C0

Driver Base: B7EA9000

Driver End: B7FA7000

Driver Name: spsv.sys

Function Name: ZwOpenProcess

Address: B879B6E0

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwOpenThread

Address: B879B6E5

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwQueryKey

Address: B7EC8108

Driver Base: B7EA9000

Driver End: B7FA7000

Driver Name: spsv.sys

Function Name: ZwQueryValueKey

Address: B7EC7F88

Driver Base: B7EA9000

Driver End: B7FA7000

Driver Name: spsv.sys

Function Name: ZwReplaceKey

Address: B879B71C

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwRestoreKey

Address: B879B717

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwSetValueKey

Address: B879B708

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

Function Name: ZwTerminateProcess

Address: B879B6EF

Driver Base: 0

Driver End: 0

Driver Name: _unknown_

******************************************************************************************

No Kernel Hooks found

******************************************************************************************

IRP Hooks:

Hooked Module: \SystemRoot\System32\Drivers\azv8tf0l.SYS

Hooked IRP: IRP_MJ_CREATE

Jump To: 8AD38500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\azv8tf0l.SYS

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8AD38500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\azv8tf0l.SYS

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8AD38500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\azv8tf0l.SYS

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8AD38500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\azv8tf0l.SYS

Hooked IRP: IRP_MJ_POWER

Jump To: 8AD38500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\azv8tf0l.SYS

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8AD38500

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_READ

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_WRITE

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8ADDF1F8

Hooking Module: _unknown_

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CREATE

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CLOSE

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_READ

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_WRITE

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_INFORMATION

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_INFORMATION

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_EA

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_EA

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_DIRECTORY_CONTROL

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_LOCK_CONTROL

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CLEANUP

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_CREATE_MAILSLOT

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_SECURITY

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_SECURITY

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_POWER

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_DEVICE_CHANGE

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_QUERY_QUOTA

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: \Driver\sptd

Hooked IRP: IRP_MJ_SET_QUOTA

Jump To: B7EAA000

Hooking Module: spsv.sys

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbohci.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 8AD391F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbohci.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8AD391F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbohci.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8AD391F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbohci.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8AD391F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbohci.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 8AD391F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbohci.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8AD391F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_READ

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_WRITE

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_CLEANUP

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8AD711F8

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a77nbax1.SYS

Hooked IRP: IRP_MJ_CREATE

Jump To: 8AC50500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a77nbax1.SYS

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8AC50500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a77nbax1.SYS

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8AC50500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a77nbax1.SYS

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8AC50500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a77nbax1.SYS

Hooked IRP: IRP_MJ_POWER

Jump To: 8AC50500

Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a77nbax1.SYS

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8AC50500

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 89AF41F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 89AF41F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 89AF41F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 89AF41F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\netbt.sys

Hooked IRP: IRP_MJ_CLEANUP

Jump To: 89AF41F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_READ

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_WRITE

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8AC641F8

Hooking Module: _unknown_

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_CREATE

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_CLOSE

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_READ

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_WRITE

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_QUERY_INFORMATION

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_SET_INFORMATION

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_QUERY_EA

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_SET_EA

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_FLUSH_BUFFERS

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_DIRECTORY_CONTROL

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_SHUTDOWN

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_LOCK_CONTROL

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_CLEANUP

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_CREATE_MAILSLOT

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_QUERY_SECURITY

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_SET_SECURITY

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_POWER

Jump To: B7EB3A1A

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: B7EC5514

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_DEVICE_CHANGE

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_QUERY_QUOTA

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: \Driver\PCI_PNP8262

Hooked IRP: IRP_MJ_SET_QUOTA

Jump To: B7EECAD2

Hooking Module: spsv.sys

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 8AD321F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8AD321F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8AD321F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8AD321F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 8AD321F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\System32\DRIVERS\usbehci.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8AD321F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys

Hooked IRP: IRP_MJ_CREATE

Jump To: 8ADDD1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys

Hooked IRP: IRP_MJ_CLOSE

Jump To: 8ADDD1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys

Hooked IRP: IRP_MJ_DEVICE_CONTROL

Jump To: 8ADDD1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys

Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL

Jump To: 8ADDD1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys

Hooked IRP: IRP_MJ_POWER

Jump To: 8ADDD1F8

Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys

Hooked IRP: IRP_MJ_SYSTEM_CONTROL

Jump To: 8ADDD1F8

Hooking Module: _unknown_

******************************************************************************************

Ports:

Local Address: VENTO:1050

Remote Address: STATIC-IP-62-41.EURORINGS.NET:HTTP

Type: TCP

Process: C:\Program Files\Fichiers communs\Java\Java Update\jucheck.exe

State: ESTABLISHED

Local Address: VENTO:NETBIOS-SSN

Remote Address: 0.0.0.0:0

Type: TCP

Process: SYSTEM

State: LISTENING

Local Address: VENTO:5354

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: LISTENING

Local Address: VENTO:5152

Remote Address: LOCALHOST:1201

Type: TCP

Process: C:\Program Files\Java\jre6\bin\jqs.exe

State: CLOSE_WAIT

Local Address: VENTO:5152

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Java\jre6\bin\jqs.exe

State: LISTENING

Local Address: VENTO:1200

Remote Address: LOCALHOST:5152

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: VENTO:1031

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\alg.exe

State: LISTENING

Local Address: VENTO:3261

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

State: LISTENING

Local Address: VENTO:3260

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

State: LISTENING

Local Address: VENTO:2869

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\svchost.exe

State: LISTENING

Local Address: VENTO:MICROSOFT-DS

Remote Address: 0.0.0.0:0

Type: TCP

Process: SYSTEM

State: LISTENING

Local Address: VENTO:EPMAP

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\WINDOWS\system32\svchost.exe

State: LISTENING

Local Address: VENTO:5353

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: VENTO:1900

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: VENTO:138

Remote Address: NA

Type: UDP

Process: SYSTEM

State: NA

Local Address: VENTO:NETBIOS-NS

Remote Address: NA

Type: UDP

Process: SYSTEM

State: NA

Local Address: VENTO:123

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: VENTO:1900

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: VENTO:1202

Remote Address: NA

Type: UDP

Process: C:\Program Files\Internet Explorer\iexplore.exe

State: NA

Local Address: VENTO:1053

Remote Address: NA

Type: UDP

Process: C:\Program Files\Internet Explorer\iexplore.exe

State: NA

Local Address: VENTO:1036

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: VENTO:123

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\svchost.exe

State: NA

Local Address: VENTO:4500

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\lsass.exe

State: NA

Local Address: VENTO:1025

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: VENTO:500

Remote Address: NA

Type: UDP

Process: C:\WINDOWS\system32\lsass.exe

State: NA

Local Address: VENTO:MICROSOFT-DS

Remote Address: NA

Type: UDP

Process: SYSTEM

State: NA

******************************************************************************************

Hidden files/folders:

Object: C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\GameExplorer\{F248ADFA-64E0-4B03-8A83-059078BED6A0}\PlayTasks\1\Les Sims™ 2

Status: Hidden

Object: C:\Documents and Settings\SESSION XP\Application Data\SecuROM\UserData\???????????p?????????

Status: Hidden

Object: C:\Documents and Settings\SESSION XP\Application Data\SecuROM\UserData\???????????p?????????

Status: Hidden

Object: C:\Documents and Settings\SESSION XP\Favoris\YouTube zoé\YouTube - Barbapapa 10 - Le cha^teau HQ.URL

Status: Hidden

Object: C:\Documents and Settings\SESSION XP\Local Settings\Application Data\Microsoft\Windows\GameExplorer\{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}\PlayTasks\1\Les Sims™ 2

Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase

Status: Access denied

Object: C:\System Volume Information\tracking.log

Status: Access denied

Object: C:\System Volume Information\_restore{FD7007FD-6E61-4B86-85CB-4E7EEC6DD628}

Status: Access denied

Renaud_C · le 9 août 2010

bonsoir pear, et merci

je lance rootrepeal.

Renaud_C · le 9 août 2010

Voici le rapport

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/08/09 22:28

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: a77nbax1.SYS

Image Path: C:\WINDOWS\System32\Drivers\a77nbax1.SYS

Address: 0xB7119000 Size: 303104 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB420D000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xB85E4000 Size: 8192 File Visible: No Signed: -

Status: -

Name: mc23.tmp

Image Path: C:\DOCUME~1\SESSIO~1\LOCALS~1\Temp\mc23.tmp

Address: 0xB86D8000 Size: 2560 File Visible: No Signed: -

Status: -

Name: PCI_PNP8262

Image Path: \Driver\PCI_PNP8262

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB0787000 Size: 49152 File Visible: No Signed: -

Status: -

Name: spsv.sys

Image Path: spsv.sys

Address: 0xB7EA9000 Size: 1040384 File Visible: No Signed: -

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@cdn5.specificclick[1].txt

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@forum.zebulon[1].txt

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\SESSION XP\Cookies\adCACOYUUF

Status: Locked to the Windows API!

Path: C:\Documents and Settings\SESSION XP\Cookies\adserveCAEYNGL3.htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@www.zebulon[1].txt

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@zebulon[2].txt

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@cdn5.specificclick[2].txt

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@forum.zebulon[2].txt

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@www.zebulon[2].txt

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\SESSION XP\Cookies\session_xp@zebulon[1].txt

Status: Visible to the Windows API, but not on disk.

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xb879b6fe

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xb879b6f4

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xb879b703

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xb879b70d

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "spsv.sys" at address 0xb7ec7ca2

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "spsv.sys" at address 0xb7ec8030

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xb879b712

#: 119 Function Name: NtOpenKey

Status: Hooked by "spsv.sys" at address 0xb7eaa0c0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xb879b6e0

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xb879b6e5

#: 160 Function Name: NtQueryKey

Status: Hooked by "spsv.sys" at address 0xb7ec8108

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "spsv.sys" at address 0xb7ec7f88

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xb879b71c

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xb879b717

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xb879b708

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xb879b6ef

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x8ad6f1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]

Process: System Address: 0x89a8c1f8 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]

Process: System Address: 0x8ad38500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]

Process: System Address: 0x8ad38500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ad38500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8ad38500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_POWER]

Process: System Address: 0x8ad38500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8ad38500 Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_PNP]

Process: System Address: 0x8ad38500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x8ac641f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]

Process: System Address: 0x8addf1f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]

Process: System Address: 0x8ad391f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]

Process: System Address: 0x8ad391f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ad391f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8ad391f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]

Process: System Address: 0x8ad391f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8ad391f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]

Process: System Address: 0x8ad391f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x8ad711f8 Size: 121

Object: Hidden Code [Driver: a77nbax1ȅఈ浍浓談Ā, IRP_MJ_CREATE]

Process: System Address: 0x8ac50500 Size: 121

Object: Hidden Code [Driver: a77nbax1ȅఈ浍浓談Ā, IRP_MJ_CLOSE]

Process: System Address: 0x8ac50500 Size: 121

Object: Hidden Code [Driver: a77nbax1ȅఈ浍浓談Ā, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ac50500 Size: 121

Object: Hidden Code [Driver: a77nbax1ȅఈ浍浓談Ā, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8ac50500 Size: 121

Object: Hidden Code [Driver: a77nbax1ȅఈ浍浓談Ā, IRP_MJ_POWER]

Process: System Address: 0x8ac50500 Size: 121

Object: Hidden Code [Driver: a77nbax1ȅఈ浍浓談Ā, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8ac50500 Size: 121

Object: Hidden Code [Driver: a77nbax1ȅఈ浍浓談Ā, IRP_MJ_PNP]

Process: System Address: 0x8ac50500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x89af41f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x89af41f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89af41f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89af41f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x89af41f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x89af41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x8ad321f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x8ad321f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8ad321f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8ad321f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x8ad321f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8ad321f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x8ad321f8 Size: 121

Object: Hidden Code [Driver: sbp2port, IRP_MJ_CREATE]

Process: System Address: 0x8addd1f8 Size: 121

Object: Hidden Code [Driver: sbp2port, IRP_MJ_CLOSE]

Process: System Address: 0x8addd1f8 Size: 121

Object: Hidden Code [Driver: sbp2port, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8addd1f8 Size: 121

Object: Hidden Code [Driver: sbp2port, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8addd1f8 Size: 121

Object: Hidden Code [Driver: sbp2port, IRP_MJ_POWER]

Process: System Address: 0x8addd1f8 Size: 121

Object: Hidden Code [Driver: sbp2port, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8addd1f8 Size: 121

Object: Hidden Code [Driver: sbp2port, IRP_MJ_PNP]

Process: System Address: 0x8addd1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]