
Solved Ebay log-in asking for credit card info.

Discussion in 'Malware and Virus Removal Archive' started by a1b2c3, 2010/03/26.

  1. 2010/03/26
    a1b2c3 (Thread Starter)

    [Resolved] Ebay log-in asking for credit card info.

    I was using AVG, which I have removed. I regularly use Malwarebytes Anti-virus and CCleaner, and Microsoft's Malicious Software tool when it updates. I bought PC Tools Spyware Doctor, and it found a backdoor trojan that it said it removed, and that there are no threats. But the eBay login page asking for credit card information keeps coming up.

    I've deleted cache, cookies and temp files.

    Thanks in advance for any help with this.

    Here are the requested logs.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Eric at 17:42:50.81 on Fri 03/26/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2166 [GMT -5:00]

    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    AV: Defender Pro Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxdxcoms.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PeerBlock\peerblock.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Eric.E-6BBAC174EFC44\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uDefault_Page_URL = hxxp://www.msn.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe "
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe "
    StartupFolder: c:\docume~1\eric~1.e-6\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    Trusted Zone: download.com
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220267475953
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220268559562
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: vrkdzn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-23 217032]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-3-23 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-3-23 59664]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-3-23 233136]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-23 112592]
    R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-23 366840]
    R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-23 1142224]
    R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-1-15 14424]
    R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-3-23 70408]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-3-23 33552]
    R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
    S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-10-21 98984]

    =============== Created Last 30 ================

    2010-03-25 22:24:08 0 d--h--w- c:\windows\PIF
    2010-03-24 23:24:37 0 dc-h--w- c:\windows\ie8
    2010-03-23 23:09:49 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
    2010-03-23 23:09:49 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
    2010-03-23 23:09:49 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
    2010-03-23 22:41:43 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-03-23 22:41:42 882 ----a-w- c:\windows\RegSDImport.xml
    2010-03-23 22:41:42 879 ----a-w- c:\windows\RegISSImport.xml
    2010-03-23 22:41:42 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-03-23 22:41:42 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-03-23 22:41:42 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-03-23 22:41:42 131 ----a-w- c:\windows\IDB.zip
    2010-03-23 22:41:42 1152444 ----a-w- c:\windows\UDB.zip
    2010-03-23 22:39:57 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
    2010-03-23 22:39:57 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-03-23 22:39:42 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-03-23 22:39:42 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
    2010-03-23 22:39:42 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
    2010-03-23 22:39:42 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-03-23 22:39:32 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
    2010-03-23 22:39:32 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-03-23 22:39:25 0 d-----w- c:\program files\common files\PC Tools
    2010-03-23 22:39:24 0 d-----w- c:\program files\Spyware Doctor
    2010-03-23 22:39:24 0 d-----w- c:\docume~1\eric~1.e-6\applic~1\PC Tools
    2010-03-23 22:39:24 0 d-----w- c:\docume~1\alluse~1.win\applic~1\PC Tools
    2010-03-23 22:05:03 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-03-21 01:08:41 0 d-----w- c:\program files\Defender Pro
    2010-03-10 18:04:22 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 18:07:11 0 d-----w- c:\windows\system32\wbem\Repository

    ==================== Find3M ====================

    2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-07 00:38:14 87608 ----a-w- c:\docume~1\eric~1.e-6\applic~1\inst.exe
    2010-01-07 00:38:14 47360 ----a-w- c:\docume~1\eric~1.e-6\applic~1\pcouffin.sys
    2008-09-01 13:34:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080901\index.dat
    2008-09-01 13:34:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

    ============= FINISH: 17:46:28.10 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/30/2008 11:13:35 PM
    System Uptime: 3/26/2010 4:42:10 PM (1 hours ago)

    Motherboard: Dell Inc. | | 0WG864
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 228 GiB total, 197.236 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP577: 12/27/2009 1:05:31 AM - System Checkpoint
    RP578: 12/28/2009 2:51:54 AM - System Checkpoint
    RP579: 12/29/2009 4:06:15 AM - System Checkpoint
    RP580: 12/30/2009 4:22:33 AM - System Checkpoint
    RP581: 12/31/2009 4:52:29 AM - System Checkpoint
    RP582: 12/31/2009 8:11:40 AM - Avg8 Update
    RP583: 1/1/2010 8:52:28 AM - System Checkpoint
    RP584: 1/2/2010 9:52:30 AM - System Checkpoint
    RP585: 1/3/2010 1:05:30 PM - System Checkpoint
    RP586: 1/4/2010 1:19:31 PM - System Checkpoint
    RP587: 1/5/2010 1:52:32 PM - System Checkpoint
    RP588: 1/6/2010 2:52:32 PM - System Checkpoint
    RP589: 1/7/2010 3:05:19 PM - System Checkpoint
    RP590: 1/8/2010 4:05:25 PM - System Checkpoint
    RP591: 1/9/2010 12:10:53 AM - Removed Roxio Update Manager
    RP592: 1/9/2010 12:20:43 AM - Software Distribution Service 3.0
    RP593: 1/10/2010 1:05:18 AM - System Checkpoint
    RP594: 1/11/2010 1:47:17 AM - System Checkpoint
    RP595: 1/12/2010 2:47:16 AM - System Checkpoint
    RP596: 1/13/2010 3:47:17 AM - System Checkpoint
    RP597: 1/13/2010 6:41:16 AM - Software Distribution Service 3.0
    RP598: 1/14/2010 6:43:34 AM - System Checkpoint
    RP599: 1/15/2010 7:43:34 AM - System Checkpoint
    RP600: 1/16/2010 8:12:52 AM - System Checkpoint
    RP601: 1/17/2010 9:10:15 AM - System Checkpoint
    RP602: 1/18/2010 9:12:31 AM - Avg8 Update
    RP603: 1/19/2010 9:24:47 AM - System Checkpoint
    RP604: 1/20/2010 10:10:17 AM - System Checkpoint
    RP605: 1/20/2010 5:12:47 PM - Software Distribution Service 3.0
    RP606: 1/21/2010 5:23:27 PM - System Checkpoint
    RP607: 1/22/2010 7:12:49 AM - Software Distribution Service 3.0
    RP608: 1/23/2010 8:09:56 AM - System Checkpoint
    RP609: 1/24/2010 10:03:54 AM - System Checkpoint
    RP610: 1/25/2010 1:18:37 PM - System Checkpoint
    RP611: 1/26/2010 1:39:12 PM - System Checkpoint
    RP612: 1/27/2010 8:18:29 AM - Avg8 Update
    RP613: 1/28/2010 8:41:42 AM - System Checkpoint
    RP614: 1/29/2010 8:50:08 AM - System Checkpoint
    RP615: 1/30/2010 9:02:08 AM - System Checkpoint
    RP616: 1/31/2010 9:04:05 AM - System Checkpoint
    RP617: 2/1/2010 9:31:26 AM - System Checkpoint
    RP618: 2/2/2010 7:52:42 PM - System Checkpoint
    RP619: 2/3/2010 8:02:39 PM - System Checkpoint
    RP620: 2/4/2010 8:11:46 PM - System Checkpoint
    RP621: 2/5/2010 11:13:10 PM - System Checkpoint
    RP622: 2/7/2010 12:03:14 AM - System Checkpoint
    RP623: 2/8/2010 12:52:18 AM - System Checkpoint
    RP624: 2/9/2010 1:52:18 AM - System Checkpoint
    RP625: 2/10/2010 3:01:20 AM - System Checkpoint
    RP626: 2/10/2010 7:14:32 AM - Software Distribution Service 3.0
    RP627: 2/11/2010 7:35:26 AM - System Checkpoint
    RP628: 2/12/2010 7:55:37 AM - System Checkpoint
    RP629: 2/13/2010 7:58:02 AM - System Checkpoint
    RP630: 2/14/2010 10:50:34 AM - System Checkpoint
    RP631: 2/15/2010 11:58:16 AM - System Checkpoint
    RP632: 2/17/2010 6:30:30 AM - System Checkpoint
    RP633: 2/18/2010 7:42:54 AM - System Checkpoint
    RP634: 2/19/2010 7:45:13 AM - System Checkpoint
    RP635: 2/19/2010 10:45:09 PM - Software Distribution Service 3.0
    RP636: 2/21/2010 1:45:41 PM - Removed Roxio Update Manager
    RP637: 2/22/2010 1:53:11 PM - Software Distribution Service 3.0
    RP638: 2/23/2010 4:06:29 PM - Software Distribution Service 3.0
    RP639: 2/24/2010 5:36:56 PM - System Checkpoint
    RP640: 2/25/2010 7:33:25 PM - System Checkpoint
    RP641: 2/27/2010 10:16:02 AM - System Checkpoint
    RP642: 3/2/2010 8:00:12 AM - System Checkpoint
    RP643: 3/3/2010 8:37:22 AM - System Checkpoint
    RP644: 3/3/2010 9:13:19 PM - Installed MSN Toolbar
    RP645: 3/3/2010 9:16:09 PM - Installed Windows Internet Explorer 8.
    RP646: 3/3/2010 9:17:05 PM - Software Distribution Service 3.0
    RP647: 3/4/2010 5:07:41 PM - Software Distribution Service 3.0
    RP648: 3/6/2010 12:03:46 PM - Restore Operation
    RP649: 3/6/2010 5:20:23 PM - Installed Chipset Software Installer
    RP650: 3/6/2010 6:30:17 PM - Software Distribution Service 3.0
    RP651: 3/8/2010 11:28:54 AM - System Checkpoint
    RP652: 3/9/2010 12:50:43 PM - System Checkpoint
    RP653: 3/10/2010 1:39:19 PM - System Checkpoint
    RP654: 3/10/2010 4:38:24 PM - Software Distribution Service 3.0
    RP655: 3/10/2010 4:45:47 PM - Software Distribution Service 3.0
    RP656: 3/13/2010 3:10:27 PM - System Checkpoint
    RP657: 3/14/2010 7:13:42 PM - System Checkpoint
    RP658: 3/15/2010 8:43:21 PM - Software Distribution Service 3.0
    RP659: 3/16/2010 10:40:54 PM - System Checkpoint
    RP660: 3/17/2010 5:07:59 PM - Avg8 Update
    RP661: 3/17/2010 5:09:59 PM - Avg Update
    RP662: 3/18/2010 8:21:41 PM - System Checkpoint
    RP663: 3/21/2010 7:12:27 AM - System Checkpoint
    RP664: 3/22/2010 2:40:13 PM - System Checkpoint
    RP665: 3/22/2010 8:54:29 PM - Software Distribution Service 3.0
    RP666: 3/24/2010 7:01:52 AM - Spyware Doctor: Cleaning Threats
    RP667: 3/24/2010 7:02:55 AM - Software Distribution Service 3.0
    RP668: 3/24/2010 6:26:40 PM - Installed Windows Internet Explorer 8.
    RP669: 3/24/2010 6:28:39 PM - Software Distribution Service 3.0
    RP670: 3/24/2010 6:55:50 PM - Software Distribution Service 3.0
    RP671: 3/25/2010 6:50:47 AM - Spyware Doctor: Cleaning Threats
    RP672: 3/25/2010 5:31:05 PM - Removed MSN Toolbar
    RP673: 3/25/2010 5:33:27 PM - Removed Windows Defender
    RP674: 3/25/2010 9:33:55 PM - Removed AVG Free 9.0
    RP675: 3/25/2010 9:36:57 PM - Installed AVG Free 9.0

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    ABBYY FineReader 6.0 Sprint
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Reader 9.3.1
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    AVS Update Manager 1.0
    AVS4YOU Software Navigator 1.3
    Browser Defender 2.0.6.15
    CCleaner
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    ConvertXtoDVD 4.0.10.324
    Corel Paint Shop Pro Photo XI
    Critical Update for Windows Media Player 11 (KB959772)
    Defender Pro File Burner
    Dell Resource CD
    DNA
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections
    Intel(R) PRO Network Connections Drivers
    Intel® Viiv™ Software
    Java(TM) 6 Update 16
    Lexmark 3600-4600 Series
    Lexmark Fax Solutions
    LimeWire 5.5.6
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Motorola Wireless Network Adapter
    Move Networks Media Player for Internet Explorer
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Otto
    PeerBlock 1.0.0 (r181)
    QuickTime
    RealPlayer
    Roxio Update Manager
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    SigmaTel Audio
    Sonic Activation Module
    Sonic Encoders
    Spelling Dictionaries Support For Adobe Reader 9
    Spyware Doctor 7.0
    Unlocker 1.8.8
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Vodei Multimedia Processor 2.10
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR archiver
    XP Codec Pack

    ==== Event Viewer Messages From Past Week ========

    3/25/2010 4:45:53 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxdxCATSCustConnectService service to connect.
    3/25/2010 4:45:53 PM, error: Service Control Manager [7000] - The lxdxCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/24/2010 7:18:47 PM, error: Service Control Manager [7000] - The ASCTRM service failed to start due to the following error: The system cannot find the file specified.
    3/21/2010 10:37:11 PM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
    3/20/2010 8:31:15 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/20/2010 8:09:47 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg9wd service.

    ==== End Of File ===========================
     
    Last edited: 2010/03/26
  2. 2010/03/26
    Admin. (Administrator, Staff)

    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     

  4. 2010/03/26
    Admin. (Administrator, Staff)

    I see you have P2P software (Azureus, LimeWire, BitTorrent, uTorrent etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus Removal.

    A Malware expert will have a look at your log in due course.
     
  5. 2010/03/26
    a1b2c3 (Thread Starter)

    I've read the listed/suggested readings. Thanks.
     
  6. 2010/03/26
    broni (Moderator, Malware Analyst)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  7. 2010/03/27
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    ComboFix 10-03-26.02 - Eric 03/27/2010 1:16.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2408 [GMT -5:00]
    Running from: c:\documents and settings\Eric.E-6BBAC174EFC44\Desktop\ComboFix.exe
    AV: Defender Pro Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\inst.exe
    c:\recycler\S-1-5-21-1078081533-1965331169-725345543-1003
    c:\recycler\S-1-5-21-3226952747-2783548079-81835591-1006
    c:\windows\system32\drivers\1028_DELL_XPS_Dell DM061 .MRK
    c:\windows\system32\drivers\DELL_XPS_Dell DM061 .MRK

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
    .

    2010-03-27 05:51 . 2010-03-27 05:51 -------- d-----w- c:\program files\Trend Micro
    2010-03-25 22:24 . 2010-03-25 22:24 -------- d--h--w- c:\windows\PIF
    2010-03-24 23:24 . 2010-03-24 23:28 -------- dc-h--w- c:\windows\ie8
    2010-03-23 23:09 . 2010-02-02 15:13 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
    2010-03-23 23:09 . 2010-02-02 15:13 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
    2010-03-23 23:09 . 2010-02-02 15:13 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
    2010-03-23 22:47 . 2010-03-23 22:47 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\Threat Expert
    2010-03-23 22:41 . 2010-01-22 14:55 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-03-23 22:41 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-03-23 22:41 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-03-23 22:41 . 2010-01-22 14:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-03-23 22:41 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-03-23 22:41 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
    2010-03-23 22:39 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-03-23 22:39 . 2010-03-10 16:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-03-23 22:39 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-03-23 22:39 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-03-23 22:39 . 2010-03-23 22:41 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-23 22:39 . 2010-03-27 06:16 -------- d-----w- c:\program files\Spyware Doctor
    2010-03-23 22:39 . 2010-03-23 23:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
    2010-03-23 22:39 . 2010-03-23 22:39 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\PC Tools
    2010-03-23 22:38 . 2010-03-27 06:37 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2010-03-23 22:05 . 2010-03-23 22:05 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-03-21 01:08 . 2010-03-21 01:08 -------- d-----w- c:\program files\Defender Pro
    2010-03-10 18:04 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 23:38 . 2010-03-06 23:38 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\InstallShield
    2010-03-06 18:07 . 2010-03-06 18:07 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-05 14:24 . 2010-03-05 14:24 -------- d-sh--w- c:\documents and settings\Administrator.E-6BBAC174EFC44\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-27 06:59 . 2009-04-01 12:05 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\DNA
    2010-03-27 06:49 . 2010-01-15 19:23 -------- d-----w- c:\program files\PeerBlock
    2010-03-27 05:59 . 2009-04-01 12:05 -------- d-----w- c:\program files\DNA
    2010-03-27 04:02 . 2008-02-18 16:52 -------- d-----w- c:\program files\LimeWire
    2010-03-27 03:59 . 2008-08-21 03:36 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\LimeWire
    2010-03-27 03:59 . 2009-03-28 20:52 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Vso
    2010-03-25 22:39 . 2008-08-19 19:09 52256 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\Common Files\AVSMedia
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\AVS4YOU
    2010-03-24 00:48 . 2008-04-27 21:16 -------- d-----w- c:\documents and settings\Eric\Application Data\Move Networks
    2010-03-23 00:36 . 2008-09-01 13:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-27 06:25 . 2008-09-01 13:41 -------- d-----w- c:\program files\CCleaner
    2010-02-26 03:38 . 2008-09-21 03:08 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Corel
    2010-02-26 03:37 . 2008-09-21 03:08 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-02-24 15:16 . 2009-10-03 06:37 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 21:54 . 2010-02-20 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ThumbnailCache4R
    2010-02-18 10:35 . 2010-02-18 10:35 -------- d-----w- c:\documents and settings\Administrator.E-6BBAC174EFC44\Application Data\FaxCtr
    2010-01-07 21:07 . 2008-09-01 13:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2008-09-01 13:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2009-12-31 16:50 . 2004-08-10 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-11 323392]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-22 98304]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-22 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-31 149280]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-19 185872]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-12-11 21:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 10:42 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 19:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2008-06-13 16:00 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-07-22 01:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-07-22 01:48 98304 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-10-03 18:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-10-03 18:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxamon]
    2008-06-13 16:04 16040 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxmon.exe]
    2008-06-13 16:04 668328 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-07-22 01:47 81920 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-12-19 03:47 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
    2009-10-26 07:33 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\CCleaner\\CCleaner.exe"=
    "c:\\WINDOWS\\system32\\lxdxcoms.exe"=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
    "c:\\WINDOWS\\system32\\lxdxcfg.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "4227:TCP"= 4227:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "1771:TCP"= 1771:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "2233:TCP"= 2233:TCP:Services
    "2966:TCP"= 2966:TCP:Services

    R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2008-02-28 98984]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-10 217032]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
    S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-02-05 233136]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
    S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 594600]
    S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 14424]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-02-05 70408]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
    S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PBFILTER
    *Deregistered* - PCTSDInjDriver32

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    Trusted Zone: download.com
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
    MSConfigStartUp-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
    MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-27 02:00
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A37D600]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
    \Driver\ACPI -> ACPI.sys @ 0xb9f5fcb8
    \Driver\atapi -> atapi.sys @ 0xb9e1c852
    \Driver\iaStor -> iaStor.sys @ 0xb9e40ae6
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    NDIS: Motorola Wireless PCI Adapter WPCI810G -> SendCompleteHandler -> 0x897e9330
    PacketIndicateHandler -> NDIS.sys @ 0xb9cb2a0d
    SendHandler -> NDIS.sys @ 0xb9cc6b40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(880)
    c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
    c:\program files\Spyware Doctor\TFEngine\TFNI.dll
    c:\program files\Spyware Doctor\TFEngine\TFMon.dll
    c:\program files\Spyware Doctor\TFEngine\TFRK.dll

    - - - - - - - > 'lsass.exe'(936)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
    .
    Completion time: 2010-03-27 02:21:27
    ComboFix-quarantined-files.txt 2010-03-27 07:21

    Pre-Run: 215,453,544,448 bytes free
    Post-Run: 216,315,236,352 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect windows xp professional

    - - End Of File - - 8AC94A0E8610E88CC5901CC35C26EEE1



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:25:17 AM, on 3/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PeerBlock\peerblock.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxdxcoms.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Doctor\pctsGui.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
    O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220267475953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220268559562
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
    O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 7115 bytes
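    The HijackThis log above is read by hand in this thread: the helper looks for BHOs and services whose file is gone, services with no publisher, bare filenames in Run keys, and Trusted Zone additions. As an added example (not code from the thread, from HijackThis, or from Trend Micro), the Python script below parses lines in that log format and flags the entries a reviewer would look at first. The sample lines are constructed to mirror the format, with placeholder names, paths and CLSIDs; a flag means "review this", not "malicious".

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Handles O2 (BHO), O4 (Run key), O15 (Trusted Zone) and O23 (Service) lines and
returns the entries that carry at least one review reason. Sample input below
is constructed to mirror the log format; names and CLSIDs are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log (placeholder names/paths, not the thread's real entries).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SysTray] systray_example.exe
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\updater.exe" -osboot
O15 - Trusted Zone: *.example-download.test
O23 - Service: Example Daemon (ExDaemon) - Unknown owner - C:\Program Files\Example\ExService.exe (file missing)
O23 - Service: printer_device - - C:\WINDOWS\system32\printcoms.exe
O23 - Service: Example Security (ExSec) - Example Corp - C:\Program Files\Example\exsec.exe
"""


@dataclass
class Finding:
    """One parsed entry plus the reasons a reviewer should examine it."""
    kind: str                                   # section prefix, e.g. "O23"
    name: str
    target: str                                 # file path, command or zone
    reasons: List[str] = field(default_factory=list)


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.*)$")
# Owner is optional: HijackThis prints "name - - path" when no publisher is known.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?:(?P<owner>.*?) )?- (?P<path>.*)$")

MISSING_MARKERS = ("(no file)", "(file missing)")


def _missing(path: str) -> bool:
    """True when HijackThis reports that the referenced file does not exist."""
    return any(path.rstrip().endswith(m) for m in MISSING_MARKERS)


def _executable(cmd: str) -> str:
    """Return the executable part of a Run-key command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd.split('"')[1]
    return cmd.split()[0] if cmd else ""


def _bare(exe: str) -> bool:
    """A filename with no directory is resolved through the search path at logon."""
    return exe != "" and not any(ch in exe for ch in "\\/:")


def triage_line(line: str) -> Optional[Finding]:
    """Parse one log line; return a Finding (possibly with no reasons) or None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        f = Finding("O2", m["name"], m["path"])
        if m["name"] == "(no name)":
            f.reasons.append("BHO registered without a name")
        if _missing(m["path"]):
            f.reasons.append("referenced file is missing")
        return f
    m = O4_RE.match(line)
    if m:
        f = Finding("O4", m["name"], m["cmd"])
        if _bare(_executable(m["cmd"])):
            f.reasons.append("bare filename; resolved through the search path")
        return f
    m = O15_RE.match(line)
    if m:
        return Finding("O15", m["zone"], m["zone"], ["site added to IE Trusted Zone"])
    m = O23_RE.match(line)
    if m:
        f = Finding("O23", m["name"], m["path"])
        if (m["owner"] or "").strip() in ("", "Unknown owner"):
            f.reasons.append("no publisher listed for service binary")
        if _missing(m["path"]):
            f.reasons.append("referenced file is missing")
        return f
    return None  # other sections (R0/R1, O9, O16, ...) are not handled here


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that carry at least one review reason."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f is not None and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name!r}: {'; '.join(f.reasons)}  [{f.target}]")
```

    Feed it the full log text and it prints the flagged O2/O4/O15/O23 lines; everything it reports still needs a human to compare the path and publisher against the machine's installed software before anything is removed.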
     
  8. 2010/03/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
     
  9. 2010/03/27
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    10:53:54:356 1132 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    10:53:54:356 1132 ================================================================================
    10:53:54:356 1132 SystemInfo:

    10:53:54:356 1132 OS Version: 5.1.2600 ServicePack: 3.0
    10:53:54:356 1132 Product type: Workstation
    10:53:54:356 1132 ComputerName: E-6BBAC174EFC44
    10:53:54:356 1132 UserName: Eric
    10:53:54:356 1132 Windows directory: C:\WINDOWS
    10:53:54:356 1132 Processor architecture: Intel x86
    10:53:54:356 1132 Number of processors: 1
    10:53:54:356 1132 Page size: 0x1000
    10:53:54:403 1132 Boot type: Normal boot
    10:53:54:403 1132 ================================================================================
    10:53:54:419 1132 UnloadDriverW: NtUnloadDriver error 2
    10:53:54:419 1132 ForceUnloadDriverW: UnloadDriverW(klmd21) error 0
    10:53:54:825 1132 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    10:53:54:825 1132 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    10:53:54:825 1132 wfopen_ex: Trying to KLMD file open
    10:53:54:825 1132 wfopen_ex: File opened ok (Flags 2)
    10:53:54:825 1132 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    10:53:54:825 1132 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    10:53:54:825 1132 wfopen_ex: Trying to KLMD file open
    10:53:54:825 1132 wfopen_ex: File opened ok (Flags 2)
    10:53:54:825 1132 Initialize success
    10:53:54:825 1132
    10:53:54:825 1132 Scanning Services ...
    10:53:55:278 1132 Raw services enum returned 355 services
    10:53:55:310 1132
    10:53:55:310 1132 Scanning Kernel memory ...
    10:53:55:310 1132 Devices to scan: 4
    10:53:55:310 1132
    10:53:55:310 1132 Driver Name: Disk
    10:53:55:310 1132 IRP_MJ_CREATE : BA0EEBB0
    10:53:55:310 1132 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    10:53:55:310 1132 IRP_MJ_CLOSE : BA0EEBB0
    10:53:55:310 1132 IRP_MJ_READ : BA0E8D1F
    10:53:55:310 1132 IRP_MJ_WRITE : BA0E8D1F
    10:53:55:310 1132 IRP_MJ_QUERY_INFORMATION : 804F355A
    10:53:55:310 1132 IRP_MJ_SET_INFORMATION : 804F355A
    10:53:55:310 1132 IRP_MJ_QUERY_EA : 804F355A
    10:53:55:310 1132 IRP_MJ_SET_EA : 804F355A
    10:53:55:310 1132 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
    10:53:55:310 1132 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    10:53:55:310 1132 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    10:53:55:310 1132 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    10:53:55:310 1132 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    10:53:55:310 1132 IRP_MJ_DEVICE_CONTROL : BA0E93BB
    10:53:55:310 1132 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
    10:53:55:310 1132 IRP_MJ_SHUTDOWN : BA0E92E2
    10:53:55:310 1132 IRP_MJ_LOCK_CONTROL : 804F355A
    10:53:55:310 1132 IRP_MJ_CLEANUP : 804F355A
    10:53:55:310 1132 IRP_MJ_CREATE_MAILSLOT : 804F355A
    10:53:55:310 1132 IRP_MJ_QUERY_SECURITY : 804F355A
    10:53:55:310 1132 IRP_MJ_SET_SECURITY : 804F355A
    10:53:55:310 1132 IRP_MJ_POWER : BA0EAC82
    10:53:55:310 1132 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
    10:53:55:310 1132 IRP_MJ_DEVICE_CHANGE : 804F355A
    10:53:55:310 1132 IRP_MJ_QUERY_QUOTA : 804F355A
    10:53:55:325 1132 IRP_MJ_SET_QUOTA : 804F355A
    10:53:55:341 1132 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    10:53:55:341 1132
    10:53:55:341 1132 Driver Name: Disk
    10:53:55:341 1132 IRP_MJ_CREATE : BA0EEBB0
    10:53:55:341 1132 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    10:53:55:341 1132 IRP_MJ_CLOSE : BA0EEBB0
    10:53:55:341 1132 IRP_MJ_READ : BA0E8D1F
    10:53:55:341 1132 IRP_MJ_WRITE : BA0E8D1F
    10:53:55:341 1132 IRP_MJ_QUERY_INFORMATION : 804F355A
    10:53:55:341 1132 IRP_MJ_SET_INFORMATION : 804F355A
    10:53:55:341 1132 IRP_MJ_QUERY_EA : 804F355A
    10:53:55:341 1132 IRP_MJ_SET_EA : 804F355A
    10:53:55:341 1132 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
    10:53:55:341 1132 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    10:53:55:341 1132 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    10:53:55:341 1132 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    10:53:55:341 1132 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    10:53:55:341 1132 IRP_MJ_DEVICE_CONTROL : BA0E93BB
    10:53:55:341 1132 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
    10:53:55:341 1132 IRP_MJ_SHUTDOWN : BA0E92E2
    10:53:55:341 1132 IRP_MJ_LOCK_CONTROL : 804F355A
    10:53:55:341 1132 IRP_MJ_CLEANUP : 804F355A
    10:53:55:341 1132 IRP_MJ_CREATE_MAILSLOT : 804F355A
    10:53:55:341 1132 IRP_MJ_QUERY_SECURITY : 804F355A
    10:53:55:341 1132 IRP_MJ_SET_SECURITY : 804F355A
    10:53:55:341 1132 IRP_MJ_POWER : BA0EAC82
    10:53:55:341 1132 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
    10:53:55:341 1132 IRP_MJ_DEVICE_CHANGE : 804F355A
    10:53:55:341 1132 IRP_MJ_QUERY_QUOTA : 804F355A
    10:53:55:341 1132 IRP_MJ_SET_QUOTA : 804F355A
    10:53:55:356 1132 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    10:53:55:356 1132
    10:53:55:356 1132 Driver Name: Disk
    10:53:55:356 1132 IRP_MJ_CREATE : BA0EEBB0
    10:53:55:356 1132 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    10:53:55:356 1132 IRP_MJ_CLOSE : BA0EEBB0
    10:53:55:356 1132 IRP_MJ_READ : BA0E8D1F
    10:53:55:356 1132 IRP_MJ_WRITE : BA0E8D1F
    10:53:55:356 1132 IRP_MJ_QUERY_INFORMATION : 804F355A
    10:53:55:356 1132 IRP_MJ_SET_INFORMATION : 804F355A
    10:53:55:356 1132 IRP_MJ_QUERY_EA : 804F355A
    10:53:55:356 1132 IRP_MJ_SET_EA : 804F355A
    10:53:55:356 1132 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
    10:53:55:356 1132 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    10:53:55:356 1132 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    10:53:55:356 1132 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    10:53:55:356 1132 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    10:53:55:356 1132 IRP_MJ_DEVICE_CONTROL : BA0E93BB
    10:53:55:356 1132 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
    10:53:55:356 1132 IRP_MJ_SHUTDOWN : BA0E92E2
    10:53:55:356 1132 IRP_MJ_LOCK_CONTROL : 804F355A
    10:53:55:356 1132 IRP_MJ_CLEANUP : 804F355A
    10:53:55:356 1132 IRP_MJ_CREATE_MAILSLOT : 804F355A
    10:53:55:372 1132 IRP_MJ_QUERY_SECURITY : 804F355A
    10:53:55:372 1132 IRP_MJ_SET_SECURITY : 804F355A
    10:53:55:372 1132 IRP_MJ_POWER : BA0EAC82
    10:53:55:372 1132 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
    10:53:55:372 1132 IRP_MJ_DEVICE_CHANGE : 804F355A
    10:53:55:372 1132 IRP_MJ_QUERY_QUOTA : 804F355A
    10:53:55:372 1132 IRP_MJ_SET_QUOTA : 804F355A
    10:53:55:403 1132 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    10:53:55:403 1132
    10:53:55:403 1132 Driver Name: atapi
    10:53:55:403 1132 IRP_MJ_CREATE : B9E206F2
    10:53:55:403 1132 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
    10:53:55:403 1132 IRP_MJ_CLOSE : B9E206F2
    10:53:55:403 1132 IRP_MJ_READ : 804F355A
    10:53:55:403 1132 IRP_MJ_WRITE : 804F355A
    10:53:55:403 1132 IRP_MJ_QUERY_INFORMATION : 804F355A
    10:53:55:403 1132 IRP_MJ_SET_INFORMATION : 804F355A
    10:53:55:403 1132 IRP_MJ_QUERY_EA : 804F355A
    10:53:55:403 1132 IRP_MJ_SET_EA : 804F355A
    10:53:55:403 1132 IRP_MJ_FLUSH_BUFFERS : 804F355A
    10:53:55:403 1132 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
    10:53:55:403 1132 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
    10:53:55:403 1132 IRP_MJ_DIRECTORY_CONTROL : 804F355A
    10:53:55:403 1132 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
    10:53:55:403 1132 IRP_MJ_DEVICE_CONTROL : B9E20712
    10:53:55:403 1132 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9E1C852
    10:53:55:403 1132 IRP_MJ_SHUTDOWN : 804F355A
    10:53:55:403 1132 IRP_MJ_LOCK_CONTROL : 804F355A
    10:53:55:403 1132 IRP_MJ_CLEANUP : 804F355A
    10:53:55:403 1132 IRP_MJ_CREATE_MAILSLOT : 804F355A
    10:53:55:403 1132 IRP_MJ_QUERY_SECURITY : 804F355A
    10:53:55:403 1132 IRP_MJ_SET_SECURITY : 804F355A
    10:53:55:403 1132 IRP_MJ_POWER : B9E2073C
    10:53:55:403 1132 IRP_MJ_SYSTEM_CONTROL : B9E27336
    10:53:55:403 1132 IRP_MJ_DEVICE_CHANGE : 804F355A
    10:53:55:403 1132 IRP_MJ_QUERY_QUOTA : 804F355A
    10:53:55:403 1132 IRP_MJ_SET_QUOTA : 804F355A
    10:53:55:435 1132 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    10:53:55:435 1132
    10:53:55:435 1132 Completed
    10:53:55:435 1132
    10:53:55:435 1132 Results:
    10:53:55:435 1132 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    10:53:55:435 1132 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    10:53:55:435 1132 File objects infected / cured / cured on reboot: 0 / 0 / 0
    10:53:55:435 1132
    10:53:55:435 1132 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    10:53:55:435 1132 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    10:53:55:435 1132 KLMD(ARK) unloaded successfully
     
  10. 2010/03/27
    broni (Moderator, Malware Analyst)

    Please re-run ComboFix and post a fresh log.
     
  11. 2010/03/27
    a1b2c3 (Thread Starter)

    ComboFix 10-03-26.02 - Eric 03/27/2010 11:44:14.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2407 [GMT -5:00]
    Running from: c:\documents and settings\Eric.E-6BBAC174EFC44\Desktop\ComboFix.exe
    AV: Defender Pro Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    FW: Defender Pro Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
    .

    2010-03-27 05:51 . 2010-03-27 05:51 -------- d-----w- c:\program files\Trend Micro
    2010-03-25 22:24 . 2010-03-25 22:24 -------- d--h--w- c:\windows\PIF
    2010-03-24 23:24 . 2010-03-24 23:28 -------- dc-h--w- c:\windows\ie8
    2010-03-23 23:09 . 2010-02-02 15:13 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
    2010-03-23 23:09 . 2010-02-02 15:13 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
    2010-03-23 23:09 . 2010-02-02 15:13 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
    2010-03-23 22:47 . 2010-03-23 22:47 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\Threat Expert
    2010-03-23 22:41 . 2010-01-22 14:55 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-03-23 22:41 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-03-23 22:41 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-03-23 22:41 . 2010-01-22 14:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-03-23 22:41 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-03-23 22:41 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
    2010-03-23 22:39 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-03-23 22:39 . 2010-03-10 16:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-03-23 22:39 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-03-23 22:39 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-03-23 22:39 . 2010-03-23 22:41 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-23 22:39 . 2010-03-27 15:17 -------- d-----w- c:\program files\Spyware Doctor
    2010-03-23 22:39 . 2010-03-23 23:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
    2010-03-23 22:39 . 2010-03-23 22:39 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\PC Tools
    2010-03-23 22:38 . 2010-03-27 16:44 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2010-03-23 22:05 . 2010-03-23 22:05 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-03-21 01:08 . 2010-03-21 01:08 -------- d-----w- c:\program files\Defender Pro
    2010-03-10 18:04 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 23:38 . 2010-03-06 23:38 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\InstallShield
    2010-03-06 18:07 . 2010-03-06 18:07 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-05 14:24 . 2010-03-05 14:24 -------- d-sh--w- c:\documents and settings\Administrator.E-6BBAC174EFC44\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-27 17:18 . 2010-01-15 19:23 -------- d-----w- c:\program files\PeerBlock
    2010-03-27 17:11 . 2009-04-01 12:05 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\DNA
    2010-03-27 14:11 . 2009-04-01 12:05 -------- d-----w- c:\program files\DNA
    2010-03-27 04:02 . 2008-02-18 16:52 -------- d-----w- c:\program files\LimeWire
    2010-03-27 03:59 . 2008-08-21 03:36 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\LimeWire
    2010-03-27 03:59 . 2009-03-28 20:52 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Vso
    2010-03-25 22:39 . 2008-08-19 19:09 52256 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\Common Files\AVSMedia
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\AVS4YOU
    2010-03-24 00:48 . 2008-04-27 21:16 -------- d-----w- c:\documents and settings\Eric\Application Data\Move Networks
    2010-03-23 00:36 . 2008-09-01 13:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-27 06:25 . 2008-09-01 13:41 -------- d-----w- c:\program files\CCleaner
    2010-02-26 03:38 . 2008-09-21 03:08 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Corel
    2010-02-26 03:37 . 2008-09-21 03:08 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-02-24 15:16 . 2009-10-03 06:37 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 21:54 . 2010-02-20 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ThumbnailCache4R
    2010-02-18 10:35 . 2010-02-18 10:35 -------- d-----w- c:\documents and settings\Administrator.E-6BBAC174EFC44\Application Data\FaxCtr
    2010-01-07 21:07 . 2008-09-01 13:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2008-09-01 13:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2009-12-31 16:50 . 2004-08-10 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-27_07.00.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-27 14:11 . 2010-03-27 14:11 16384 c:\windows\Temp\Perflib_Perfdata_1e8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-11 323392]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-22 98304]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-22 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-31 149280]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-19 185872]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-12-11 21:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 10:42 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 19:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2008-06-13 16:00 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-07-22 01:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-07-22 01:48 98304 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-10-03 18:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-10-03 18:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxamon]
    2008-06-13 16:04 16040 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxmon.exe]
    2008-06-13 16:04 668328 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-07-22 01:47 81920 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-12-19 03:47 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
    2009-10-26 07:33 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\CCleaner\\CCleaner.exe"=
    "c:\\WINDOWS\\system32\\lxdxcoms.exe"=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
    "c:\\WINDOWS\\system32\\lxdxcfg.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "4227:TCP"= 4227:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "1771:TCP"= 1771:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "2233:TCP"= 2233:TCP:Services
    "2966:TCP"= 2966:TCP:Services
    "1662:TCP"= 1662:TCP:Services
    "1824:TCP"= 1824:TCP:Services

    R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2008-02-28 98984]
    R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-02-05 70408]
    R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-10 217032]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
    S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-02-05 233136]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
    S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 594600]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 14424]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
    S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMD21
    *NewlyCreated* - PBFILTER
    *Deregistered* - klmd21
    *Deregistered* - PCTSDInjDriver32

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    Trusted Zone: download.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-27 12:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89E37D10]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
    \Driver\ACPI -> ACPI.sys @ 0xb9f5fcb8
    \Driver\atapi -> atapi.sys @ 0xb9e1c852
    \Driver\iaStor -> iaStor.sys @ 0xb9e40ae6
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    NDIS: Motorola Wireless PCI Adapter WPCI810G -> SendCompleteHandler -> 0x89719330
    PacketIndicateHandler -> NDIS.sys @ 0xb9cb2a0d
    SendHandler -> NDIS.sys @ 0xb9cc6b40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(880)
    c:\windows\system32\COMRes.dll
    c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
    c:\program files\Spyware Doctor\TFEngine\TFNI.dll
    c:\program files\Spyware Doctor\TFEngine\TFMon.dll
    c:\program files\Spyware Doctor\TFEngine\TFRK.dll

    - - - - - - - > 'lsass.exe'(936)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

    - - - - - - - > 'explorer.exe'(988)
    c:\windows\system32\WININET.dll
    c:\program files\Spyware Doctor\pctgmhk.dll
    c:\program files\Spyware Doctor\TFEngine\TfWah.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-27 12:37:20
    ComboFix-quarantined-files.txt 2010-03-27 17:37
    ComboFix2.txt 2010-03-27 07:21

    Pre-Run: 216,286,269,440 bytes free
    Post-Run: 216,248,434,688 bytes free

    - - End Of File - - 2E0FDEE38ED90805BA25541939083769
     
  12. 2010/03/27
    broni (Moderator, Malware Analyst)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    File::
    
    Folder::
    
    Driver::
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "65533:TCP"=-
     "52344:TCP"=-
     "2479:TCP"=-
     "4227:TCP"=-
     "3389:TCP"=-
     "1771:TCP"=-
     "3246:TCP"=-
     "2233:TCP"=-
     "2966:TCP"=-
     "1662:TCP"=-
     "1824:TCP"=-
    
    
    RegLockDel::
    
    SecCenter::
    {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    
    MBR::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
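As an added example (not code from this thread, from ComboFix, or from PC Tools), the script below parses the GloballyOpenPorts block that ComboFix prints, diffs it between two logs, and emits the `Registry::` deletion stanza in the same REGEDIT4 form as the CFScript above. The two log fragments are constructed from the port lists visible in the ComboFix logs on this page (the eleven "Services" entries deleted by the script, and the different "Services" entries that show up in the log posted after it); they are not complete logs. The function names, and the filter that singles out high ports labelled only "Services", are my own assumptions, not something the thread states.

```python
"""Compare the Windows Firewall GloballyOpenPorts entries in two ComboFix
logs and emit the matching CFScript Registry:: stanza.

Added example for this thread, not ComboFix's or the poster's own code.
LOG_BEFORE and LOG_AFTER are constructed fragments reusing the port lists
shown in the two ComboFix logs above; they are not complete logs.
"""
import re
from typing import Dict, List

PORTS_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
             r"\standardprofile\GloballyOpenPorts\List]")

# Constructed sample: the GloballyOpenPorts block from the first log.
LOG_BEFORE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"1771:TCP"= 1771:TCP:Services

R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
"""

# Constructed sample: the same block from the log posted after the CFScript run.
LOG_AFTER = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6786:TCP"= 6786:TCP:Services
"6787:TCP"= 6787:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys
"""

# Value lines look like  "65533:TCP"= 65533:TCP:Services ; the \s* before the
# closing quote also accepts the forum-mangled form  "65533:TCP "= ...
ENTRY_RE = re.compile(r'^"(?P<name>\d+:(?:TCP|UDP))\s*"\s*=\s*(?P<value>\S.*)$')


def port_number(name: str) -> int:
    """'65533:TCP' -> 65533, used for numeric ordering."""
    return int(name.split(":")[0])


def parse_open_ports(log_text: str) -> Dict[str, str]:
    """Return {value name: data} for the GloballyOpenPorts\\List key block.

    ComboFix prints one registry key per [bracketed] header followed by its
    values; a blank line closes the block.
    """
    ports: Dict[str, str] = {}
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_block = line.lower().endswith(r"\globallyopenports\list]")
            continue
        if not in_block:
            continue
        if not line:
            in_block = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            ports[m.group("name")] = m.group("value").strip()
    return ports


def diff_ports(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Split the entries into removed (before only), kept, and new (after only)."""
    b, a = set(before), set(after)
    return {
        "removed": sorted(b - a, key=port_number),
        "kept": sorted(b & a, key=port_number),
        "new": sorted(a - b, key=port_number),
    }


def generic_service_ports(ports: Dict[str, str], low: int = 1024) -> List[str]:
    """Entries on high ports whose only label is 'Services'.

    Heuristic (my assumption, not a rule from the thread): an exception named
    after a program, such as 'Remote Desktop', is explained; an unnamed high
    port is the kind of entry worth tracing to whatever process opened it.
    """
    return sorted((n for n, v in ports.items()
                   if v.endswith(":Services") and port_number(n) >= low),
                  key=port_number)


def cfscript_registry_stanza(names: List[str]) -> str:
    """Build the Registry:: stanza that deletes the given values.

    '"name"=-' is REGEDIT4 syntax for 'delete this value', the same form
    used in the CFScript posted above.
    """
    lines = ["Registry::", PORTS_KEY] + [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before = parse_open_ports(LOG_BEFORE)
    after = parse_open_ports(LOG_AFTER)
    d = diff_ports(before, after)
    for kind in ("removed", "kept", "new"):
        print(f"{kind:8s} {', '.join(d[kind]) or '-'}")
    print(cfscript_registry_stanza(generic_service_ports(after)))
```

On a real machine the two dictionaries would come from reading the saved ComboFix.txt and the backup ComboFix2.txt named at the end of the previous log, rather than from the embedded samples; the "kept" list shows which entries survived the script and the "new" list which ones appeared only afterwards.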
     
  13. 2010/03/27
    a1b2c3 (Thread Starter)

    ComboFix 10-03-27.02 - Eric 03/27/2010 20:09:45.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2427 [GMT -5:00]
    Running from: c:\documents and settings\Eric.E-6BBAC174EFC44\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Eric.E-6BBAC174EFC44\Desktop\CFScript.txt
    AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
    .

    2010-03-27 05:51 . 2010-03-27 05:51 -------- d-----w- c:\program files\Trend Micro
    2010-03-25 22:24 . 2010-03-25 22:24 -------- d--h--w- c:\windows\PIF
    2010-03-24 23:24 . 2010-03-24 23:28 -------- dc-h--w- c:\windows\ie8
    2010-03-23 23:09 . 2010-02-02 15:13 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
    2010-03-23 23:09 . 2010-02-02 15:13 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
    2010-03-23 23:09 . 2010-02-02 15:13 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
    2010-03-23 22:47 . 2010-03-23 22:47 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\Threat Expert
    2010-03-23 22:41 . 2010-01-22 14:55 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-03-23 22:41 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-03-23 22:41 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-03-23 22:41 . 2010-01-22 14:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-03-23 22:41 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-03-23 22:41 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
    2010-03-23 22:39 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-03-23 22:39 . 2010-03-10 16:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-03-23 22:39 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-03-23 22:39 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-03-23 22:39 . 2010-03-23 22:41 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-23 22:39 . 2010-03-28 00:58 -------- d-----w- c:\program files\Spyware Doctor
    2010-03-23 22:39 . 2010-03-23 23:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
    2010-03-23 22:39 . 2010-03-23 22:39 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\PC Tools
    2010-03-23 22:38 . 2010-03-28 01:40 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2010-03-23 22:05 . 2010-03-23 22:05 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-03-21 01:08 . 2010-03-21 01:08 -------- d-----w- c:\program files\Defender Pro
    2010-03-10 18:04 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 23:38 . 2010-03-06 23:38 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\InstallShield
    2010-03-06 18:07 . 2010-03-06 18:07 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-05 14:24 . 2010-03-05 14:24 -------- d-sh--w- c:\documents and settings\Administrator.E-6BBAC174EFC44\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-28 01:43 . 2010-01-15 19:23 -------- d-----w- c:\program files\PeerBlock
    2010-03-28 01:40 . 2009-04-01 12:05 -------- d-----w- c:\program files\DNA
    2010-03-28 01:40 . 2009-04-01 12:05 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\DNA
    2010-03-27 04:02 . 2008-02-18 16:52 -------- d-----w- c:\program files\LimeWire
    2010-03-27 03:59 . 2008-08-21 03:36 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\LimeWire
    2010-03-27 03:59 . 2009-03-28 20:52 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Vso
    2010-03-25 22:39 . 2008-08-19 19:09 52256 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\Common Files\AVSMedia
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\AVS4YOU
    2010-03-24 00:48 . 2008-04-27 21:16 -------- d-----w- c:\documents and settings\Eric\Application Data\Move Networks
    2010-03-23 00:36 . 2008-09-01 13:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-27 06:25 . 2008-09-01 13:41 -------- d-----w- c:\program files\CCleaner
    2010-02-26 03:38 . 2008-09-21 03:08 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Corel
    2010-02-26 03:37 . 2008-09-21 03:08 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-02-24 15:16 . 2009-10-03 06:37 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 21:54 . 2010-02-20 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ThumbnailCache4R
    2010-02-18 10:35 . 2010-02-18 10:35 -------- d-----w- c:\documents and settings\Administrator.E-6BBAC174EFC44\Application Data\FaxCtr
    2010-01-07 21:07 . 2008-09-01 13:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2008-09-01 13:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2009-12-31 16:50 . 2004-08-10 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-11 323392]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-22 98304]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-22 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-31 149280]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-19 185872]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-12-11 21:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 10:42 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 19:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2008-06-13 16:00 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-07-22 01:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-07-22 01:48 98304 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-10-03 18:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-10-03 18:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxamon]
    2008-06-13 16:04 16040 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxmon.exe]
    2008-06-13 16:04 668328 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-07-22 01:47 81920 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-12-19 03:47 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
    2009-10-26 07:33 15872 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe "=
    "c:\\Program Files\\CCleaner\\CCleaner.exe "=
    "c:\\WINDOWS\\system32\\lxdxcoms.exe "=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe "=
    "c:\\WINDOWS\\system32\\lxdxcfg.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6786:TCP "= 6786:TCP:Services
    "6787:TCP "= 6787:TCP:Services
    "7864:TCP "= 7864:TCP:Services
    "7865:TCP "= 7865:TCP:Services
    "9162:TCP "= 9162:TCP:Services
    "9161:TCP "= 9161:TCP:Services
    "3389:TCP "= 3389:TCP:Remote Desktop

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/23/2010 5:39 PM 217032]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [3/23/2010 6:09 PM 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [3/23/2010 6:09 PM 59664]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [3/23/2010 5:39 PM 233136]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/23/2010 5:41 PM 112592]
    R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [1/15/2010 2:23 PM 14424]
    S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [10/21/2009 7:48 PM 98984]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [3/23/2010 5:39 PM 70408]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/23/2010 5:39 PM 366840]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [3/23/2010 6:09 PM 33552]
    S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    Trusted Zone: download.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-27 20:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A021D00]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
    \Driver\ACPI -> ACPI.sys @ 0xb9f5fcb8
    \Driver\atapi -> atapi.sys @ 0xb9e1c852
    \Driver\iaStor -> iaStor.sys @ 0xb9e40ae6
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    NDIS: Motorola Wireless PCI Adapter WPCI810G -> SendCompleteHandler -> 0x8970e330
    PacketIndicateHandler -> NDIS.sys @ 0xb9cd0a21
    SendHandler -> NDIS.sys @ 0xb9cae87b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(940)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

    - - - - - - - > 'explorer.exe'(1924)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\stsystra.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\lxdxcoms.exe
    c:\windows\System32\wltrysvc.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\System32\bcmwltry.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-27 20:49:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-28 01:49
    ComboFix2.txt 2010-03-28 00:49
    ComboFix3.txt 2010-03-27 17:37
    ComboFix4.txt 2010-03-27 07:21

    Pre-Run: 216,181,030,912 bytes free
    Post-Run: 216,137,367,552 bytes free

    - - End Of File - - 8856C9AF14B316A2D79A2D64797AD4E3
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:50:07 PM, on 3/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\PeerBlock\peerblock.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxdxcoms.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe "
    O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220267475953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220268559562
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
    O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 6672 bytes
     
  14. 2010/03/28
    broni

    broni Moderator Malware Analyst

  15. 2010/03/28
    a1b2c3

    a1b2c3 Inactive Thread Starter

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-28 15:24:17
    Windows 5.1.2600 Service Pack 3
    Running: nmccm6ol.exe; Driver: C:\DOCUME~1\ERIC~1.E-6\LOCALS~1\Temp\kfpoapog.sys


    ---- System - GMER 1.0.15 ----

    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xB9DA8AC2]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9DBEEEE]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9DBF0E0]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xB9DA8CB6]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xB9DA8D5C]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xB9DA89B2]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9DDFD72]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xB9DA8EF8]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xB9DAABD6]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [7F, 71] {JG 0x73}
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [94, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [88, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A0, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [9A, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [22, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [97, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [8B, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [9D, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [3A, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [85, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [91, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [8E, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [82, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70AB000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 70DE000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7126000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 70D2000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01380001
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 715F000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7165000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7162000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7150000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7153000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 70D5000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 7084000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70C0000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7063000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7114000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 715C000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 708D000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 7090000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 7087000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 708A000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 710E000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [6D, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 70D8000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 70E1000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70A2000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7138000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 705D000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70A8000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7111000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70B4000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70BD000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70BA000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7054000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 7075000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 7072000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70A5000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7057000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7060000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 7135000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 705A000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70B7000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7141000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 709F000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 70DB000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 6 Bytes JMP 70F6000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegQueryValueExW 77DD6FFF 6 Bytes JMP 70E4000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 6 Bytes JMP 7108000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 70F9000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegOpenKeyW 77DD7946 6 Bytes JMP 70FC000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!OpenProcessToken 77DD798B 6 Bytes JMP 709C000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegQueryValueExA 77DD7ABB 6 Bytes JMP 70E7000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 70F0000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegQueryValueW 77DDD87A 6 Bytes JMP 70EA000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 710B000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 70F3000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 6 Bytes JMP 70FF000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!AdjustTokenPrivileges 77DDF00C 6 Bytes JMP 7093000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegDeleteKeyA 77DE42A0 6 Bytes JMP 706F000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegDeleteKeyW 77DE559B 6 Bytes JMP 706C000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!OpenSCManagerW 77DE6F55 6 Bytes JMP 70CC000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [CE, 70]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!LookupPrivilegeValueW 77DFB8DF 6 Bytes JMP 7096000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7102000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegQueryValueA 77DFBB8D 4 Bytes [FF, 25, 1E, 00]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegQueryValueA + 5 77DFBB92 1 Byte [70]
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 7105000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 7099000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 7168000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 7120000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 711D000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 7156000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 7066000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 7132000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 70C6000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [C2, 70]
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 7078000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [2B, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 707E000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 707B000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 7069000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7159000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 711A000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 70C9000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 7081000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 7129000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 713E000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [16, 71]
    .text C:\WINDOWS\system32\spoolsv.exe[188] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 7144000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] SHELL32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 70B1000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 70AE000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 7147000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 714D000A
    .text C:\WINDOWS\system32\spoolsv.exe[188] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 714A000A
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [7F, 71] {JG 0x73}
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [94, 71]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [88, 71]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A0, 71]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [9A, 71]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [22, 71]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lxdxcoms.exe[500] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [97, 71]
     
  16. 2010/03/28
    a1b2c3

    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7102000A
    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!RegQueryValueA 77DFBB8D 4 Bytes [FF, 25, 1E, 00]
    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!RegQueryValueA + 5 77DFBB92 1 Byte [70]
    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 7105000A
    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 7099000A
    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 7168000A
    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 7120000A
    .text C:\WINDOWS\System32\svchost.exe[600] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 711D000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 7156000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 7066000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 7132000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 70C6000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [C2, 70]
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 7078000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [2B, 71]
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 707E000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 707B000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 7069000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7159000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 711A000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 70C9000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 7081000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 7129000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 713E000A
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\System32\svchost.exe[600] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [16, 71]
    .text C:\WINDOWS\System32\svchost.exe[600] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 7144000A
    .text C:\WINDOWS\System32\svchost.exe[600] SHELL32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 70B1000A
    .text C:\WINDOWS\System32\svchost.exe[600] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 70AE000A
    .text C:\WINDOWS\System32\svchost.exe[600] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 7147000A
    .text C:\WINDOWS\System32\svchost.exe[600] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 714D000A
    .text C:\WINDOWS\System32\svchost.exe[600] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 714A000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [89, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [9E, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [92, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [AA, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [A4, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [21, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [A1, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [95, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [A7, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [39, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [8F, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [9B, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [98, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [8C, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70AA000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 70DD000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7125000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 70D1000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716A000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00760001
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 715E000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7164000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7161000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 714F000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7152000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 70D4000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 707D000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70BF000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 705C000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7113000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 715B000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 7086000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 7089000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 7080000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 7083000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 710D000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [6C, 71]
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 70D7000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 70E0000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 709B000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7137000A
    .text C:\WINDOWS\eHome\ehRecvr.exe[612] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7056000A
     
  17. 2010/03/28
    a1b2c3 Inactive Thread Starter
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [9C, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [90, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A8, 71] {TEST AL, 0x71}
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [A2, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [9F, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [93, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [A5, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [8D, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [99, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [96, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[856] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [8A, 71]
    .text C:\WINDOWS\system32\csrss.exe[856] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01750001
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [83, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [98, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [8C, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A4, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [9E, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [22, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [9B, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [8F, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [A1, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [3A, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [89, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [92, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [86, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70AB000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 70DE000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7126000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 70D2000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00880001
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 715F000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7165000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7162000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7150000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7153000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 70D5000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 7084000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70C0000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7063000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7114000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 715C000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 708D000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 7090000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 7087000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 708A000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 710E000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [6D, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 70D8000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 70E1000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70A2000A
     
  18. 2010/03/28
    a1b2c3

    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7138000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 705D000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70A8000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7111000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70B4000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70BD000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70BA000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7054000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 7075000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 7072000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70A5000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7057000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7060000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 7135000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 705A000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70B7000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7141000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 709F000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 70DB000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 7156000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 7066000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 7132000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 70C6000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [C2, 70]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 7078000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [2B, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 707E000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 707B000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 7069000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7159000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 711A000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 70C9000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 7081000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 7129000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 713E000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [16, 71]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 6 Bytes JMP 70F6000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegQueryValueExW 77DD6FFF 6 Bytes JMP 70E4000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 6 Bytes JMP 7108000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 70F9000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD7946 6 Bytes JMP 70FC000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!OpenProcessToken 77DD798B 6 Bytes JMP 709C000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegQueryValueExA 77DD7ABB 6 Bytes JMP 70E7000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 70F0000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegQueryValueW 77DDD87A 6 Bytes JMP 70EA000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 710B000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 70F3000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 6 Bytes JMP 70FF000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!AdjustTokenPrivileges 77DDF00C 6 Bytes JMP 7093000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegDeleteKeyA 77DE42A0 6 Bytes JMP 706F000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegDeleteKeyW 77DE559B 6 Bytes JMP 706C000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!OpenSCManagerW 77DE6F55 6 Bytes JMP 70CC000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [CE, 70]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!LookupPrivilegeValueW 77DFB8DF 6 Bytes JMP 7096000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7102000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegQueryValueA 77DFBB8D 4 Bytes [FF, 25, 1E, 00]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegQueryValueA + 5 77DFBB92 1 Byte [70]
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 7105000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 7099000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 7168000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 7120000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 711D000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 7144000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] SHELL32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 70B1000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 70AE000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 7147000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 714D000A
    .text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[860] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 714A000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [84, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [99, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [8D, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A5, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [9F, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [9C, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [90, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [A2, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [8A, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [96, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [93, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [87, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 7102000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 7135000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 7129000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C50001
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 712C000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 70DB000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 7117000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 70BA000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 716E000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 70E4000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 70E7000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 70DE000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 70E1000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 7165000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 712F000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 7138000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70F9000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 70B4000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70FF000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7168000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 710B000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 7114000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 7111000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 70AB000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 70CC000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 70C9000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70FC000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 70AE000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 70B7000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 70B1000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 710E000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 70F6000A
    .text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 7132000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 6 Bytes JMP 714D000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegQueryValueExW 77DD6FFF 6 Bytes JMP 713B000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegCreateKeyExW 77DD776C 6 Bytes JMP 715F000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 7150000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegOpenKeyW 77DD7946 6 Bytes JMP 7153000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!OpenProcessToken 77DD798B 6 Bytes JMP 70F3000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegQueryValueExA 77DD7ABB 6 Bytes JMP 713E000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 7147000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegQueryValueW 77DDD87A 6 Bytes JMP 7141000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 7162000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 714A000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 6 Bytes JMP 7156000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!AdjustTokenPrivileges 77DDF00C 6 Bytes JMP 70EA000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegDeleteKeyA 77DE42A0 6 Bytes JMP 70C6000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegDeleteKeyW 77DE559B 6 Bytes JMP 70C3000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!OpenSCManagerW 77DE6F55 6 Bytes JMP 7123000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [25, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!LookupPrivilegeValueW 77DFB8DF 4 Bytes [FF, 25, 1E, 00]
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!LookupPrivilegeValueW + 5 77DFB8E4 1 Byte [70]
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7159000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegQueryValueA 77DFBB8D 6 Bytes JMP 7144000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 715C000A
    .text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 70F0000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 70BD000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 711D000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [19, 71]
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 70CF000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 70D5000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 70D2000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 70C0000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 7120000A
    .text C:\WINDOWS\system32\winlogon.exe[880] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 70D8000A
    .text C:\WINDOWS\system32\winlogon.exe[880] SHELL32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 7108000A
    .text C:\WINDOWS\system32\winlogon.exe[880] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 7105000A
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [7F, 71] {JG 0x73}
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [94, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [88, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A0, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [9A, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [22, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [97, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [8B, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [9D, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [3A, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [85, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [91, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [8E, 71]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [82, 71]
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70AB000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 70DE000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7126000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 70D2000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 027F0001
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 715F000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7165000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7162000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7150000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7153000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 70D5000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 707E000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70C0000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 705D000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7114000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 715C000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 7087000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 708A000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 7081000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 7084000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 710E000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [6D, 71]
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 70D8000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 70E1000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 709C000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7138000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7057000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70A2000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7111000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70B4000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70BD000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70BA000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 704E000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 706F000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 706C000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 709F000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7051000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 705A000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 7135000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7054000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70B7000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7141000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 7099000A
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 70DB000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 6 Bytes JMP 70F6000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegQueryValueExW 77DD6FFF 6 Bytes JMP 70E4000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 6 Bytes JMP 7108000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 70F9000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyW 77DD7946 6 Bytes JMP 70FC000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!OpenProcessToken 77DD798B 6 Bytes JMP 7096000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegQueryValueExA 77DD7ABB 6 Bytes JMP 70E7000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 70F0000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegQueryValueW 77DDD87A 6 Bytes JMP 70EA000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 710B000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 70F3000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 6 Bytes JMP 70FF000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!AdjustTokenPrivileges 77DDF00C 6 Bytes JMP 708D000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegDeleteKeyA 77DE42A0 6 Bytes JMP 7069000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegDeleteKeyW 77DE559B 6 Bytes JMP 7066000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!OpenSCManagerW 77DE6F55 6 Bytes JMP 70CC000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [CE, 70]
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!LookupPrivilegeValueW 77DFB8DF 6 Bytes JMP 7090000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7102000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegQueryValueA 77DFBB8D 4 Bytes [FF, 25, 1E, 00]
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegQueryValueA + 5 77DFBB92 1 Byte [70]
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 7105000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 7093000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 7168000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 7120000A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 711D000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 7156000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 7060000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 7132000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 70C6000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [C2, 70]
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 7072000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [2B, 71]
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 7078000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 7075000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 7063000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7159000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 711A000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 70C9000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 707B000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 7129000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 713E000A
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [16, 71]
    .text C:\WINDOWS\system32\services.exe[924] WININET.dll!InternetOpenUrlA 3D95F3A4 6 Bytes JMP 70A8000A
    .text C:\WINDOWS\system32\services.exe[924] WININET.dll!InternetOpenUrlW 3D9A6DDF 6 Bytes JMP 70A5000A
    .text C:\WINDOWS\system32\services.exe[924] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 7144000A
    .text C:\WINDOWS\system32\services.exe[924] SHELL32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 70B1000A
    .text C:\WINDOWS\system32\services.exe[924] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 70AE000A
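The hook listing above is easier to read once the split entries are put back together. GMER prints only the bytes that differ from the on-disk copy of the DLL, so a 6-byte `FF 25 disp32` patch (`jmp dword ptr [disp32]`) whose third or fifth byte happens to match the original shows up as "3 Bytes [FF, 25, 1E]" followed by "+ 4 2 Bytes [7F, 71]"; the `{JG 0x73}` and `{TEST AL, 0x71}` annotations are GMER disassembling that two-byte fragment on its own and mean nothing. The following is an added example, not GMER's code and not part of the thread: a small Python parser that reassembles the fragments (unchanged bytes stay as `??`), classifies the patch form, and reports per process which 64 KiB regions the resolved jumps land in. The sample lines are copied from the log above; the WATCH list of functions is this example's own triage choice.

```python
"""Parse GMER user-mode '.text' hook lines, rebuild split patch bytes and summarise
per process where the hooks point. Added example, not GMER's code; sample lines are
copied from the log posted above, the WATCH list is this example's own triage choice."""
import re
from collections import defaultdict

# .text <image>[<pid>] <module>!<func>[ + <off>] <addr> <n> Byte(s) <JMP|CALL target | [b, b, ..]> [{disasm}]
HOOK_RE = re.compile(
    r"""^\s*\.text\s+(?P<image>\S+)\[(?P<pid>\d+)\]\s+
        (?P<module>[^!\s]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+
        (?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+
        (?:(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<bytes>[^\]]+)\])""", re.VERBOSE)

# Hooked functions a credential-theft triage looks at first (this example's choice, not GMER's).
WATCH = {**dict.fromkeys(("GetAsyncKeyState", "GetKeyboardState", "GetKeyState", "SetWindowsHookExA",
                          "SetWindowsHookExW", "RegisterRawInputDevices"), "keyboard capture"),
         **dict.fromkeys(("CreateRemoteThread", "WriteProcessMemory", "SetThreadContext"), "injection"),
         "InternetOpenUrlA": "network", "InternetOpenUrlW": "network"}

# Constructed sample: lines copied verbatim from the GMER log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\winlogon.exe[880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7159000A
.text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [7F, 71] {JG 0x73}
.text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 027F0001
.text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [6D, 71]
.text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegQueryValueA 77DFBB8D 4 Bytes [FF, 25, 1E, 00]
.text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegQueryValueA + 5 77DFBB92 1 Byte [70]
.text C:\WINDOWS\system32\services.exe[924] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
.text C:\WINDOWS\system32\services.exe[924] WININET.dll!InternetOpenUrlA 3D95F3A4 6 Bytes JMP 70A8000A
"""

def parse_line(line):
    """One GMER hook line -> dict, or None for anything else (headers, blanks)."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"image": d["image"], "pid": int(d["pid"]), "module": d["module"], "func": d["func"],
            "off": int(d["off"], 16) if d["off"] else 0, "addr": int(d["addr"], 16),
            "kind": d["kind"].lower() if d["kind"] else None,
            "target": int(d["target"], 16) if d["target"] else None,
            "bytes": [int(b, 16) for b in d["bytes"].split(",")] if d["bytes"] else None}

def rebuild(entries):
    """GMER prints only bytes that differ from the on-disk image, so one 6-byte patch can
    be split over several lines ('3 Bytes' + '+ 4 2 Bytes'). Merge the fragments into one
    record per hooked function; None marks a prologue byte GMER did not print (unchanged)."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["image"], e["pid"], e["module"], e["func"])].append(e)
    hooks = []
    for (image, pid, module, func), frags in groups.items():
        patch, target, form, extras = [None] * 6, None, "unknown", []
        for f in frags:
            if f["bytes"] is not None:
                for i, b in enumerate(f["bytes"]):
                    if f["off"] + i < 6:
                        patch[f["off"] + i] = b
            elif f["off"] == 0:
                target, form = f["target"], f"{f['kind']} (resolved by GMER)"
            else:  # patch deeper inside the function body, e.g. LoadLibraryExW + C4
                extras.append(f"+{f['off']:X}: {f['kind']} {f['target']:08X}")
        pointer = None
        if patch[0] == 0xFF and patch[1] == 0x25:   # FF 25 disp32 = jmp dword ptr [disp32]
            form = "jmp dword ptr [abs32]"
            pointer = "".join("??" if b is None else f"{b:02X}" for b in patch[5:1:-1])  # little-endian dword
        elif patch[0] == 0xE9:
            form = "jmp rel32"
        elif target is None and extras:
            form = "mid-function patch only"
        hooks.append({"image": image, "pid": pid, "module": module, "func": func, "patch": patch,
                      "form": form, "target": target, "pointer": pointer, "extras": extras})
    return hooks

def summarise(hooks):
    """Per process: hook count, 64 KiB regions the resolved jumps land in, watch-list hits."""
    per_proc = defaultdict(lambda: {"hooks": 0, "regions": set(), "watch": {}})
    for h in hooks:
        p = per_proc[(h["image"], h["pid"])]
        p["hooks"] += 1
        if h["target"] is not None:
            p["regions"].add(h["target"] >> 16)
        if h["func"] in WATCH:
            p["watch"][h["func"]] = WATCH[h["func"]]
    return dict(per_proc)

def analyse(text):
    hooks = rebuild([e for e in map(parse_line, text.splitlines()) if e])
    return hooks, summarise(hooks)

if __name__ == "__main__":
    hooks, summary = analyse(SAMPLE_LOG)
    for h in hooks:
        shown = " ".join("??" if b is None else f"{b:02X}" for b in h["patch"])
        where = f"[{h['pointer']}]" if h["pointer"] else (f"{h['target']:08X}" if h["target"] else "")
        print(f"{h['pid']:>4} {h['module']}!{h['func']:<20} {shown}  {h['form']} {where} {' '.join(h['extras'])}")
    for (image, pid), p in summary.items():
        print(f"{image}[{pid}]: {p['hooks']} hooks, regions {sorted(f'{r:04X}0000' for r in p['regions'])}, watch: {p['watch']}")
```

Run against the full log, the pattern to look for is what the sample already shows: every resolved jump lands at an address of the form 0x7nnn000A and every reconstructed `FF 25` pointer slot sits at 0x7nnn??1E, in winlogon.exe, services.exe, lsass.exe and ctfmon.exe alike. That shape (one trampoline region per hook, identical in every process, covering keyboard, registry, file, process and network APIs) points to a single hooking engine injected system-wide, which is how an on-access AV/HIPS product monitors the machine, and the DDS header of this thread lists one with on-access scanning enabled. The hook list therefore does not by itself show the eBay redirect's cause; the useful next check is which loaded module owns those 0x70xx0000 to 0x71xx0000 pages in one of the hooked processes.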
     
  19. 2010/03/28
    a1b2c3 Inactive Thread Starter
    .text C:\WINDOWS\system32\services.exe[924] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 7147000A
    .text C:\WINDOWS\system32\services.exe[924] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 714D000A
    .text C:\WINDOWS\system32\services.exe[924] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 714A000A
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [7F, 71] {JG 0x73}
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [94, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [88, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A0, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [9A, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [22, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [97, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [8B, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [9D, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [3A, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [85, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [91, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [8E, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [82, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70AB000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 70DE000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7126000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 70D2000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BE0001
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 715F000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7165000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7162000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7150000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7153000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 70D5000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 7084000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70C0000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 7063000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7114000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 715C000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 708D000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 7090000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 7087000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 708A000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 710E000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [6D, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 70D8000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 70E1000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 70A2000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7138000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 705D000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70A8000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7111000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70B4000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70BD000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70BA000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 7054000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 7075000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 7072000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 70A5000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7057000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 7060000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 7135000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 705A000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70B7000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7141000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 709F000A
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 70DB000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 6 Bytes JMP 70F6000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegQueryValueExW 77DD6FFF 6 Bytes JMP 70E4000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 6 Bytes JMP 7108000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 70F9000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 6 Bytes JMP 70FC000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!OpenProcessToken 77DD798B 6 Bytes JMP 709C000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegQueryValueExA 77DD7ABB 6 Bytes JMP 70E7000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 70F0000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegQueryValueW 77DDD87A 6 Bytes JMP 70EA000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 710B000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 70F3000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 6 Bytes JMP 70FF000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!AdjustTokenPrivileges 77DDF00C 6 Bytes JMP 7093000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegDeleteKeyA 77DE42A0 6 Bytes JMP 706F000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegDeleteKeyW 77DE559B 6 Bytes JMP 706C000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!OpenSCManagerW 77DE6F55 6 Bytes JMP 70CC000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [CE, 70]
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!LookupPrivilegeValueW 77DFB8DF 6 Bytes JMP 7096000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7102000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegQueryValueA 77DFBB8D 4 Bytes [FF, 25, 1E, 00]
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegQueryValueA + 5 77DFBB92 1 Byte [70]
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 7105000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 7099000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 7168000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 7120000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 711D000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 7156000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 7066000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 7132000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 70C6000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [C2, 70]
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 7078000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [2B, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 707E000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 707B000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 7069000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7159000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 711A000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 70C9000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 7081000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 7129000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 713E000A
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [16, 71]
    .text C:\WINDOWS\system32\lsass.exe[936] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 7144000A
    .text C:\WINDOWS\system32\lsass.exe[936] SHELL32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 70B1000A
    .text C:\WINDOWS\system32\lsass.exe[936] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 70AE000A
    .text C:\WINDOWS\system32\lsass.exe[936] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 7147000A
    .text C:\WINDOWS\system32\lsass.exe[936] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 714D000A
    .text C:\WINDOWS\system32\lsass.exe[936] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 714A000A
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [87, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [9C, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [90, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A8, 71] {TEST AL, 0x71}
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [A2, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [22, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [9F, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [93, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [A5, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [3A, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [8D, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [99, 71]
    .text C:\WINDOWS\system32\ctfmon.exe[988] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
  20. 2010/03/28
    a1b2c3

    a1b2c3 Inactive Thread Starter

    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 70DA000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 6 Bytes JMP 70F5000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegQueryValueExW 77DD6FFF 6 Bytes JMP 70E3000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 6 Bytes JMP 7107000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 70F8000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 6 Bytes JMP 70FB000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!OpenProcessToken 77DD798B 6 Bytes JMP 7095000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegQueryValueExA 77DD7ABB 6 Bytes JMP 70E6000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 70EF000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegQueryValueW 77DDD87A 6 Bytes JMP 70E9000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 710A000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 70F2000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 6 Bytes JMP 70FE000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!AdjustTokenPrivileges 77DDF00C 6 Bytes JMP 708C000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegDeleteKeyA 77DE42A0 6 Bytes JMP 7068000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegDeleteKeyW 77DE559B 6 Bytes JMP 7065000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!OpenSCManagerW 77DE6F55 6 Bytes JMP 70CB000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [CD, 70] {INT 0x70}
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!LookupPrivilegeValueW 77DFB8DF 6 Bytes JMP 708F000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7101000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegQueryValueA 77DFBB8D 6 Bytes JMP 70EC000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 7104000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 7092000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 7168000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 7120000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 711D000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 7156000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 705F000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 7132000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 70C5000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [C1, 70]
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 7071000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [2B, 71]
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 7077000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 7074000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 7062000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7159000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 7119000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 70C8000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 707A000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 7129000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 713E000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [15, 71]
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 04542862
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] WS2_32.dll!send 71AB4C27 5 Bytes JMP 045426EE
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 045427E0
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] WS2_32.dll!recv 71AB676F 5 Bytes JMP 04542726
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0454275E
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] shell32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 7144000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] shell32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 70B0000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] shell32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 70AD000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] shell32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 7147000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] shell32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 714D000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] shell32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 714A000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] WININET.dll!InternetOpenUrlA 3D95F3A4 6 Bytes JMP 70A7000A
    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[1064] WININET.dll!InternetOpenUrlW 3D9A6DDF 6 Bytes JMP 70A4000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [84, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [99, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [8D, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A5, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [9F, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [22, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [9C, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [90, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [A2, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [3A, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [8A, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [96, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [93, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [87, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!DeviceIoControl 7C801629 6 Bytes JMP 70AB000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 70DE000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 7126000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 70D2000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B00001
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 715F000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 7165000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 7162000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7150000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7153000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualAlloc 7C809AF1 6 Bytes JMP 70D5000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!MultiByteToWideChar 7C809C98 6 Bytes JMP 707E000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 70C0000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WideCharToMultiByte 7C80A174 6 Bytes JMP 705D000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 7114000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 715C000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateMutexW 7C80E957 6 Bytes JMP 7087000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateMutexA 7C80E9DF 6 Bytes JMP 708A000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!OpenMutexW 7C80EA35 6 Bytes JMP 7081000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!OpenMutexA 7C80EABB 6 Bytes JMP 7084000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetVolumeInformationW 7C80FA85 6 Bytes JMP 710E000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [6D, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 70D8000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 70E1000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 709C000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 7138000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!MoveFileW 7C821261 6 Bytes JMP 7057000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateDirectoryA 7C8217AC 6 Bytes JMP 70A2000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 7111000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 70B4000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CopyFileA 7C8286EE 6 Bytes JMP 70BD000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CopyFileW 7C82F87B 6 Bytes JMP 70BA000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!OpenProcess 7C8309E9 6 Bytes JMP 704E000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!DeleteFileA 7C831EDD 6 Bytes JMP 706F000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!DeleteFileW 7C831F63 6 Bytes JMP 706C000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateDirectoryW 7C832402 6 Bytes JMP 709F000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 7051000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!MoveFileA 7C835EBF 6 Bytes JMP 705A000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 7135000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!MoveFileExA 7C85E49B 6 Bytes JMP 7054000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CopyFileExA 7C85F39C 6 Bytes JMP 70B7000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 7141000A
     
  21. 2010/03/28
    a1b2c3

    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!SetThreadContext 7C863C09 6 Bytes JMP 7099000A
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 70DB000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 6 Bytes JMP 70F6000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegQueryValueExW 77DD6FFF 6 Bytes JMP 70E4000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 6 Bytes JMP 7108000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 70F9000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 6 Bytes JMP 70FC000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!OpenProcessToken 77DD798B 6 Bytes JMP 7096000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegQueryValueExA 77DD7ABB 6 Bytes JMP 70E7000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 70F0000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegQueryValueW 77DDD87A 6 Bytes JMP 70EA000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 710B000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 70F3000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 6 Bytes JMP 70FF000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!AdjustTokenPrivileges 77DDF00C 6 Bytes JMP 708D000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegDeleteKeyA 77DE42A0 6 Bytes JMP 7069000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegDeleteKeyW 77DE559B 6 Bytes JMP 7066000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!OpenSCManagerW 77DE6F55 6 Bytes JMP 70CC000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [CE, 70]
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!LookupPrivilegeValueW 77DFB8DF 6 Bytes JMP 7090000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 6 Bytes JMP 7102000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegQueryValueA 77DFBB8D 4 Bytes [FF, 25, 1E, 00]
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegQueryValueA + 5 77DFBB92 1 Byte [70]
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 6 Bytes JMP 7105000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!LookupPrivilegeValueA 77DFC238 6 Bytes JMP 7093000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 7168000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 7120000A
    .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 711D000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 7156000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowTextW 7E42960E 6 Bytes JMP 7060000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 7132000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!GetWindowTextW 7E42A5CD 6 Bytes JMP 70C6000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 712F000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [C2, 70]
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!CreateWindowExW 7E42D0A3 6 Bytes JMP 7072000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!GetKeyboardState 7E42D226 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!GetKeyboardState + 4 7E42D22A 2 Bytes [2B, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!DrawTextW 7E42D7E2 6 Bytes JMP 7078000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!CreateWindowExA 7E42E4A9 6 Bytes JMP 7075000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowTextA 7E42F56B 6 Bytes JMP 7063000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 7159000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 711A000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 70C9000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!DrawTextA 7E43C702 6 Bytes JMP 707B000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 7129000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 713E000A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [16, 71]
    .text C:\WINDOWS\system32\svchost.exe[1108] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 7144000A
    .text C:\WINDOWS\system32\svchost.exe[1108] SHELL32.dll!Shell_NotifyIcon 7CA28C56 6 Bytes JMP 70B1000A
    .text C:\WINDOWS\system32\svchost.exe[1108] SHELL32.dll!Shell_NotifyIconW 7CA2A5BF 6 Bytes JMP 70AE000A
    .text C:\WINDOWS\system32\svchost.exe[1108] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 7147000A
    .text C:\WINDOWS\system32\svchost.exe[1108] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 714D000A
    .text C:\WINDOWS\system32\svchost.exe[1108] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 714A000A
    .text C:\WINDOWS\system32\svchost.exe[1108] WININET.dll!InternetOpenUrlA 3D95F3A4 6 Bytes JMP 70A8000A
    .text C:\WINDOWS\system32\svchost.exe[1108] WININET.dll!InternetOpenUrlW 3D9A6DDF 6 Bytes JMP 70A5000A
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [87, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [9C, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [AE, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [90, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [A8, 71] {TEST AL, 0x71}
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [A2, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [9F, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [93, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [A5, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [8D, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [99, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [96, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [8A, 71]
    .text C:\Program Files\internet explorer\iexplore.exe[1160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 025C290A
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 025C28BA
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 025C287E
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[1160] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 025C2CF3