Well, as the topic says, a virus won't let me install or update any antivirus programs, and I can't update the malware/spyware software already on my computer. It's not just that; whenever I try to go to a known antivirus website or any website that might help, I get blocked, and from time to time I get attacked by rogue anti-spyware (like right now!). The rogue spyware is the least of my worries; I just want control of my PC back. I use Windows XP SP2. I really need you guys' and gals' help. I'm not picky, just please help me fix my problem. Thanks.

All 94 Replies

I get attacked by rogue anti-spyware (like right now!). The rogue spyware is the least of my worries; I just want control of my PC back.

Hi and welcome to daniweb...had to laugh, sorry, but it appears your problem IS rogue spyware, not the least of your worries..it is your worry.
Are you able to boot to Safe Mode with Networking? If so this may allow you to download some programs needed for cleaning.
If you cannot download them directly to the computer do you have access to another computer? If so you could download the install file to the other computer, transfer them via either a burned cd or flash drive to the infected computer and then run the programs. Try both ways and see if it is possible. Here is what you need, obviously the first one should be updated and can be if you are using safe mode with networking. If it cannot be updated because you are installing via outside source that is fine. Even non-updated is better than none.
Now if at all possible MBA-M should most definitely be run in NORMAL mode, it is designed to run in NORMAL mode. Running in Safe mode does not allow it to load all of its drivers. If that is 100% impossible to do then go ahead and run in Safe Mode but please make the attempt first to run it in NORMAL mode.
If you can only run in safe mode then do so, following the exact same instructions below. Then once you have run it in safe mode you MUST attempt to run it in Normal mode following same steps.
Here is what you need to begin with:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
Rename this file to winlogon.exe

* DoubleClick the renamed mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.

Download HiJackThis. Do a System Scan with it and save the log.
Post back here with the MBA-M log and the HJT log.
Judy

Thanks for the welcome, now let's get down to brass tacks :) I already have MBA-M installed on my computer, and I'll get you that log ASAP. But I have to use another computer to update, because whatever is on my computer cuts the program off from the internet, so whenever I try to update I get an error message saying I have no internet connection, when that's just plain not true. And that's the case with all my other programs. That's the reason I can't install antivirus software: they all have to update or they won't install.

Back! And I got what you asked for too. Here you go:

mbam-log-2009-11-23 (15-09-22)

Malwarebytes' Anti-Malware 1.41
Database version: 3219
Windows 5.1.2600 Service Pack 2

11/23/2009 3:09:22 PM
mbam-log-2009-11-23 (15-09-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 191661
Time elapsed: 1 hour(s), 13 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP16\A0014038.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP16\A0014192.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP40\A0016570.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP40\A0016574.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP40\A0016585.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP41\A0016595.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP41\A0016601.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP41\A0016628.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP41\A0016645.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP41\A0016631.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP42\A0023222.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP42\A0023226.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP42\A0023242.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP42\A0023249.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
And here's HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:21 PM, on 11/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ashampoo\Ashampoo FireWall FREE\FireWall.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shortcut365.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ask.com/?o=101760&l=dis
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: zAdBHO.BHOMain - {447E64C2-C073-4C31-9D1F-FF37219C8524} - C:\WINDOWS\zAdBho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cn5ji02r.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.80.dll
O4 - HKLM\..\Run: [NetSoft] iexplore.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall FREE\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WSD_A] C:\WINDOWS\TEMP\ptxo.tmp /cs:0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WSD_A] C:\WINDOWS\TEMP\ptxo.tmp /cs:0 (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O4 - Global Startup: run_startmenu.cmd
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 4989 bytes
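As an added example (not from the thread and not part of HijackThis), a small Python triage pass over an excerpt of the log above. The rules are my own heuristics for the entry types HJT reports: autostarts launched from TEMP, rundll32 loading a DLL from a user profile, bare executable names with no path, Run entries written into the SYSTEM hive, and orphaned or oddly placed BHOs; they flag entries for a human to review, not verdicts.

```python
import re

# Excerpt of the HijackThis log posted above (lines copied as-is), used as sample input.
HJT_EXCERPT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: zAdBHO.BHOMain - {447E64C2-C073-4C31-9D1F-FF37219C8524} - C:\WINDOWS\zAdBho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NetSoft] iexplore.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WSD_A] C:\WINDOWS\TEMP\ptxo.tmp /cs:0 (User 'SYSTEM')
"""

# "O4 - <hive>\..\Run: [<name>] <command> (User '<account>')"  (the User part is optional)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def check_autostart(hive, cmd):
    """Heuristic flags (my own, not HJT's) for one Run/RunOnce command line."""
    reasons = []
    if re.search(r"\\temp\\|\.tmp\b", cmd, re.I):
        reasons.append("autostart launches from a TEMP directory or a .tmp file")
    if re.match(r"rundll32(\.exe)?\s", cmd, re.I) and \
            re.search(r"\\docume~1\\|\\documents and settings\\", cmd, re.I):
        reasons.append("rundll32 loads a DLL stored in a user profile instead of a program directory")
    if "\\" not in cmd:
        reasons.append("bare executable name with no path (resolved by PATH search; installers write full paths)")
    if hive.upper().startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
        reasons.append("Run entry placed in the SYSTEM / Default user hive, which installers do not normally use")
    return reasons


def check_bho(path):
    """Heuristic flags for a browser helper object's DLL location."""
    reasons = []
    if path.strip().lower() == "(no file)":
        reasons.append("orphaned BHO: CLSID registered but the DLL is missing")
    elif re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.dll", path.strip(), re.I):
        reasons.append("BHO DLL sits directly in the Windows directory rather than a program folder")
    return reasons


def triage_hjt(log_text):
    """Return (entry name or CLSID, [reasons]) for every flagged O2/O4 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            reasons = check_autostart(m["hive"], m["cmd"])
            if reasons:
                findings.append((m["name"], reasons))
        elif m := O2_RE.match(line):
            reasons = check_bho(m["path"])
            if reasons:
                findings.append((m["clsid"], reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_hjt(HJT_EXCERPT):
        print(entry)
        for reason in reasons:
            print("   -", reason)
```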

Whew! Ok, do this:
Please download Combofix from one of these locations:
HERE or HERE
It is very important that you save this file to your DESKTOP.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingcomputer.com/forums/topic114351.html


Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

* Close any open browsers.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program. While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program's log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
You should now post this log here when all is complete.

Also when it is complete, please run a new System Scan with HJT and post that log after you post the combofix log.
Judy

I can't run ComboFix. Every time I try, the little bar loads and then it says the contents are compromised, and then it deletes itself.

Delete the first one.
Try downloading again and follow all the same directions, but first rename combofix to bossy.exe. Then follow the same directions and see what happens.

Yeah, when it didn't work the first time I redownloaded ComboFix and renamed it last best hope.exe, and still no dice.

Did you try the download the same way that you were able to get MBA-M to download?

Yeah, with MBA-M I just put the program on a thumb drive and transferred it to my PC, and I do the same to update it. But with ComboFix it starts up and then I get this screen that says it's not safe to continue, and then everything shuts down and the file deletes itself. I've tried renaming the file winlogon.exe and last best hope.exe, and I get the same result.

Did you turn off your antivirus program and your firewall?

Yeah, I did. I exited my firewall program; I can't install antivirus, that's why I'm here. And I closed all windows, so I was all set.

Do you have a flash drive from which you can install combofix?

Yeah, I'll get right on it. But just to get everything straight, do I open up my flash drive and click on the .exe?

Didn't ask this: when you renamed it, was it already on the desktop?
If so I wasn't clear enough. When you go to download it and the box comes up asking where to save it, of course it needs to go to the desktop, but THAT is also when you should rename it, not before it is downloaded to the desktop. So the box should come up; choose Save As... then rename it and have it go to the desktop. When you see it on the desktop then it should have that new name already. Is this how you did it?

You could also rename it on the flash drive and then SEND it to the desktop.

Sorry, but yeah, I renamed it on my flash drive and sent it to my desktop.


And it didn't run?

Just noticed something here, in a previous post you said this:

with ComboFix it starts up and then I get this screen that says it's not safe to continue, and then everything shuts down and the file deletes itself

Do you mean one of the screens in the attachments? If it is the Security Warning you have to press RUN or the program will exit, and if it is the Warranty Disclaimer you have to press YES or the program will end. This warning you see must be coming from someplace... your AV program, your firewall; it just won't pop up from nowhere. Is there anything there that tells you where this warning is coming from?

Answer my questions and wait for my reply before doing the step below.

Download Avenger and unzip to your desktop.
Run Avenger, make sure that the box next to "Scan for rootkits" has a tick in it and that the box next to "Automatically disable any rootkits found" does not have a tick in it, then click on ‘Execute’. Afterwards, Windows restarts, and opens the log generated by The Avenger so you can see the results.

Next try Combofix again... deleting ALL copies first, of course, and installing a brand new, RENAMED one. See what happens.

No, it's not the Security Warning or the Warranty Disclaimer. The message is coming from the ComboFix program itself; it says the contents are compromised, and below that it says I might have something called a Virut.

Try the instructions I gave above concerning Avenger and running of combofix.

I tried what you said, but ComboFix still won't run. If it helps, here's the Avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ennhxhscvrlewrv" found!
DisplayName: ennhxhscvrlewrv
ImagePath: \??\C:\WINDOWS\system32\drivers\qkmazwv.sys
Start Type: 2 (Automatic)

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for us.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
Post back with the log.
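An added example, not part of Judy's post and not GMER's own code: a Python parser for the Device, Thread and SSDT lines a GMER log contains, run on a constructed excerpt in the same line format. It reports which native calls are hooked, the address range the hook handlers fall into, whether every thread sees the same hooks, and which driver owns them (via the tag GMER prints on the driver's device object). The capability grouping is my own reading of what each hooked call lets a kernel rootkit interfere with.

```python
import re
from collections import defaultdict

# Constructed excerpt in the line format GMER 1.0.15 emits (two threads and a
# subset of the hooked calls); a real log has the same shape, only longer.
SAMPLE_GMER_LOG = r"""
---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\ennhxhscvrlewrv \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 000006AE

---- Threads - GMER 1.0.15 ----

Thread System [4:1736] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1736] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1736] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1736] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1736] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:500] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.500] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.500] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.500] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.500] ZwWriteVirtualMemory [0xF2A76675]
"""

# "Thread <image> [pid:tid] SSDT <table this thread uses> != <the kernel's table>"
THREAD_RE = re.compile(r"^Thread (\S+) \[(\d+):(\d+)\] SSDT (0x[0-9A-Fa-f]+) != (0x[0-9A-Fa-f]+)$")
# "SSDT <tag> <image> [pid.tid] <native call> [<hook handler address>]"
HOOK_RE = re.compile(r"^SSDT ([0-9A-Fa-f]+) (\S+) \[(\d+)\.(\d+)\] (Zw\w+) \[(0x[0-9A-Fa-f]+)\]$")
# "Device \Driver\<name> <device object> <tag>": the tag links a driver to its SSDT lines
DEVICE_RE = re.compile(r"^Device \\Driver\\(\S+) (\S+) ([0-9A-Fa-f]{8})$")

# Which native calls are hooked tells you what the rootkit is built to interfere with (my grouping).
CAPABILITY_GROUPS = {
    "file hiding": {"ZwQueryDirectoryFile"},
    "registry hiding/blocking": {"ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey",
                                 "ZwSetValueKey", "ZwDeleteValueKey"},
    "process hiding": {"ZwQuerySystemInformation"},
    "self-protection (process/thread/memory access)": {
        "ZwOpenProcess", "ZwOpenThread", "ZwTerminateThread", "ZwSuspendThread",
        "ZwReadVirtualMemory", "ZwWriteVirtualMemory", "ZwProtectVirtualMemory",
        "ZwSetContextThread"},
}


def parse_gmer(text):
    """Pull the Device, Thread and SSDT lines out of a GMER log."""
    threads, hooks, drivers = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := DEVICE_RE.match(line):
            drivers[m.group(3).upper()] = m.group(1)
        elif m := THREAD_RE.match(line):
            threads.append({"image": m.group(1), "pid": int(m.group(2)), "tid": int(m.group(3)),
                            "ssdt": int(m.group(4), 16), "kernel_ssdt": int(m.group(5), 16)})
        elif m := HOOK_RE.match(line):
            hooks.append({"tag": m.group(1).upper(), "image": m.group(2), "pid": int(m.group(3)),
                          "tid": int(m.group(4)), "func": m.group(5), "handler": int(m.group(6), 16)})
    return {"threads": threads, "hooks": hooks, "drivers": drivers}


def summarize_hooks(parsed):
    """Collapse the per-thread hook lines into what an analyst needs to know."""
    per_thread = defaultdict(dict)
    for h in parsed["hooks"]:
        per_thread[(h["image"], h["pid"], h["tid"])][h["func"]] = h["handler"]
    handlers = [h["handler"] for h in parsed["hooks"]]
    tags = {h["tag"] for h in parsed["hooks"]}
    return {
        # a thread whose service table pointer differs from the kernel's is using a patched copy
        "threads_with_private_ssdt": sum(1 for t in parsed["threads"] if t["ssdt"] != t["kernel_ssdt"]),
        "hooked_functions": sorted({h["func"] for h in parsed["hooks"]}),
        # handlers clustered in one small range all live in a single resident module
        "handler_range": (min(handlers), max(handlers)) if handlers else None,
        # identical hook sets across threads mean one global hook, not per-process tampering
        "uniform_hooks": len({frozenset(d.items()) for d in per_thread.values()}) == 1,
        # the tag on each SSDT line matches the tag printed on the hooking driver's device object
        "hooking_drivers": sorted(parsed["drivers"].get(tag, f"unknown({tag})") for tag in tags),
    }


def hooked_capabilities(funcs):
    """Name the capability groups that the hooked calls cover."""
    return sorted(name for name, members in CAPABILITY_GROUPS.items() if members & set(funcs))


if __name__ == "__main__":
    summary = summarize_hooks(parse_gmer(SAMPLE_GMER_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("capabilities:", hooked_capabilities(summary["hooked_functions"]))
```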

OK, I got the log you wanted, and I don't know how, but things are getting worse. Now I get redirected from just about every website I try to visit; I mean, websites I was at yesterday are inaccessible now. I can't even surf the net on it anymore. I don't know what I have on my PC, but it's got to go. Here's the log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 12:09:41
Windows 5.1.2600 Service Pack 2
Running: hate.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\axtdypog.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F73E19F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\ennhxhscvrlewrv \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 000006AE

---- Threads - GMER 1.0.15 ----

Thread System [4:1736] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1736] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.1736] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.1736] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.1736] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1736] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1736] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.1736] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.1736] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1736] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.1736] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.1736] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.1736] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.1736] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.1736] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.1736] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread System [4:1740] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1740] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.1740] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.1740] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.1740] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1740] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1740] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.1740] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.1740] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1740] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.1740] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.1740] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.1740] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.1740] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.1740] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.1740] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread System [4:1744] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1744] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.1744] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.1744] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.1744] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1744] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1744] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.1744] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.1744] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1744] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.1744] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.1744] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.1744] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.1744] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.1744] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.1744] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread System [4:1748] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1748] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.1748] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.1748] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.1748] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1748] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1748] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.1748] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.1748] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1748] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.1748] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.1748] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.1748] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.1748] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.1748] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.1748] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread System [4:1752] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1752] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.1752] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.1752] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.1752] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1752] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1752] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.1752] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.1752] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1752] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.1752] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.1752] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.1752] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.1752] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.1752] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.1752] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread System [4:1956] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1956] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.1956] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.1956] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.1956] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1956] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1956] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.1956] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.1956] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1956] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.1956] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.1956] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.1956] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.1956] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.1956] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.1956] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread System [4:1960] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.1960] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.1960] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.1960] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.1960] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.1960] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.1960] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.1960] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.1960] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.1960] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.1960] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.1960] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.1960] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.1960] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.1960] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.1960] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread System [4:2736] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE System [4.2736] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE System [4.2736] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE System [4.2736] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE System [4.2736] ZwOpenKey [0xF2A7610F]
SSDT 000006AE System [4.2736] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE System [4.2736] ZwOpenThread [0xF2A75F01]
SSDT 000006AE System [4.2736] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE System [4.2736] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE System [4.2736] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE System [4.2736] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE System [4.2736] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE System [4.2736] ZwSetValueKey [0xF2A76413]
SSDT 000006AE System [4.2736] ZwSuspendThread [0xF2A76049]
SSDT 000006AE System [4.2736] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE System [4.2736] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:1636] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.1636] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnscfg.exe [140.1636] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:108] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.108] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnscfg.exe [140.108] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnscfg.exe [140.108] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnscfg.exe [140.108] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.108] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.108] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnscfg.exe [140.108] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnscfg.exe [140.108] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.108] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnscfg.exe [140.108] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnscfg.exe [140.108] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnscfg.exe [140.108] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnscfg.exe [140.108] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnscfg.exe [140.108] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnscfg.exe [140.108] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:500] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.500] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnscfg.exe [140.500] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnscfg.exe [140.500] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnscfg.exe [140.500] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.500] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.500] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnscfg.exe [140.500] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnscfg.exe [140.500] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.500] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnscfg.exe [140.500] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnscfg.exe [140.500] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnscfg.exe [140.500] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnscfg.exe [140.500] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnscfg.exe [140.500] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnscfg.exe [140.500] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:656] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.656] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnscfg.exe [140.656] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnscfg.exe [140.656] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnscfg.exe [140.656] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.656] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.656] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnscfg.exe [140.656] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnscfg.exe [140.656] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.656] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnscfg.exe [140.656] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnscfg.exe [140.656] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnscfg.exe [140.656] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnscfg.exe [140.656] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnscfg.exe [140.656] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnscfg.exe [140.656] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:684] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.684] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnscfg.exe [140.684] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnscfg.exe [140.684] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnscfg.exe [140.684] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.684] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.684] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnscfg.exe [140.684] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnscfg.exe [140.684] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.684] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnscfg.exe [140.684] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnscfg.exe [140.684] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnscfg.exe [140.684] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnscfg.exe [140.684] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnscfg.exe [140.684] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnscfg.exe [140.684] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:1328] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.1328] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnscfg.exe [140.1328] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:3988] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.3988] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnscfg.exe [140.3988] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [360:1324] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE RaUI.exe [360.1324] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE RaUI.exe [360.1324] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE RaUI.exe [360.1324] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE RaUI.exe [360.1324] ZwOpenKey [0xF2A7610F]
SSDT 000006AE RaUI.exe [360.1324] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE RaUI.exe [360.1324] ZwOpenThread [0xF2A75F01]
SSDT 000006AE RaUI.exe [360.1324] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE RaUI.exe [360.1324] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE RaUI.exe [360.1324] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE RaUI.exe [360.1324] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE RaUI.exe [360.1324] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE RaUI.exe [360.1324] ZwSetValueKey [0xF2A76413]
SSDT 000006AE RaUI.exe [360.1324] ZwSuspendThread [0xF2A76049]
SSDT 000006AE RaUI.exe [360.1324] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE RaUI.exe [360.1324] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [360:3092] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE RaUI.exe [360.3092] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE RaUI.exe [360.3092] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE RaUI.exe [360.3092] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE RaUI.exe [360.3092] ZwOpenKey [0xF2A7610F]
SSDT 000006AE RaUI.exe [360.3092] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE RaUI.exe [360.3092] ZwOpenThread [0xF2A75F01]
SSDT 000006AE RaUI.exe [360.3092] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE RaUI.exe [360.3092] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE RaUI.exe [360.3092] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE RaUI.exe [360.3092] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE RaUI.exe [360.3092] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE RaUI.exe [360.3092] ZwSetValueKey [0xF2A76413]
SSDT 000006AE RaUI.exe [360.3092] ZwSuspendThread [0xF2A76049]
SSDT 000006AE RaUI.exe [360.3092] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE RaUI.exe [360.3092] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [360:1476] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE RaUI.exe [360.1476] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE RaUI.exe [360.1476] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE RaUI.exe [360.1476] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE RaUI.exe [360.1476] ZwOpenKey [0xF2A7610F]
SSDT 000006AE RaUI.exe [360.1476] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE RaUI.exe [360.1476] ZwOpenThread [0xF2A75F01]
SSDT 000006AE RaUI.exe [360.1476] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE RaUI.exe [360.1476] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE RaUI.exe [360.1476] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE RaUI.exe [360.1476] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE RaUI.exe [360.1476] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE RaUI.exe [360.1476] ZwSetValueKey [0xF2A76413]
SSDT 000006AE RaUI.exe [360.1476] ZwSuspendThread [0xF2A76049]
SSDT 000006AE RaUI.exe [360.1476] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE RaUI.exe [360.1476] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:452] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.452] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.452] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.452] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.452] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.452] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.452] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.452] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.452] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.452] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.452] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.452] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.452] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.452] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.452] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.452] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:564] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.564] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.564] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.564] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.564] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.564] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.564] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.564] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.564] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.564] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.564] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.564] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.564] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.564] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.564] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.564] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:568] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.568] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.568] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.568] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.568] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.568] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.568] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.568] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.568] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.568] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.568] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.568] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.568] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.568] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.568] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.568] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:592] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.592] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.592] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.592] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.592] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.592] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.592] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.592] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.592] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.592] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.592] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.592] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.592] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.592] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.592] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.592] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:600] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.600] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.600] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.600] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.600] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.600] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.600] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.600] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.600] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.600] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.600] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.600] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.600] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.600] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.600] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.600] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:604] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.604] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.604] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.604] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.604] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.604] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.604] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.604] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.604] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.604] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.604] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.604] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.604] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.604] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.604] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.604] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:608] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.608] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.608] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.608] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.608] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.608] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.608] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.608] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.608] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.608] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.608] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.608] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.608] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.608] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.608] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.608] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:624] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.624] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.624] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.624] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.624] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.624] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.624] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.624] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.624] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.624] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.624] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.624] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.624] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.624] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.624] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.624] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:688] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.688] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.688] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.688] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.688] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.688] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.688] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.688] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.688] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.688] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.688] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.688] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.688] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.688] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.688] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.688] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:720] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.720] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.720] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.720] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE wmpnetwk.exe [448.720] ZwOpenKey [0xF2A7610F]
SSDT 000006AE wmpnetwk.exe [448.720] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnetwk.exe [448.720] ZwOpenThread [0xF2A75F01]
SSDT 000006AE wmpnetwk.exe [448.720] ZwProtectVirtualMemory [0xF2A766DB]
SSDT 000006AE wmpnetwk.exe [448.720] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnetwk.exe [448.720] ZwQuerySystemInformation [0xF2A75D73]
SSDT 000006AE wmpnetwk.exe [448.720] ZwReadVirtualMemory [0xF2A7660F]
SSDT 000006AE wmpnetwk.exe [448.720] ZwSetContextThread [0xF2A760AC]
SSDT 000006AE wmpnetwk.exe [448.720] ZwSetValueKey [0xF2A76413]
SSDT 000006AE wmpnetwk.exe [448.720] ZwSuspendThread [0xF2A76049]
SSDT 000006AE wmpnetwk.exe [448.720] ZwTerminateThread [0xF2A75FE6]
SSDT 000006AE wmpnetwk.exe [448.720] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread wmpnetwk.exe [448:728] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnetwk.exe [448.728] ZwDeleteValueKey [0xF2A76517]
SSDT 000006AE wmpnetwk.exe [448.728] ZwEnumerateKey [0xF2A761C7]
SSDT 000006AE wmpnetwk.exe [448.728] ZwEnumerateValueKey [0xF2A762D3]
SSDT 000006AE
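The repeated "Thread ... SSDT 0x... != 0x804E2D20" blocks above are easier to triage when reduced to a few facts: which processes have been given a private copy of the system service table, which Zw* services are hooked, and whether every hook points into one compact address range (one hooking driver). The following parser is an added example, not GMER output or code from this thread; it runs over a constructed sample that copies the line format of the log above (a few lines per thread) and is assumed to see only the "Threads" section, so the regexes are assumptions about that format rather than a full GMER grammar.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the format of the GMER 1.0.15 "Threads" section
# shown in the thread above, trimmed to three hooked services per thread.
SAMPLE_LOG = """\
---- Threads - GMER 1.0.15 ----

Thread wmpnscfg.exe [140:500] SSDT 0x84CE9108 != 0x804E2D20

SSDT 000006AE wmpnscfg.exe [140.500] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE wmpnscfg.exe [140.500] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE wmpnscfg.exe [140.500] ZwWriteVirtualMemory [0xF2A76675]

---- Threads - GMER 1.0.15 ----

Thread RaUI.exe [360:1324] SSDT 0x84DFAB90 != 0x804E2D20

SSDT 000006AE RaUI.exe [360.1324] ZwOpenProcess [0xF2A75E79]
SSDT 000006AE RaUI.exe [360.1324] ZwQueryDirectoryFile [0xF2A75CA0]
SSDT 000006AE RaUI.exe [360.1324] ZwWriteVirtualMemory [0xF2A76675]
"""

# Assumed line formats (derived from the log above, not from GMER documentation).
THREAD_RE = re.compile(
    r"^Thread (?P<image>\S+) \[(?P<pid>\d+):(?P<tid>\d+)\] SSDT "
    r"(?P<thread_ssdt>0x[0-9A-Fa-f]+) != (?P<kernel_ssdt>0x[0-9A-Fa-f]+)$")
HOOK_RE = re.compile(
    r"^SSDT \S+ (?P<image>\S+) \[(?P<pid>\d+)\.(?P<tid>\d+)\] "
    r"(?P<func>Zw\w+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$")


def parse_gmer_threads(text):
    """Map (image, pid, tid) -> {thread_ssdt, kernel_ssdt, hooks: {func: addr}}."""
    threads = {}
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            key = (m["image"], int(m["pid"]), int(m["tid"]))
            threads[key] = {"thread_ssdt": int(m["thread_ssdt"], 16),
                            "kernel_ssdt": int(m["kernel_ssdt"], 16),
                            "hooks": {}}
            continue
        m = HOOK_RE.match(line)
        if m:
            key = (m["image"], int(m["pid"]), int(m["tid"]))
            entry = threads.setdefault(
                key, {"thread_ssdt": None, "kernel_ssdt": None, "hooks": {}})
            entry["hooks"][m["func"]] = int(m["addr"], 16)
    return threads


def summarize(threads):
    """Collapse per-thread records into what a responder needs to know:
    which images run on a private (shadow) service table, the set of hooked
    services, and whether all hook targets sit in one address range."""
    shadow_tables = defaultdict(set)   # shadow table address -> images using it
    hooked = {}                        # service name -> set of hook targets
    for (image, _pid, _tid), info in threads.items():
        if info["thread_ssdt"] is not None and info["thread_ssdt"] != info["kernel_ssdt"]:
            shadow_tables[info["thread_ssdt"]].add(image)
        for func, addr in info["hooks"].items():
            hooked.setdefault(func, set()).add(addr)
    all_targets = [a for addrs in hooked.values() for a in addrs]
    return {
        "shadow_tables": {hex(k): sorted(v) for k, v in shadow_tables.items()},
        "hooked_functions": sorted(hooked),
        # True when every hooked service points at exactly one target,
        # i.e. the same hook code is installed in every thread.
        "consistent_targets": all(len(a) == 1 for a in hooked.values()),
        "target_range": (hex(min(all_targets)), hex(max(all_targets))) if all_targets else None,
    }


if __name__ == "__main__":
    report = summarize(parse_gmer_threads(SAMPLE_LOG))
    for k, v in report.items():
        print(f"{k}: {v}")
```

On the sample the summary shows two distinct shadow tables (one per process), an identical hook set in every thread, and all targets inside a span of a few kilobytes. That span is what you would compare against the loaded-driver list from the rest of a GMER report to name the hooking module; the parser does not attempt that on its own.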

Run Avenger again and in the Script window type all of this script:

Drivers to delete:
qkmazwv
str

Files to Delete:
C:\WINDOWS\system32\drivers\qkmazwv.sys
C:\WINDOWS\system32\drivers\str.sys

Be sure there is a check mark in Scan for Rootkits and then click the Execute button.

After that completes then try downloading and running combofix again.

No, not working. I still can't run ComboFix. Is there another program I can use? I've downloaded and redownloaded ComboFix and I get the same result: "alert the contents of the combofix package have been compromised download a fresh copy at ,blah , blah, blah". Oh, and I keep getting redirected to a website called buyonlinedateing.net that sends me to other websites. Do you know any way to stop this? Thanks for your help.

Did you run that Avenger Script? Did it produce a log? If so please post it here.

I ran Avenger like you said and it asked me to restart, which is normal. The problem is it restarted twice and nothing happened, no log, nothing, like it never started at all. Worse yet, everything has gotten a hundred times worse: whenever I try to go into Safe Mode my computer restarts itself, and I get the blue screen of death when I try to open my web browser and, just recently, when I ran MBA-M. I can't use system recovery because for some reason that option is not available any more, but I guess that doesn't matter because the last time I tried to run it I got the blue screen, and I have no idea where the recovery disk that came with it is. All I have is my i386 burned to a disk; I hope to use that to reinstall XP and format my drive. It boots up, so I hope it works, but I don't want to use it before I've laid all my cards on the table and got your feedback. If it helps, here's the website I got the idea and instructions from: http://www.dslreports.com/forum/r19133441-Make-your-own-Windows-XP-CD . Oh, and my PC gets real crappy when it's connected to the internet.

Geeze, I am so sorry. I have been consulting on Crunchie about this so I am going to have him take a look here and see what he suggests, ok?

Thank you. No matter what, I want you to know I am really thankful for your time and effort.

Don't give up yet. Let's see what we can find out.
