Author Topic: Unidentified Process  (Read 18866 times)

King_Yoshi
Re: Unidentified Process
« Reply #15 on: October 13, 2009, 02:13:05 AM »
I ran ComboFix, and it seems to have removed a couple of things. If you want to see the log, it's posted below.
After running it, the pop-up that sometimes came up disappeared.
(I also created a restore point on an external drive before I ran ComboFix, just in case, since ComboFix has at times done some unusual things in the past.)

Corrine (Administrator)
Re: Unidentified Process
« Reply #16 on: October 13, 2009, 11:04:44 PM »
Please see the new Log Posting Instructions.  Post the logs here.  Please do not run ComboFix at this time.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

King_Yoshi
Re: Unidentified Process
« Reply #17 on: October 14, 2009, 05:56:04 PM »
I am fully aware of what it says about running ComboFix. (This is what my backups are for.)

I will most likely reinstall NetBalancer to see if the "unknown" program is still running. If it is, then it's either an anomaly or a really clever piece of spyware/adware/virus, etc.

ComboFix 09-10-11.03 - Yoshi 10/12/2009 15:26.4.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1516 [GMT -4:00]
Running from: c:\documents and settings\Yoshi\Desktop\ComboFix.exe
Command switches used :: \u
AV: avast! antivirus 4.8.1335 [VPS 090618-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

(((((((((((((((((((((((((   Files Created from 2009-09-12 to 2009-10-12  )))))))))))))))))))))))))))))))
.

2009-10-12 01:31 . 2009-10-12 01:31   --------   d-----w-   c:\documents and settings\LocalService\Application Data\Xfire
2009-10-09 05:17 . 2009-10-09 05:17   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Xfire
2009-10-09 05:15 . 2009-10-12 03:08   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\Xfire
2009-10-09 05:15 . 2009-10-09 05:15   --------   d-----w-   c:\program files\Xfire
2009-09-25 22:21 . 2009-09-25 22:21   41872   ----a-w-   c:\windows\system32\xfcodec.dll
2009-09-22 23:44 . 2009-09-22 23:44   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\SeriousBit
2009-09-22 20:30 . 2009-09-22 20:30   --------   d-----w-   c:\documents and settings\Yoshi\Local Settings\Application Data\PunkBuster
2009-09-22 18:02 . 2009-09-22 18:02   --------   d-sh--w-   c:\windows\ftpcache
2009-09-22 18:01 . 2009-10-12 06:14   138808   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2009-09-22 18:00 . 2009-10-12 06:35   190144   ----a-w-   c:\windows\system32\PnkBstrB.exe
2009-09-22 18:00 . 2009-09-22 20:31   75064   ----a-w-   c:\windows\system32\PnkBstrA.exe
2009-09-21 20:12 . 2009-09-21 20:12   --------   d-----w-   c:\program files\Paradox Interactive
2009-09-14 18:59 . 2009-09-14 19:39   --------   d-----w-   c:\program files\IObit
2009-09-14 18:59 . 2009-09-14 19:39   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\IObit
2009-09-13 22:23 . 2009-09-13 22:23   --------   d-----w-   c:\windows\system32\wbem\Repository

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 19:11 . 2009-06-18 13:17   71764   ----a-w-   c:\windows\system32\pguard.dat
2009-10-12 19:10 . 2009-06-20 22:57   148216   ----a-w-   c:\windows\system32\pghash.dat
2009-10-12 06:59 . 2009-08-16 00:49   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\vlc
2009-10-12 01:27 . 2007-10-02 00:25   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\Skype
2009-10-08 07:03 . 2009-06-18 20:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 20:06 . 2007-10-01 19:32   --------   d-----w-   c:\program files\World of Warcraft
2009-09-30 01:17 . 2007-10-01 20:38   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\uTorrent
2009-09-25 03:19 . 2007-10-01 00:13   --------   d-----w-   c:\program files\Computer + Important
2009-09-23 00:02 . 2009-06-18 15:29   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-09-22 18:01 . 2009-09-22 18:01   22328   ----a-w-   c:\documents and settings\Yoshi\Application Data\PnkBstrK.sys
2009-09-22 18:00 . 2007-09-30 23:44   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-09-17 20:30 . 2009-07-10 03:27   --------   d-----w-   c:\program files\Starcraft
2009-09-16 19:50 . 2009-08-14 04:10   --------   d-----w-   c:\program files\Warcraft III
2009-09-15 06:01 . 2007-10-01 23:44   --------   d-----w-   c:\program files\Diablo II
2009-09-14 18:45 . 2007-10-10 00:25   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\Lavasoft
2009-09-14 18:35 . 2007-10-06 18:45   --------   d-----w-   c:\program files\Magic Workstation
2009-09-13 23:17 . 2009-06-19 02:36   --------   d-----w-   c:\program files\NCSoft
2009-09-10 18:54 . 2009-06-18 15:29   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-06-18 15:29   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-09-07 21:19 . 2009-09-07 21:19   --------   d-----w-   c:\program files\Creative Labs
2009-09-07 21:19 . 2009-09-07 21:16   --------   d-----w-   c:\program files\EidosNet
2009-09-07 21:16 . 2009-09-07 21:16   --------   d-----w-   c:\program files\Eidos Interactive
2009-09-03 02:28 . 2009-09-03 02:09   --------   d-----w-   c:\documents and settings\Yoshi\Application Data\DC++
2009-08-28 01:57 . 2009-08-14 04:15   77383   ----a-w-   c:\windows\War3Unin.dat
2009-08-21 03:35 . 2009-08-19 00:33   --------   d-----w-   c:\program files\WC3Banlist
2009-08-19 22:47 . 2009-08-19 22:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-19 00:33 . 2009-08-19 00:33   --------   d-----w-   c:\program files\WinPcap
2009-08-17 02:44 . 2007-10-08 21:00   --------   d-----w-   c:\program files\DivX
2009-08-17 00:59 . 2009-08-17 00:58   --------   d-----w-   c:\program files\GameSpy Arcade
2009-08-17 00:56 . 2009-08-17 00:56   --------   d-----w-   c:\program files\Microsoft Games
2009-08-16 00:47 . 2009-08-16 00:47   --------   d-----w-   c:\program files\VideoLAN
2009-08-15 03:54 . 2009-06-23 19:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-14 04:26 . 2009-08-14 04:15   2829   ----a-w-   c:\windows\War3Unin.pif
2009-08-14 04:26 . 2009-08-14 04:15   139264   ----a-w-   c:\windows\War3Unin.exe
2009-08-11 16:52 . 2007-10-02 01:02   111528   ----a-w-   c:\documents and settings\Yoshi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2007-10-01 02:33   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2009-06-29 02:56   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2001-08-23 12:00   58880   ----a-w-   c:\windows\system32\atl.dll
2009-07-17 07:27 . 2009-07-17 07:27   107888   ----a-w-   c:\windows\system32\CmdLineExt.dll
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"!1_ProcessGuard_Startup"="c:\program files\ProcessGuard\procguard.exe" [2008-07-25 267287]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-28 8531968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-28 81920]
"!1_pgaccount"="c:\program files\ProcessGuard\pgaccount.exe" [2008-07-25 120832]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-04-28 2045128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-28 1626112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-04-28 335048]

[HKLM\~\startupfolder\C:^Documents and Settings^Yoshi^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Yoshi\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"LightScribeService"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iPhone Tunnel Suite\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Paradox Interactive\\Majesty 2\\Majesty2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"z:\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/18/2009 4:24 PM 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/22/2009 10:19 AM 198224]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/22/2009 10:19 AM 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/22/2009 10:19 AM 29776]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/18/2009 4:24 PM 20560]
R2 DCSPGSRV;DiamondCS ProcessGuard Service v3.500;c:\program files\ProcessGuard\DCSUserProt.exe [6/20/2009 6:51 PM 31744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/22/2009 10:19 AM 361672]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [6/20/2009 6:51 PM 26688]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/22/2009 10:19 AM 3052744]
S3 HCW848NT;Hauppauge Win/TV;c:\windows\system32\drivers\HCW848NT.sys [6/18/2009 7:37 PM 140440]
S3 Nbdrv;NetBalancer Service;c:\windows\system32\DRIVERS\nbdrv.sys --> c:\windows\system32\DRIVERS\nbdrv.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 Tfsphckmbr;Tfsphckmbr;
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yoshi\Application Data\Mozilla\Firefox\Profiles\fj41nmqy.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 15:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  !1_pgaccount = "c:\program files\ProcessGuard\pgaccount.exe"*Spammer**Spammer**Spammer*??????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-12 15:31
ComboFix-quarantined-files.txt  2009-10-12 19:31
ComboFix2.txt  2009-10-12 19:20

Pre-Run: 19,410,472,960 bytes free
Post-Run: 19,393,359,872 bytes free

176   --- E O F ---   2009-09-09 07:07

Paddy (LandzDown Team)
Re: Unidentified Process
« Reply #18 on: October 16, 2009, 10:48:22 PM »
Quote
I am fully aware of what it says about running ComboFix. (This is what my backups are for.)

I also hope you are aware that you might also have backed up your problem.



Paddy.. :thud:
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Corrine (Administrator)
Re: Unidentified Process
« Reply #19 on: October 17, 2009, 12:17:57 AM »
Quote
(I also created a restore point on an external drive before I ran ComboFix, just in case, since ComboFix has at times done some unusual things in the past.)
Quote
I am fully aware of what it says about running ComboFix.

I am fully aware that you have no clue about what you are doing:

-- ComboFix creates a restore point prior to running.
-- Do you know why you ran this with "Command switches used :: \u"?

That said, I need to see this log:  ComboFix-quarantined-files.txt  2009-10-12 19:31

I also referred you to the new Log Instructions.  Please follow the instructions there for RootRepeal and post the resultant log.


King_Yoshi
Re: Unidentified Process
« Reply #20 on: October 27, 2009, 06:26:54 PM »
Yes, I am aware that the problem was backed up. I have 2 backups.

The first is a completely fresh install from the first day I installed this OS. (Nothing yet installed but the basic drivers, etc.)

The second is my computer before I started messing with it, INCLUDING the problem. I started to do this so I can back up to that point again if I screw up later on.
     This way I can mess around and screw things up as much as I want without much worry. (Then if you require me to start over, I can easily do so.)

Additionally, both backups are on 2 separate external hard drives.


The ComboFix-quarantined-files.txt log does not exist. It may have been deleted when I used the combofix.exe /u command, for it does not exist in the proper drive or ComboFix folder.
Now if you wish, I can use my second backup of my computer to restore it to where it was before I used ComboFix and start over.

Also, the command line /u usually deals with uninstalling.

Quote
I am fully aware of what it says about running ComboFix. (This is what my backups are for.)

I also hope you are aware that you might also have backed up your problem.

Paddy.. :thud:

King_Yoshi
Re: Unidentified Process
« Reply #21 on: October 27, 2009, 06:39:28 PM »
Here is the rootrepeal log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/10/27 15:38
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5CA6000   Size: 49152   File Visible: No   Signed: -
Status: -

SSDT
-------------------
#: 017   Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bd790

#: 019   Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bddb0

#: 031   Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bc2a0

#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba053c

#: 041   Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2678

#: 046   Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bbf50

#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64b9220

#: 048   Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64b95f0

#: 050   Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64b8d40

#: 053   Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba3534

#: 057   Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bb230

#: 062   Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64cb320

#: 063   Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2d71

#: 065   Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2c6f

#: 068   Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bbc70

#: 071   Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ca830

#: 073   Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ca860

#: 084   Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba055e

#: 097   Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bd260

#: 098   Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64c9f00

#: 116   Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba051e

#: 119   Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2644

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ba0e0

#: 125   Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba20b3

#: 128   Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bab90

#: 137   Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2452

#: 160   Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ca7d0

#: 177   Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ca800

#: 180   Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bdf30

#: 186   Function Name: NtReadVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba242f

#: 193   Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ca2a0

#: 200   Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba17c8

#: 204   Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ca500

#: 206   Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bb920

#: 207   Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ca7b0

#: 210   Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bc660

#: 213   Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba39b4

#: 240   Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba31f7

#: 247   Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2816

#: 249   Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bd160

#: 253   Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2475

#: 254   Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba39f2

#: 255   Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bb590

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2410

#: 258   Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba39d3

#: 262   Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bd480

#: 277   Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba23ed

==EOF==
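The RootRepeal log above lists roughly fifty hooked SSDT entries, and every one of them is attributed to either OADriver.sys or procguard.sys. Both names match drivers the ComboFix log earlier in this thread shows as installed services (Online Armor's OADriver.sys and DiamondCS ProcessGuard's procguard.sys), so on their own these hooks are the expected footprint of two HIPS products rather than a sign of something hidden. The script below is an added example, not part of the forum thread and not code from RootRepeal or ComboFix: it parses a RootRepeal SSDT section, groups the hooks by hooking driver, reports any driver that is not on a short allowlist built from the ComboFix service list, and sanity-checks that each known driver's hook addresses span no more bytes than the image size ComboFix printed for that file. The sample input is a constructed excerpt in the same format as the posted log; the driver name unknown-example.sys is a hypothetical placeholder that does not appear anywhere in the real log and exists only to exercise the unexplained-driver path.

```python
import re
from collections import defaultdict


# Drivers that the ComboFix log earlier in this thread lists as installed
# security products, keyed by lowercase file name, with the image size in
# bytes ComboFix printed for each file (OADriver.sys 198224, procguard.sys
# 26688). Any other hooking driver is reported as unexplained.
KNOWN_HOOKERS = {
    "oadriver.sys": ("Online Armor firewall (Tall Emu)", 198224),
    "procguard.sys": ("DiamondCS ProcessGuard", 26688),
}

# Constructed excerpt in RootRepeal 1.3.5.0 SSDT format. The OADriver.sys and
# procguard.sys entries are copied from the posted log; "unknown-example.sys"
# is a hypothetical placeholder (not present in the real log) so that the
# unexplained-driver path is exercised.
SAMPLE_SSDT = r"""SSDT
-------------------
#: 017   Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64bd790

#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba053c

#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64b9220

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb64ba0e0

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xbaba2410

#: 200   Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\unknown-example.sys" at address 0xb7e01000

==EOF==
"""

# One hooked entry spans two lines: the "#:" line and the "Status:" line.
HOOK_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+'
    r'Status:\s*Hooked by "(?P<path>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_ssdt_hooks(text):
    """Return one dict per hooked SSDT entry found in a RootRepeal log."""
    hooks = []
    for m in HOOK_RE.finditer(text):
        path = m.group("path")
        hooks.append({
            "index": int(m.group("index")),
            "func": m.group("func"),
            "path": path,
            # basename of a Windows path, independent of the host OS
            "driver": path.replace("\\", "/").rsplit("/", 1)[-1].lower(),
            "addr": int(m.group("addr"), 16),
        })
    return hooks


def group_by_driver(hooks):
    """Map lowercase driver file name -> list of hook entries."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["driver"]].append(h)
    return dict(grouped)


def triage(hooks, known=KNOWN_HOOKERS):
    """Split hooking drivers into known products and unexplained ones.

    For known drivers, also check that the spread of hook addresses fits
    inside the driver's image size: hooks attributed to a driver but spread
    over more bytes than that driver occupies cannot all live inside it.
    """
    report = {"known": {}, "unknown": {}, "span_warnings": []}
    for driver, entries in group_by_driver(hooks).items():
        funcs = sorted(e["func"] for e in entries)
        addrs = [e["addr"] for e in entries]
        span = max(addrs) - min(addrs) + 1
        if driver in known:
            product, image_size = known[driver]
            report["known"][driver] = {"product": product, "functions": funcs, "span": span}
            if span > image_size:
                report["span_warnings"].append(driver)
        else:
            report["unknown"][driver] = {"functions": funcs, "span": span}
    return report


if __name__ == "__main__":
    report = triage(parse_ssdt_hooks(SAMPLE_SSDT))
    for drv, info in report["known"].items():
        print(f"{drv}: {info['product']}, {len(info['functions'])} hooks, span {info['span']} bytes")
    for drv, info in report["unknown"].items():
        print(f"UNEXPLAINED: {drv} hooks {', '.join(info['functions'])}")
    for drv in report["span_warnings"]:
        print(f"WARNING: hooks attributed to {drv} do not fit inside its image")
```

Run against the full posted log, the allowlist should account for every entry; the interesting output is any driver that lands in the unknown list, or a known driver whose hook addresses are too widely scattered for its file size, since either would mean the hook attribution does not match the software the ComboFix log says is installed.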