caspertone2003

bad hooks?


I was unsure where to post in relation to AVZ!!

Windows 7; I got infected with virut-c. All was nicely cleared with virutkiller. Windows exes were disinfected but do not have the proper signatures.

sfc reports that it cannot replace some modules (still pending to do sfc in safe mode, but I am not able to now - long story).

Machine looks ok ... but internet goes very slowly ...

I checked with all - only GMER and AVZ point to something ... the use of 29211539AC.sys ... a file I cannot locate anywhere on the disk.

AVZ report goes below. I am running TrueImage and McAfee.

Is that 29211539AC.sys bad?

How can I remove that?


Thanks in advance.


CTone.


= = = = = = = = log follows


1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=169B00)

Kernel ntkrnlpa.exe found in memory at address 83819000

SDT = 83982B00

KiST = 8389743C (401)

Function NtCreateProcess (4F) - machine code modification Method of JmpTo. jmp 8C39C91C\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted

Function NtCreateProcessEx (50) - machine code modification Method of JmpTo. jmp 8C39C930\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted

Function NtCreateThread (57) intercepted (83AF5FE2->B77B2982), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtCreateThreadEx (58) intercepted (83A8A4BB->B77B2A10), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtCreateUserProcess (5D) - machine code modification Method of JmpTo. jmp 8C39C946\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted

Function NtMakeTemporaryObject (A4) intercepted (83A25A34->B77B2774), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtQueueApcThread (10D) intercepted (83A15E54->B77B2AA0), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtQueueApcThreadEx (10E) intercepted (83A12011->B77B2B30), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtSetContextThread (13C) intercepted (83AF7857->B77B2BC0), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtSetInformationProcess (14D) - machine code modification Method of JmpTo. jmp 8C39C95A\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted

Function NtSetSystemInformation (15E) intercepted (83A6838A->B77AF2BE), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtSetSystemTime (160) intercepted (83AAA21E->B77AF474), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtTerminateProcess (172) - machine code modification Method of JmpTo. jmp 8C39C908\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted

Function NtUnmapViewOfSection (181) intercepted (83A7E9CA->B77B26E6), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtWriteVirtualMemory (18F) intercepted (83A79AA7->B77B09A0), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys

Function NtSetInformationProcess (83A52885) - machine code modification Method of JmpTo. jmp 8C39C95A \SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted

Functions checked: 401, intercepted: 10, restored: 0

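As an added example (not code from the post, the forum, or AVZ itself), here is a small Python triage script that parses the "kernel-mode API hooks" lines in a report like the one above, groups the hooks by the driver that installed them, and flags any hooking module that AVZ did not mark as trusted or that is loaded from a user-writable directory such as the Temp path in the log. The sample lines are constructed copies of three entries from the report; the regexes and the directory list are assumptions about the log format, not an AVZ specification.

```python
import re

# Constructed sample in the shape of the AVZ "kernel-mode API hooks" lines quoted above.
SAMPLE_LOG = r"""
Function NtCreateProcess (4F) - machine code modification Method of JmpTo. jmp 8C39C91C\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
Function NtCreateThread (57) intercepted (83AF5FE2->B77B2982), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys
Function NtWriteVirtualMemory (18F) intercepted (83A79AA7->B77B09A0), hook C:\Users\cba\AppData\Local\Temp\29211539AC.sys
Functions checked: 401, intercepted: 10, restored: 0
"""
# SSDT entry redirected: "Function NAME (IDX) intercepted (ORIG->NEW), hook MODULE"
POINTER_RE = re.compile(
    r"^Function (\w+) \((\w+)\) intercepted \(([0-9A-Fa-f]+)->([0-9A-Fa-f]+)\), hook (.+)$")
# Function body patched with a jmp: "... Method of JmpTo. jmp ADDR\MODULE[, driver recognized as trusted]"
INLINE_RE = re.compile(
    r"^Function (\w+) \((\w+)\) - machine code modification Method of JmpTo\. jmp "
    r"([0-9A-Fa-f]+)\s*([^,]+?)(, driver recognized as trusted)?$")
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\")  # assumed list; any user can write here


def parse_hooks(log_text):
    """Return one dict per hooked SSDT entry found in an AVZ log excerpt."""
    hooks = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = POINTER_RE.match(line)
        if m:  # pointer hook: the log above carries no trust verdict for these
            name, idx, _orig, new, module = m.groups()
            hooks.append({"function": name, "index": int(idx, 16), "kind": "pointer",
                          "target": int(new, 16), "module": module, "trusted": False})
            continue
        m = INLINE_RE.match(line)
        if m:
            name, idx, target, module, trusted = m.groups()
            hooks.append({"function": name, "index": int(idx, 16), "kind": "inline",
                          "target": int(target, 16), "module": module, "trusted": trusted is not None})
    return hooks


def suspicious_modules(hooks):
    """Group hooks by module; keep modules AVZ did not vouch for or that sit in user-writable paths."""
    findings = {}
    for h in hooks:
        reasons = []
        if not h["trusted"]:
            reasons.append("not recognized as trusted")
        if any(d in h["module"].lower() for d in USER_WRITABLE_DIRS):
            reasons.append("loaded from a user-writable directory")
        if reasons:
            entry = findings.setdefault(h["module"], {"functions": [], "reasons": sorted(reasons)})
            entry["functions"].append(h["function"])
    return findings
```

Run it over the full report text to get one entry per hooking driver; the functions it lists for the Temp driver (thread creation, APC queuing, context and memory writes) are the ones worth preserving in the incident notes before the file is removed.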

Welcome. Please see: Kaspersky Lab Forum > English User Forum > Virus-related issues > the fourth Important topic. There, you will find instructions for GSI and AVZ logs.


Please see the small print that is located at the bottom of this message.
