My PC has been pretty slow lately.... (SOLVED)

Closed

Claudia34
Posts: 1256
Registered: 28 Feb 2007, 00:53

Post by Claudia34 » 08 Feb 2008, 14:33

Hi, a little while ago I let some friends use the PC (under a limited user account, of course), and afterwards the PC was different: slower, not only when booting the OS, but Internet Explorer also hangs sometimes.

Just in case, I'm posting the HijackThis log in normal mode and in safe mode, plus the EliStara and EliTriIP logs and the McAfee anti-rootkit log.

Besides that, I've scanned with several online antivirus scanners, Spybot Search & Destroy, Ad-Aware SE, a-squared and AVG Anti-Spyware.

Regards.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:40:43 a.m., on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Archivos de programa\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Adición a la lista de impresión de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Impresión a alta velocidad de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Impresión de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Vista previa de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5216/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5287 bytes





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:47:12 a.m., on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Archivos de programa\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Adición a la lista de impresión de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Impresión a alta velocidad de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Impresión de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Vista previa de Easy-WebPrint - res://C:\Archivos de programa\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5216/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4925 bytes







Fri Feb 08 10:29:53 2008
EliTriIP v4.34 (c)2008 S.G.H. / Satinfo S.L.
---------------------------------------------
List of Actions (by Direct Action):

Fri Feb 08 10:29:59 2008
EliStartPage v15.61 (c)2008 S.G.H. / Satinfo S.L.
--------------------------------------------------
List of Actions (by Scan):
Scanning Drive C:\

Fri Feb 08 10:30:00 2008
EliTriIP v4.34 (c)2008 S.G.H. / Satinfo S.L.
---------------------------------------------
List of Actions (by Scan):
Scanning Drive C:\

Total Directories: 3332
Total Files: 45151
Files Scanned: 11130
Infected Files: 0
Cleaned Files: 0

Total Directories: 3332
Total Files: 45151
Files Scanned: 12593
Infected Files: 0
Cleaned Files: 0

Rules for being at least 40% safer on the internet: "browse with a limited user account; have 1 antispyware, 1 firewall (hardware), 1 antivirus, 1 IDS and 1 HIPS on the PC, all kept up to date; run a weekly scan with 7 online antivirus scanners; use SiteAdvisor; keep up daily with computer security news; disable some unnecessary Windows XP services; check files with VirusTotal before opening them; use some free antimalware and antirootkit tools for a weekly scan; be a bit paranoid when browsing the internet (trust almost no one); use a browser that doesn't have many security holes; back up your data regularly; keep all the software on the PC up to date, as well as the OS; don't give out private data while browsing; use a strong, complex password for every user on the PC; change passwords frequently; use EliPen; etc., etc."
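As an added example, not code from the post or from either tool, here is a small Python triage script for the two log formats in this thread. It parses HijackThis logs, lists the processes that run in normal mode but not in safe mode, flags "(no file)" registrations and O16 DPF download points, and groups the SSDT-hook records of a McAfee Rootkit Detective report (the format of the report in the next post) by owning module. The embedded sample input is a constructed excerpt of the logs posted here. The owner table is partly an assumption: vsdatant.sys is ZoneAlarm's TrueVector driver per the O23 line in the log, while the explanation of TUKernel.exe as a renamed kernel image installed by TuneUp Utilities' boot-screen feature is assumed and labelled as such in the code.

```python
import re
from collections import defaultdict

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")

def parse_hjt(text):
    """(boot_mode, running_processes, [(section, body), ...]) for one HJT log."""
    mode, procs, entries, in_procs = None, [], [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HJT_LINE.match(line)
        if line.startswith("Boot mode:"):
            mode = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group("sec"), m.group("body")))
        elif in_procs and "\\" in line:
            procs.append(line)
    return mode, procs, entries

def triage_hjt(text):
    """Entries worth a second look: "(no file)" registrations (orphaned CLSIDs, inert
    but removable) and O16 DPF entries, sites allowed to push ActiveX code into IE."""
    _, _, entries = parse_hjt(text)
    orphans = [(s, b) for s, b in entries if "(no file)" in b]
    dpf_hosts = sorted({re.search(r"https?://([^/\s]+)", b).group(1)
                        for s, b in entries if s == "O16" and "://" in b})
    return {"orphans": orphans, "dpf_hosts": dpf_hosts}

def diff_processes(normal_text, safe_text):
    """Processes in the normal-mode log but not in safe mode: safe mode skips
    third-party services and Run keys, so this is the non-Microsoft startup code."""
    _, normal, _ = parse_hjt(normal_text)
    _, safe, _ = parse_hjt(safe_text)
    safe_lower = {p.lower() for p in safe}
    return [p for p in normal if p.lower() not in safe_lower]

def parse_rkd(text):
    """Group Rootkit Detective SSDT-hook records by the module owning the hook."""
    by_module, rec = defaultdict(list), {}
    for line in map(str.strip, text.splitlines() + [""]):  # "" flushes the last record
        if not line:
            if rec.get("Object-Type") == "SSDT-hook":
                by_module[rec.get("Object-Path", "?")].append(rec.get("Object-Name", "?"))
            rec = {}
        elif ":" in line:
            k, v = line.split(":", 1)
            rec[k.strip()] = v.strip()
    return dict(by_module)

# vsdatant.sys is ZoneAlarm's TrueVector driver (the O23 line in the HJT log).
# TUKernel.exe is an ASSUMPTION: TuneUp Utilities' boot-screen feature boots a renamed
# copy of ntoskrnl.exe under that name (/KERNEL= in boot.ini). Verify boot.ini first.
KNOWN_OWNERS = {
    "vsdatant.sys": "Zone Labs TrueVector (ZoneAlarm firewall)",
    "tukernel.exe": "renamed kernel image (TuneUp boot screen) - assumption, verify boot.ini",
}

def assess_hooks(by_module):
    """(path, hook_count, owner) per module, most hooks first."""
    rows = []
    for path, names in sorted(by_module.items(), key=lambda kv: -len(kv[1])):
        owner = KNOWN_OWNERS.get(path.rsplit("\\", 1)[-1].lower(), "UNKNOWN - investigate")
        rows.append((path, len(names), owner))
    return rows

# Constructed excerpts of the logs posted in this thread (a few lines of each).
HJT_NORMAL = r"""Boot mode: Normal
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Archivos de programa\Eset\nod32krn.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab"""
HJT_SAFE = r"""Boot mode: Safe mode
Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)"""
RKD = r"""Object-Type: SSDT-hook
Object-Name: ZwClose
Object-Path: C:\WINDOWS\system32\TUKernel.exe

Object-Type: SSDT-hook
Object-Name: ZwCreateFile
Object-Path: C:\WINDOWS\system32\vsdatant.sys

Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys"""

if __name__ == "__main__":
    print("normal-only processes:", diff_processes(HJT_NORMAL, HJT_SAFE))
    print("hjt triage:", triage_hjt(HJT_NORMAL))
    for path, n, owner in assess_hooks(parse_rkd(RKD)):
        print(f"{n:3d} hook(s)  {path}  [{owner}]")
```

Run it as a script to print the three summaries. On the full report in the next post nearly every SSDT entry resolves to TUKernel.exe rather than ntoskrnl.exe; a table like that usually means the detector compared handler addresses against a kernel booted under another file name, so check boot.ini for a /KERNEL= switch before reading those entries as hooks. The entries owned by ShldDrv.sys come back as UNKNOWN because nothing in the HJT logs accounts for that driver; that is the one to chase down.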

Claudia34
Posts: 1256
Registered: 28 Feb 2007, 00:53

Post by Claudia34 » 08 Feb 2008, 14:35

McAfee(R) Rootkit Detective 1.1 scan report

On 24-11-2007 at 11:25:26

OS-Version 5.1.2600

Service Pack 2.0

====================================



Object-Type: SSDT-hook

Object-Name: ZwAcceptConnectPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAccessCheck

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAccessCheckAndAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAccessCheckByType

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAccessCheckByTypeAndAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAccessCheckByTypeResultList

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAccessCheckByTypeResultListAndAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAccessCheckByTypeResultListAndAuditAlarmByHandle

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAddAtom

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAddBootEntry

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAdjustGroupsToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAdjustPrivilegesToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAlertResumeThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAlertThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAllocateLocallyUniqueId

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAllocateUserPhysicalPages

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAllocateUuids

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAllocateVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAreMappedFilesTheSame

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwAssignProcessToJobObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCallbackReturn

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCancelDeviceWakeupRequest

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCancelIoFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCancelTimer

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwClearEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwClose

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCloseObjectAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCompactKeys

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCompareTokens

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCompleteConnectPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCompressKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwConnectPort

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwContinue

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateDebugObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateDirectoryObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateFile

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwCreateIoCompletion

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateJobObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateJobSet

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwCreateMailslotFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateMutant

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateNamedPipeFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreatePagingFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreatePort

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwCreateProcess

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwCreateProcessEx

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwCreateProfile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateSection

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwCreateSemaphore

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateSymbolicLinkObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateTimer

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateWaitablePort

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwDebugActiveProcess

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDebugContinue

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDelayExecution

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDeleteAtom

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDeleteBootEntry

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDeleteFile

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwDeleteKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwDeleteObjectAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDeleteValueKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwDeviceIoControlFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDisplayString

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwDuplicateObject

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwDuplicateToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwEnumerateBootEntries

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwEnumerateKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwEnumerateSystemEnvironmentValuesEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwEnumerateValueKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwExtendSection

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFilterToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFindAtom

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFlushBuffersFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFlushInstructionCache

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFlushKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFlushVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFlushWriteBuffer

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFreeUserPhysicalPages

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFreeVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwFsControlFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwGetContextThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwGetDevicePowerState

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwGetPlugPlayEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwGetWriteWatch

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwImpersonateAnonymousToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwImpersonateClientOfPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwImpersonateThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwInitializeRegistry

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwInitiatePowerAction

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwIsProcessInJob

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwIsSystemResumeAutomatic

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwListenPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwLoadDriver

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwLoadKey2

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwLoadKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwLockFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwLockProductActivationKeys

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwLockRegistryKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwLockVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwMakePermanentObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwMakeTemporaryObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwMapUserPhysicalPages

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwMapUserPhysicalPagesScatter

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwMapViewOfSection

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwModifyBootEntry

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwNotifyChangeDirectoryFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwNotifyChangeKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwNotifyChangeMultipleKeys

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenDirectoryObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenFile

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwOpenIoCompletion

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenJobObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwOpenMutant

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenObjectAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenProcess

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwOpenProcessToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenProcessTokenEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenSection

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenSemaphore

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenSymbolicLinkObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenThread

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwOpenThreadToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenThreadTokenEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenTimer

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwPlugPlayControl

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwPowerInformation

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwPrivilegeCheck

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwPrivilegeObjectAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwPrivilegedServiceAuditAlarm

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwProtectVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwPulseEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryAttributesFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryBootEntryOrder

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryBootOptions

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryDebugFilterState

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryDefaultLocale

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryDefaultUILanguage

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryDirectoryFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryDirectoryObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryEaFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryFullAttributesFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInformationAtom

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInformationFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInformationJobObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInformationPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInformationProcess

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInformationThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInformationToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryInstallUILanguage

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryIntervalProfile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryIoCompletion

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwQueryMultipleValueKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryMutant

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryOpenSubKeys

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryPerformanceCounter

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryQuotaInformationFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySection

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySecurityObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySemaphore

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySymbolicLinkObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySystemEnvironmentValue

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySystemEnvironmentValueEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySystemInformation

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQuerySystemTime

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryTimer

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryTimerResolution

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryValueKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwQueryVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryVolumeInformationFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueueApcThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRaiseException

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRaiseHardError

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReadFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReadFileScatter

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReadRequestData

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReadVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRegisterThreadTerminatePort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReleaseMutant

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReleaseSemaphore

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRemoveIoCompletion

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRemoveProcessDebug

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRenameKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReplaceKey

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwReplyPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReplyWaitReceivePort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReplyWaitReceivePortEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReplyWaitReplyPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRequestDeviceWakeup

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRequestPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRequestWaitReplyPort

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwRequestWakeupLatency

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwResetEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwResetWriteWatch

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwRestoreKey

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwResumeProcess

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwResumeThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSaveKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSaveKeyEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSaveMergedKeys

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSecureConnectPort

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwSetBootEntryOrder

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetBootOptions

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetContextThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetDebugFilterState

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetDefaultHardErrorPort

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetDefaultLocale

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetDefaultUILanguage

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetEaFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetEventBoostPriority

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetHighEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetHighWaitLowEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetInformationDebugObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetInformationFile

Object-Path: C:\WINDOWS\system32\vsdatant.sys



Object-Type: SSDT-hook

Object-Name: ZwSetInformationJobObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetInformationKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetInformationObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetInformationProcess

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetInformationThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetInformationToken

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetIntervalProfile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetIoCompletion

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetLdtEntries

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetLowEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetLowWaitHighEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetQuotaInformationFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetSecurityObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetSystemEnvironmentValue

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetSystemEnvironmentValueEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetSystemInformation

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetSystemPowerState

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetSystemTime

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetThreadExecutionState

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetTimer

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetTimerResolution

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetUuidSeed

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSetValueKey

Object-Path: C:\WINDOWS\system32\drivers\ShldDrv.sys



Object-Type: SSDT-hook

Object-Name: ZwSetVolumeInformationFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwShutdownSystem

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSignalAndWaitForSingleObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwStartProfile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwStopProfile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSuspendProcess

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSuspendThread

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwSystemDebugControl

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwTerminateJobObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwTerminateProcess

Object-Path: C:\WINDOWS\system32\drivers\PavProc.sys



Object-Type: SSDT-hook

Object-Name: ZwTerminateThread

Object-Path: C:\WINDOWS\system32\drivers\PavProc.sys



Object-Type: SSDT-hook

Object-Name: ZwTestAlert

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwTraceEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwTranslateFilePath

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwUnloadDriver

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwUnloadKey

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwUnloadKeyEx

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwUnlockFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwUnlockVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwUnmapViewOfSection

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwVdmControl

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWaitForDebugEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWaitForMultipleObjects

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWaitForSingleObject

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWaitHighEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWaitLowEventPair

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWriteFile

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWriteFileGather

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWriteRequestData

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWriteVirtualMemory

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwYieldExecution

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwCreateKeyedEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwOpenKeyedEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwReleaseKeyedEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwWaitForKeyedEvent

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: SSDT-hook

Object-Name: ZwQueryPortInformationProcess

Object-Path: C:\WINDOWS\system32\TUKernel.exe



Object-Type: IRP-hook

Object-Name: \Driver\Tcpip->IRP_MJ_CLEANUP

Object-Path: \SystemRoot\System32\vsdatant.sys



Object-Type: IRP-hook

Object-Name: \Driver\Tcpip->IRP_MJ_INTERNAL_DEVICE_CONTROL

Object-Path: \SystemRoot\System32\vsdatant.sys



Object-Type: IRP-hook

Object-Name: \Driver\Tcpip->IRP_MJ_DEVICE_CONTROL

Object-Path: \SystemRoot\System32\vsdatant.sys



Object-Type: IRP-hook

Object-Name: \Driver\Tcpip->IRP_MJ_CLOSE

Object-Path: \SystemRoot\System32\vsdatant.sys



Object-Type: IRP-hook

Object-Name: \Driver\Tcpip->IRP_MJ_CREATE

Object-Path: \SystemRoot\System32\vsdatant.sys



Object-Type: Registry-key

Object-Name: 0SystemRoot\System32\vsdatant.sys

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\0

Status: Hidden



Object-Type: Registry-value

Object-Name: FileName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\0

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\0

Status: Hidden



Object-Type: Registry-value

Object-Name: BuildDate

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\0

Status: Hidden



Object-Type: Registry-value

Object-Name: BuildCheckSum

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\0

Status: Hidden



Object-Type: Registry-value

Object-Name: Location

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\0

Status: Hidden



Object-Type: Registry-key

Object-Name: 1OFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\0

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\1

Status: Hidden



Object-Type: Registry-value

Object-Name: FileName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\1

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\1

Status: Hidden



Object-Type: Registry-value

Object-Name: BuildDate

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\1

Status: Hidden



Object-Type: Registry-value

Object-Name: BuildCheckSum

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\1

Status: Hidden



Object-Type: Registry-value

Object-Name: Location

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865\Filelist\1

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}

Status: Hidden



Object-Type: Registry-value

Object-Name: FriendlyName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}

Status: Hidden



Object-Type: Registry-value

Object-Name: ComponentGUID

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}

Status: Hidden



Object-Type: Registry-value

Object-Name: Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}

Status: Hidden



Object-Type: Registry-value

Object-Name: Sub-Version

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionInfName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}

Status: Hidden



Object-Type: Registry-value

Object-Name: ExceptionCatalogName

Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}

Status: Hidden



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : USER32.dll!SetWindowsHookExW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : USER32.dll!SetWindowsHookExA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!ZwDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ntdll.dll!NtDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : kernel32.dll!TerminateProcess =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ADVAPI32.dll!StartServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ADVAPI32.dll!StartServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ADVAPI32.dll!OpenServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ADVAPI32.dll!OpenServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ADVAPI32.dll!CreateServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1492

Details: Export : Function : ADVAPI32.dll!CreateServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : USER32.dll!SetWindowsHookExW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : USER32.dll!SetWindowsHookExA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!ZwDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ntdll.dll!NtDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : kernel32.dll!TerminateProcess =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ADVAPI32.dll!StartServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ADVAPI32.dll!StartServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ADVAPI32.dll!OpenServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ADVAPI32.dll!OpenServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ADVAPI32.dll!CreateServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 1812

Details: Export : Function : ADVAPI32.dll!CreateServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : USER32.dll!SetWindowsHookExW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : USER32.dll!SetWindowsHookExA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!ZwDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ntdll.dll!NtDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : kernel32.dll!TerminateProcess =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ADVAPI32.dll!StartServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ADVAPI32.dll!StartServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ADVAPI32.dll!OpenServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ADVAPI32.dll!OpenServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ADVAPI32.dll!CreateServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 824

Details: Export : Function : ADVAPI32.dll!CreateServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : USER32.dll!SetWindowsHookExW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : USER32.dll!SetWindowsHookExA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!ZwDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ntdll.dll!NtDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : kernel32.dll!TerminateProcess =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ADVAPI32.dll!StartServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ADVAPI32.dll!StartServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ADVAPI32.dll!OpenServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ADVAPI32.dll!OpenServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ADVAPI32.dll!CreateServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 248

Details: Export : Function : ADVAPI32.dll!CreateServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : USER32.dll!SetWindowsHookExW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : USER32.dll!SetWindowsHookExA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!ZwDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ntdll.dll!NtDeleteFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : kernel32.dll!TerminateProcess =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ADVAPI32.dll!StartServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ADVAPI32.dll!StartServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ADVAPI32.dll!OpenServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ADVAPI32.dll!OpenServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ADVAPI32.dll!CreateServiceW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 264

Details: Export : Function : ADVAPI32.dll!CreateServiceA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : USER32.dll!SetWindowsHookExW =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : USER32.dll!SetWindowsHookExA =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwQueryValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwQueryKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwOpenKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwOpenFile =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwEnumerateValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwEnumerateKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwDeleteValueKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwDeleteKey =>

Object-Path:

Status: Hooked



Object-Type: IAT/EAT-hook

PID: 136

Details: Export : Function : ntdll.dll!ZwDeleteFile =>

Rules to be at least 40% safer on the internet: "browse with a limited user account, keep 1 antispyware, 1 (hardware) firewall, 1 antivirus, 1 IDS and 1 HIPS on the PC, all kept up to date, run a weekly scan with 7 online antivirus engines, use Site Advisor, keep up daily with computer security news, disable some unnecessary Windows XP services, analyze files with VirusTotal before opening them, use some free antimalware and antirootkit tools for a weekly scan, be a little paranoid when browsing the internet (trust almost no one), use a browser that doesn't have many security holes, back up your data regularly, keep all the software on the PC updated as well as the OS, don't give out private data while browsing, use a strong, complex password for every user on the PC, change passwords frequently, use elipen, etc., etc."

Claudia34
Posts: 1256
Joined: 28 Feb 2007, 00:53

Post by Claudia34 » 08 Feb 2008, 14:43

The log is so long that more than half of it got cut off, so I'm attaching the log instead of pasting it:
Attachments
RootkitDetectiveReport.txt
(533.97 KiB) Downloaded 12 times
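The Rootkit Detective report pasted above lists the same IAT/EAT hooks in one process after another, each with an empty Object-Path. As an added example (not code from this thread or from McAfee), the Python script below parses entries in that layout, groups the hooked imports by PID, reports which ones are hooked in every scanned process, and separates the hooks the tool could not attribute to a module from those it could. The sample report, its PIDs, the address 0x7c9a0000 and the path C:\EXAMPLE\hookmod.dll are constructed for the demo; the entry layout is the one visible in the pasted log.

```python
"""Summarise IAT/EAT-hook entries from a McAfee Rootkit Detective text report.

Added example; not code from the original thread or from McAfee. It assumes
the entry layout visible in the pasted log: Object-Type / PID / Details /
Object-Path / Status blocks separated by blank lines.
"""
import re
from collections import defaultdict


def _entry(pid, name, target="", path=""):
    # Builds one block in the report's layout (constructed, for the demo).
    return (f"Object-Type: IAT/EAT-hook\n\nPID: {pid}\n\n"
            f"Details: Export : Function : {name} => {target}\n\n"
            f"Object-Path: {path}\n\nStatus: Hooked\n\n\n\n")


# Constructed sample: two processes share the same two hooks with no
# Object-Path; one process has an extra hook the tool could attribute.
SAMPLE_REPORT = "".join([
    _entry(1492, "ADVAPI32.dll!OpenServiceW"),
    _entry(1492, "ntdll.dll!ZwOpenKey"),
    _entry(1812, "ADVAPI32.dll!OpenServiceW"),
    _entry(1812, "ntdll.dll!ZwOpenKey"),
    _entry(1812, "kernel32.dll!CreateFileW", "0x7c9a0000", "C:\\EXAMPLE\\hookmod.dll"),
])

# "Export : Function : MODULE!NAME => [destination]"
DETAILS_RE = re.compile(r"Function\s*:\s*(\S+)!(\S+)\s*=>\s*(.*)$")


def parse_report(text):
    """Return one dict per hook entry: type, pid, module, function, target, path, status."""
    entries = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Object-Type":          # starts a new entry
            if current:
                entries.append(current)
            current = {"type": value}
        elif key == "PID":
            current["pid"] = int(value)
        elif key == "Details":
            m = DETAILS_RE.search(value)
            if m:
                current["module"], current["function"], current["target"] = m.groups()
        elif key == "Object-Path":        # drive-letter colon stays in value
            current["path"] = value
        elif key == "Status":
            current["status"] = value
    if current:
        entries.append(current)
    return entries


def hooked_functions_by_pid(entries):
    """Map each PID to the set of 'module!function' names hooked in it."""
    by_pid = defaultdict(set)
    for e in entries:
        if e.get("status") == "Hooked" and "function" in e:
            by_pid[e["pid"]].add(f"{e['module']}!{e['function']}")
    return dict(by_pid)


def common_to_all_pids(entries):
    """Functions hooked in every scanned process.

    The same imports hooked in every process usually come from one
    system-wide component (a security product's user-mode hooks are the
    common benign cause); which module the hook resolves to is what decides
    whether it is benign, so those hooks are the ones to attribute first.
    """
    by_pid = hooked_functions_by_pid(entries)
    if not by_pid:
        return set()
    return set.intersection(*by_pid.values())


def unattributed_hooks(entries):
    """(pid, module!function) pairs with no Object-Path and no destination: check by hand."""
    return sorted(
        (e["pid"], f"{e['module']}!{e['function']}")
        for e in entries
        if "function" in e and not e.get("path") and not e.get("target")
    )


def attributed_hooks(entries):
    """(pid, module!function, path) triples the tool did tie to a module on disk."""
    return sorted(
        (e["pid"], f"{e['module']}!{e['function']}", e["path"])
        for e in entries
        if "function" in e and e.get("path")
    )


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(f"{len(parsed)} hook entries in {len(hooked_functions_by_pid(parsed))} processes")
    print("hooked in every process:", sorted(common_to_all_pids(parsed)))
    for pid, name, path in attributed_hooks(parsed):
        print(f"PID {pid}: {name} -> {path}")
    print("unattributed:", unattributed_hooks(parsed))
```

Run against a saved report with `parse_report(open("RootkitDetectiveReport.txt").read())`; a set of hooks present in every PID, as in the log above, is a single component to identify, while a hook that appears in one process only, or resolves to an unexpected module, is the entry worth sending for analysis.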

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (ESPAÑA)

Post by msc hotline sat » 08 Feb 2008, 15:07

Once again, don't attach text files, log or txt; copy them with copy and paste, even in pieces over several posts, otherwise the structure is lost and they're no use to us.



And the HJT log is clean; send us these files from the McAfee Rootkit report:



C:\WINDOWS\system32\vsdatant.sys



C:\WINDOWS\system32\TUKernel.exe



and we'll analyze them and report back



You already know:



-> To do so, remember: https://foros.zonavirus.com/viewtopic.php?f=2&t=45334





regards



ms, 8-2-2008

Claudia34
Posts: 1256
Joined: 28 Feb 2007, 00:53

Post by Claudia34 » 09 Feb 2008, 12:26

OK, I've already sent the 2 files requested above. As for TUKernel.exe, if I'm not mistaken I think it's a file I already sent once to be analyzed; I think it belongs to TuneUp 2007, mainly to do with the PC's visual appearance.

And vsdatant.sys is, I think, the ZoneAlarm firewall, if I'm not mistaken; anyway, we'll see what's in it, and in the meantime I'm also sending it to VirusTotal to see what the 32 antivirus engines say.



Regards.

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (ESPAÑA)

Post by msc hotline sat » 09 Feb 2008, 21:10

Yes, that way we'll have a head start for Monday when we're back at work; and post us the VirusTotal log for the two files mentioned, thanks



regards



ms, 9-2-2008

Claudia34
Posts: 1256
Joined: 28 Feb 2007, 00:53

Post by Claudia34 » 09 Feb 2008, 21:49

File vsdatant.sys received on 02.09.2008 21:26:17 (CET)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)


Antivirus Version Last Update Result

AhnLab-V3 2008.2.6.10 2008.02.05 -

AntiVir 7.6.0.62 2008.02.08 -

Authentium 4.93.8 2008.02.08 -

Avast 4.7.1098.0 2008.02.09 -

AVG 7.5.0.516 2008.02.09 -

BitDefender 7.2 2008.02.09 -

CAT-QuickHeal None 2008.02.08 -

ClamAV 0.92 2008.02.09 -

DrWeb 4.44.0.09170 2008.02.09 -

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5522 2008.02.08 -

Ewido 4.0 2008.02.09 -

FileAdvisor 1 2008.02.09 -

Fortinet 3.14.0.0 2008.02.09 -

F-Prot 4.4.2.54 2008.02.08 -

F-Secure 6.70.13260.0 2008.02.09 -

Ikarus T3.1.1.20 2008.02.09 -

Kaspersky 7.0.0.125 2008.02.09 -

McAfee 5226 2008.02.08 -

Microsoft 1.3204 2008.02.09 -

NOD32v2 2861 2008.02.09 -

Norman 5.80.02 2008.02.08 -

Panda 9.0.0.4 2008.02.09 -

Prevx1 V2 2008.02.09 -

Rising 20.29.22.00 2008.01.30 -

Sophos 4.26.0 2008.02.09 -

Sunbelt 2.2.907.0 2008.02.09 -

Symantec 10 2008.02.09 -

TheHacker 6.2.9.214 2008.02.09 -

VBA32 3.12.6.0 2008.02.09 -

VirusBuster 4.3.26:9 2008.02.09 -

Webwasher-Gateway 6.6.2 2008.02.09 -

Additional information

File size: 394192 bytes

MD5: 270986575ceb1f8ea48e7545d55ff810

SHA1: 039f75ec03a33127f9c84a43854ae3caaca2f704

PEiD: -





File TUKernel.exe received on 02.09.2008 21:45:09 (CET)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)


Antivirus Version Last Update Result

AhnLab-V3 2008.2.6.10 2008.02.05 -

AntiVir 7.6.0.62 2008.02.08 -

Authentium 4.93.8 2008.02.08 -

Avast 4.7.1098.0 2008.02.09 -

AVG 7.5.0.516 2008.02.09 -

BitDefender 7.2 2008.02.09 -

CAT-QuickHeal None 2008.02.08 -

ClamAV 0.92 2008.02.09 -

DrWeb 4.44.0.09170 2008.02.09 -

eSafe 7.0.15.0 2008.01.28 -

eTrust-Vet 31.3.5522 2008.02.08 -

Ewido 4.0 2008.02.09 -

FileAdvisor 1 2008.02.09 -

Fortinet 3.14.0.0 2008.02.09 -

F-Prot 4.4.2.54 2008.02.08 -

F-Secure 6.70.13260.0 2008.02.09 -

Ikarus T3.1.1.20 2008.02.09 -

Kaspersky 7.0.0.125 2008.02.09 -

McAfee 5226 2008.02.08 -

Microsoft 1.3204 2008.02.09 -

NOD32v2 2861 2008.02.09 -

Norman 5.80.02 2008.02.08 -

Panda 9.0.0.4 2008.02.09 -

Prevx1 V2 2008.02.09 -

Rising 20.29.22.00 2008.01.30 -

Sophos 4.26.0 2008.02.09 -

Sunbelt 2.2.907.0 2008.02.09 -

Symantec 10 2008.02.09 -

TheHacker 6.2.9.214 2008.02.09 -

VBA32 3.12.6.0 2008.02.09 -

VirusBuster 4.3.26:9 2008.02.09 -

Webwasher-Gateway 6.6.2 2008.02.09 -

Additional information

File size: 2322432 bytes

MD5: 7f657dd7975aba96aff36687fd2e4890

SHA1: 33a01ea1d38b9d5ec53d2cc286b789d584f0842f

PEiD: -
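Two things a practitioner checks in a result like the two above: whether a 0/32 verdict rests on engines with current signatures (several "Last Update" dates in the tables are days older than the scan), and that the MD5/SHA1 printed in the report match the file that was actually sent for analysis. This added Python example, not from the thread or from VirusTotal, parses the 2008-era text layout pasted above. Its sample is constructed, including a made-up detection row and a "Result: 1/6" header so the count can be cross-checked, and its hashes are those of the bytes b"abc" so the comparison can be exercised offline.

```python
"""Check a pasted VirusTotal result of the layout shown in the thread.

Added example, not from the original thread or from VirusTotal. It assumes
the 2008-era text layout: one "Engine Version LastUpdate Result" line per
engine, a "Result: k/n" header and an "Additional information" block.
"""
import hashlib
import re
from datetime import datetime

# Constructed sample in that layout. The Rising row is a made-up hit to show
# how detections are extracted; the real posts above had 0/32.
SAMPLE = """\
File sample.sys received on 02.09.2008 21:26:17 (CET)
Result: 1/6 (16.67%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
CAT-QuickHeal None 2008.02.08 -
eSafe 7.0.15.0 2008.01.28 -
Kaspersky 7.0.0.125 2008.02.09 -
Prevx1 V2 2008.02.09 -
Rising 20.29.22.00 2008.01.30 Example.Detection.Name
Additional information
File size: 3 bytes
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA1: a9993e364706816aba3e25717850c26c9cd0d89d
PEiD: -
"""

# engine, version and a YYYY.MM.DD update date, then the result text
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)


def parse_rows(text):
    """One dict per engine row; 'updated' becomes a date object."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["updated"] = datetime.strptime(d["updated"], "%Y.%m.%d").date()
            rows.append(d)
    return rows


def received_date(text):
    """Scan date from the 'received on MM.DD.YYYY' header (VirusTotal used US order)."""
    m = re.search(r"received on (\d{2}\.\d{2}\.\d{4})", text)
    return datetime.strptime(m.group(1), "%m.%d.%Y").date() if m else None


def header_result(text):
    """(hits, engines) from the 'Result: k/n' header, to cross-check the rows."""
    m = re.search(r"Result:\s*(\d+)/(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def detections(rows):
    """(engine, detection name) for every engine that flagged the file."""
    return [(r["engine"], r["result"]) for r in rows if r["result"] != "-"]


def stale_engines(rows, scan_date, max_age_days=7):
    """Engines whose signatures were last updated more than max_age_days before the scan.

    A clean verdict from these engines says less than one from a current engine.
    """
    return sorted(
        (r["engine"] for r in rows if (scan_date - r["updated"]).days > max_age_days),
        key=str.lower,
    )


def report_hashes(text):
    """(md5, sha1) printed in the 'Additional information' block, lower-cased."""
    md5 = re.search(r"^MD5:\s*([0-9a-fA-F]{32})", text, re.M)
    sha1 = re.search(r"^SHA1:\s*([0-9a-fA-F]{40})", text, re.M)
    return (md5.group(1).lower() if md5 else None, sha1.group(1).lower() if sha1 else None)


def hashes_match(data, md5_hex, sha1_hex):
    """True when the local file bytes hash to the values the report printed."""
    return (hashlib.md5(data).hexdigest() == md5_hex.lower()
            and hashlib.sha1(data).hexdigest() == sha1_hex.lower())


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    scan = received_date(SAMPLE)
    print("header says", header_result(SAMPLE), "rows say", (len(detections(rows)), len(rows)))
    print("detections:", detections(rows))
    print("engines older than a week at scan time:", stale_engines(rows, scan))
    print("hashes match b'abc':", hashes_match(b"abc", *report_hashes(SAMPLE)))
```

For a real file, replace `b"abc"` with `open(path, "rb").read()`; a mismatch means the verdict belongs to a different file than the one on the machine, which is exactly the situation the helper guarded against by asking for the files themselves.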

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (ESPAÑA)

Post by msc hotline sat » 10 Feb 2008, 08:26

Well, no clues from VirusTotal; we'll monitor them when we receive them, they could be unknown rootkits...





regards



ms, 10-2-2008

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (ESPAÑA)

Post by msc hotline sat » 11 Feb 2008, 16:30

Well, relax, they turn out to be from Microsoft and from ZoneAlarm, so they're not the issue...



The only odd thing is that TUKERNEL.EXE is originally called NTOSKRNL.EXE; I don't know why it has a different name on your machine ???



Delete the files in the c:\windows\prefetch folder, delete temporary files, empty the recycle bin, run an error check and defragment, and give it a little push :wink: , let's see if you can get it to run faster :wink:



regards



ms, 11-2-2008

Claudia34
Posts: 1256
Joined: 28 Feb 2007, 00:53

Post by Claudia34 » 11 Feb 2008, 21:18

I deleted the contents of the prefetch folder and that solved it; thanks again for the help.



Regards.

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (ESPAÑA)

Post by msc hotline sat » 11 Feb 2008, 21:21

Well, I'm glad to hear it; considering the topic solved, we'll go ahead and close it



If you need us again, you know where to find us, right... :wink:



regards Claudia



ms, 11-2-2008

Closed
