Security tool malware

Ok, this malware recently sneaked into my system somehow. I got rid of the desktop icon and deleted the link the icon pointed to. Then I did a scan using Avast in safe mode. But after some time, the Security Tool icon got back onto my desktop somehow.

And there's also this x-inside-a-red-circle icon on my taskbar at the bottom of the screen.

Also, I got occasional Outlook Express compose email box popups and ad popups.

How to get rid of this problem for good?

Please research and wipe out this malware from my system.

Here is a guide for the removal process.
(I was just going to recommend MBAM, but the guide above looks a bit more complete.)

See how you go with it.

I have a problem with MBAM. I got this error message when I tried to run it.

-setup

Unable to execute file:

c\program\malwarebytes’anti-malware\mbam.exe

create process failed code 2

the system cannot find the file specified.

Did you download and save the MBAM installer file? (title mbam-setup.exe)
Did the program install OK, or were there errors during the install?

You quote:

c\program\malwarebytes’anti-malware\mbam.exe

Should this have read: C:\Program Files\Mal…etc

If the answers to these questions are “yes”, please go to the program files location for MBAM.exe (on the path indicated in the error message) and confirm it actually exists. It looks like the icon pictured below.

If it exists, rename it to ineedhelp.exe, * then double click it to run it from that location. (Using any installed shortcut will not work after renaming.)

  • This is a random file name unlikely to be used by any other process, and hopefully not recognized by the malware you have.

Ok, that didn't work. I renamed it and clicked on it, but it wouldn't open. Also, I tried installing MBAM multiple times, but the best I got at opening the software was just seeing its option menu flashing and disappearing.

Please read:
Procedures to help resolve issues preventing MBAM from running
http://www.malwarebytes.org/forums/index.php?showtopic=17607

I'm infected - What do I do now? Please follow these instructions to clean your system

NOTE: If Malwarebytes won’t run or HijackThis won’t run please still create a new post in the Malware Removal - HijackThis Logs forum and explain what happens.

http://www.malwarebytes.org/forums/index.php?showtopic=9573

It's very busy there and may take a day or 2 to receive an answer.

Ok. It hasn’t installed correctly, if at all.

Had you also run Process Explorer, and located the process to kill, and did that work? (Or appear to work?) If so, open it and kill the process immediately before attempting to install MBAM. And if necessary, immediately before attempting to install/run MBAM.

If still no luck, try it again in safe mode.

Next time Avast updates, (I’ve had two updates today) run a scan and see if Avast can detect and clean it.
Getting late, here, running out of ideas a bit. I’ll think on this overnight.

Just seen YoKenny has posted some info. Try his links, too, especially the one about finding MBAM disabled. (I’m not fully sure from what you post whether it has installed but just won’t run, or hasn’t even installed. Can you look at the program files folder and let us know, please.)

None of the others on Kenny's link worked.

Tried RootRepeal; it found c:\hilfil.sys, but it's locked in Windows, I couldn't wipe it out.

I can't get into safe mode; it told me something like esc/cancel for d347bus.sys. Did Security Tool do this? How do I fix this?

I can only get into Directory Service Restore Mode. Is this a good mode to try stuff in, like the Avast updates?

Try using killbox to unlock/delete the file, then immediately attempt to run MBAM.

Did you attempt to find and manually delete the files listed? (Manual removal at the Bleeping computer link above.) That might be a worthwhile step. Also use process explorer (see YoKenny’s link) to attempt to terminate the malicious process so that MBAM can then (hopefully) be installed and run.

Do you need any advice regarding removal of registry entries? This can be problematic, especially if you delete the wrong one.
Good luck.

Ok, killbox didn't kill hibfil.sys. It said something like "file doesn't seem to exist".

About the Remove Security Tool page: if I should remove the stuff listed on the page, please advise how. I quote:

Associated Security Tool Files:
Please note that the files and folders for Security Tool and SecurityTool have random names.

%UserProfile%\Application Data\4946550101
%UserProfile%\Application Data\4946550101\4946550101.bat
%UserProfile%\Application Data\4946550101\4946550101.cfg
%UserProfile%\Application Data\4946550101\4946550101.exe
%UserProfile%\Desktop\Security Tool.lnk
%UserProfile%\Start Menu\Programs\Security Tool.lnk

Associated Security Tool Windows Registry Information:

Please note that the files and folders for Security Tool and SecurityTool have random names.

HKEY_CURRENT_USER\Software\Security Tool
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "4946550101"

First, show your hidden and system files.
Try and find the file Rootrepeal says it found. It should be on the C drive, by itself, (not in a folder) according to the path you indicated.

Using Windows Explorer, navigate through the folders on your computer to "C:\Documents and Settings\Your computer user name and a bunch of alphanumerics\Application Data" and see if you can find any of those files in that folder. The warning that the names might be random will make it a bit more difficult. See if you can find a group of files named a bit like the examples.

Report back. If you can post a screenshot of the names once you think you’ve found them, or list the names (There’s a lot of legitimate stuff in that folder), that may help.

To find the registry entries, click "Start", then "Run", then type regedit and press Enter.
An explorer style window belonging to the registry editor will open.
Navigate to the keys listed above (in turn) the same way you’d navigate through any windows folder structure.

The first one might exist as listed. The second, if it exists, is likely to have the same name as any “dodgy” entries you’ve been able to see in your application data folder.

Post back, please.

Dang, I can't apply the unhide file feature. Under the Tools tab of my My Computer window, as you can see, there is no option to unhide files. Did Security Tool do this?

Moreover, for regedit, I looked in this folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Is the blue highlight the problem?

did Security Tool do this?
I don't know. But something has, and it probably is Security Tool, or a variant, or one of its henchmen. And that is probably true of all the symptoms, such as being unable to install/run MBAM.

I’ll see if I can find a fix to restore your folder options, but it’s late here so don’t expect a reply soon, sorry.
Here is a link for a step by step in how to maybe re-enable folder options. It’s probably worth trying.
Another thing worth checking is to see if “folder options”, in the control panel, will be available, but I doubt it.
If you can get it working, the folder "C:\Documents and Settings\All user~1.… " and whatever comes next: (see below*) might be a good place to start looking.

moreover, for regedit, i look in this folder:
Well, at least regedit hasn't been disabled. (Whew.) You'll need to slide the tab header across to view more of the key, on the right side of the regedit panel. (Just to the right of the word "Data" near the top middle of the picture is a small vertical divider line. You can drag that with the mouse: move to it, left click and hold, then mouse to the right.) That will reveal more of the data name. *It will also give a good pointer as to the folder it's hiding in.*

I think you may have hit gold... or at least a small vein. I'm not saying "delete these", just that they look very likely culprits. (To delete them you'd right click each in turn and select "delete" from the context menu. They would probably resist, in which case you'd have to change their permissions, which you would do by right clicking the corresponding entry in the left pane and going through the "change permissions" option. Can be involved. Just so you know what's likely to be next, if these are bad.) It is fairly easy to bork your computer by taking a wrong step in regedit. So it would pay to wait for a detailed step by step.

Please also look in this area of regedit:
HKEY_CURRENT_USER\Software\Security Tool
and advise if that data is present.

Hopefully someone else, trained in the ways of malware removal, will see this thread and post to it while I’m hibernating.
As you may have gathered, I’m not that sharp when it comes to malware removal, so am erring on the side of caution. If I’ve given you enough pointers to go on with, and you’re confident about proceeding, and you are able to delete any of those files (with killbox or otherwise), especially a .exe. or .dll file, I’d try MBAM straight away again, before rebooting. If you can kill some but not others, and have a partial success, do not reboot the machine, and do leave it disconnected from the net. (You actually should have it disconnected anyway. I should’ve posted that earlier.)
If you are not confident about proceeding, post back with the result of moving the column header; wait for more info.
PS, I’d look at backing up your important files, just in case. (It’s wise to make this a regular event, anyway.)

Hi, could you run these two programmes so that I can see what you have.

Please save this file to your desktop. Double-click on it to run a scan. When it’s finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

We need to check for rootkits with RootRepeal.

1. Download RootRepeal from one of the following locations and save it to your desktop.
   Zip Mirrors (Recommended):
     - Primary Mirror
     - Secondary Mirror
     - Secondary Mirror
   Rar Mirrors - Only if you know what a RAR is and can extract it:
     - Primary Mirror: http://ad13.geekstogo.com/RootRepeal.rar
     - Secondary Mirror: http://ad13.geekstogo.com/RootRepeal.rar
     - Secondary Mirror: http://rootrepeal.psikotick.com/RootRepeal.rar
2. Extract RootRepeal.exe from the archive.
3. Open RootRepeal on your desktop (icon: http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png).
4. Click the Report tab (http://billy-oneal.com/forums/rootRepeal/reportTab.png).
5. Click the Scan button (http://billy-oneal.com/forums/rootRepeal/btnScan.png).
6. Check all seven boxes: http://billy-oneal.com/forums/rootRepeal/checkBoxes2.png
7. Push Ok.
8. Check the box for your main system drive (usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the Save Report button (http://billy-oneal.com/forums/rootRepeal/saveReport.png). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Running from: C:\removesecuirtytool\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching ‘C:\WINDOWS’…

Finished!

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/10/29 08:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers

Name:
Image Path:
Address: 0xF83A2000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE26F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89BD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF8A09000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC4A5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\uac8c31.tmp
Status: Allocation size mismatch (API: 81920, Raw: 0)

Path: c:\documents and settings\guest\local settings\temporary internet files\content.ie5\wvqpuvb2\ma[1].jpg
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M6ZBEIYP\s1014414466_3932[1].jpg
Status: Could not get file information (Error 0xc0000008)

SSDT

#: 025 Function Name: NtClose
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b3618

#: 041 Function Name: NtCreateKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b34d4

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by “d347bus.sys” at address 0xf8419a20

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b39b2

#: 068 Function Name: NtDuplicateObject
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b30ac

#: 071 Function Name: NtEnumerateKey
Status: Hooked by “d347bus.sys” at address 0xf841a2a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by “d347bus.sys” at address 0xf8425910

#: 119 Function Name: NtOpenKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b35ae

#: 122 Function Name: NtOpenProcess
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b2fec

#: 128 Function Name: NtOpenThread
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b3050

#: 160 Function Name: NtQueryKey
Status: Hooked by “d347bus.sys” at address 0xf841a2c8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b36ce

#: 204 Function Name: NtRestoreKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b368e

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by “d347bus.sys” at address 0xf84250b0

#: 247 Function Name: NtSetValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xee2b380e

Stealth Objects

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82d9ee78 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82858c00 Size: 11

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x82a5a428 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x82988f00 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System Address: 0x82a61a88 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x82a370d0 Size: 11

Object: Hidden Code [Driver: InCDfs, IRP_MJ_READ]
Process: System Address: 0x82a98fb0 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x82bc6360 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x82a200d0 Size: 11

Object: Hidden Code [Driver: NpfsЅం扏楄, IRP_MJ_READ]
Process: System Address: 0x829c3228 Size: 11

Object: Hidden Code [Driver: Msfsȅఆ剒敬ఈ, IRP_MJ_READ]
Process: System Address: 0x82a6ab58 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x82aa5c10 Size: 11

Object: Hidden Code [Driver: CdfsЅ瑎てЁః瑎て, IRP_MJ_READ]
Process: System Address: 0x828913c8 Size: 11

Object: Hidden Code [Driver: InCDrec, IRP_MJ_READ]
Process: System Address: 0x82a6af10 Size: 11

==EOF==
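The RootRepeal report above is long and mostly repetitive, and the thread shows how easy it is to misread (the locked hiberfil.sys is Windows' own hibernation file, not something to delete). As an added example, not part of the thread and not RootRepeal's own code, here is a small Python triage script that parses the report's SSDT and Hidden/Locked Files sections, groups the hooks by hooking driver, and separates hooks from a known security driver from those that still need an explanation. The embedded log is a constructed, shortened excerpt in the format of the report above; the allowlist of security drivers and of always-locked files is an assumption of the example (aswSP.SYS is Avast's self-protection driver, and the poster runs Avast).

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the RootRepeal report posted above (shortened).
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009

Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\uac8c31.tmp
Status: Allocation size mismatch (API: 81920, Raw: 0)

SSDT

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b3618
#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xf8419a20
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xf841a2a8

==EOF==
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "SSDT", "Shadow SSDT", "Stealth Objects"}
FUNC_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\S+)")
# The log as posted uses curly quotes around the module path; accept straight or curly.
HOOK_RE = re.compile(r'Hooked by ["“]([^"”]+)["”] at address (0x[0-9a-fA-F]+)')

# Assumed allowlist: aswSP.SYS is Avast's self-protection driver, so its hooks are expected.
KNOWN_SECURITY_DRIVERS = {"aswsp.sys"}
# Files Windows itself keeps locked; a lock on these is not suspicious by itself.
EXPECTED_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}

def parse_rootrepeal(text):
    """Return the SSDT hooks and hidden/locked files listed in a RootRepeal report."""
    report = {"ssdt": [], "files": []}
    section, pending = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, pending = line, {}
        elif section == "SSDT":
            if m := FUNC_RE.match(line):
                pending = {"index": int(m.group(1)), "function": m.group(2)}
            elif (m := HOOK_RE.search(line)) and pending:
                module = m.group(1).rsplit("\\", 1)[-1]  # basename of the hooking driver
                report["ssdt"].append({**pending, "module": module, "address": m.group(2)})
                pending = {}
        elif section == "Hidden/Locked Files":
            if line.startswith("Path:"):
                pending = {"path": line[5:].strip()}
            elif line.startswith("Status:") and pending:
                report["files"].append({**pending, "status": line[7:].strip()})
                pending = {}
    return report

def triage(report):
    """Group hooks by driver and single out what a defender should look at first."""
    hooks = defaultdict(list)
    for h in report["ssdt"]:
        hooks[h["module"]].append(h["function"])
    files = report["files"]
    return {
        "hooks_by_module": dict(hooks),
        "unexplained_hooks": {m: f for m, f in hooks.items() if m.lower() not in KNOWN_SECURITY_DRIVERS},
        "size_mismatch": [f["path"] for f in files if "size mismatch" in f["status"]],
        "unexpected_locks": [f["path"] for f in files
                             if "Locked" in f["status"] and f["path"].lower() not in EXPECTED_LOCKED],
    }
```

The Stealth Objects section of the full report is not parsed here; on the excerpt, the only hooks left unexplained are the d347bus.sys ones, which is the same driver named in the poster's safe-mode boot problem and so the first thing to look into.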