
infection-backdoor.legmir.bz


This topic is locked
13 replies to this topic

#1 graymass

graymass

  • Members
  • 11 posts
  • OFFLINE

Posted 05 March 2009 - 10:53 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/207348/backdoorlegmirbz/ ~ OB

Before the scan I deleted command.pif in the system32 folder because that is what Spyware Doctor said the infection was, but now I'm not sure what to do with all the registry keys that the trojan modified, which are probably corrupted now.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Holly at 20:44:31.55 on 05/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.2.1033.18.2037.937 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\VistaDreams.org\Dream Manager\DreamManager.exe
C:\Program Files\Dell\DELL Webcam Manager\DellWMgr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Holly\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: BhoMisc Class: {e3578b37-6346-4ec1-a82b-38273a100dcf} - c:\program files\trend micro\trendprotect\msie\wrs.dll
TB: TrendProtect: {f83be649-1cc3-48ee-b2e2-0826cef3822a} - c:\program files\trend micro\trendprotect\msie\wrs.dll
uRun: [DreamManager] "c:\program files\vistadreams.org\dream manager\DreamManager.exe" /startup
uRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1235432126975&h=cbc2339f9341100972585d95520c8d63/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - c:\program files\trend micro\trendprotect\msie\WRS.dll
Notify: igfxcui - igfxdev.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-23 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-2-27 130424]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-2-28 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-2-28 39184]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-2-26 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-27 348752]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-2-26 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-2-26 7424]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-2-28 33040]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2009-03-04 06:48 --d----- C:\AppDev
2009-03-04 00:27 --d----- c:\windows\system32\1033
2009-03-03 23:27 --d----- c:\program files\Microsoft Device Emulator
2009-03-03 23:27 --d----- c:\program files\Microsoft SQL Server 2005 Mobile Edition
2009-03-03 22:56 --d----- c:\programdata\PreEmptive Solutions
2009-03-03 22:56 --d----- c:\program files\common files\Business Objects
2009-03-03 22:56 --d----- c:\program files\CE Remote Tools
2009-03-03 22:56 --d----- c:\progra~2\PreEmptive Solutions
2009-03-03 22:56 --d----- c:\program files\HTML Help Workshop
2009-03-03 22:56 --d----- c:\program files\common files\Merge Modules
2009-03-03 22:36 --d----- c:\program files\Digi-Watcher.com
2009-03-03 21:35 --d----- c:\temp\cs110_XP
2009-03-03 21:35 --d----- C:\temp
2009-03-03 17:58 --d----- c:\users\holly\appdata\roaming\Printer Info Cache
2009-03-03 17:41 --d----- c:\programdata\WEBREG
2009-03-03 17:41 --d----- c:\progra~2\WEBREG
2009-03-03 17:21 --d----- c:\program files\common files\Hewlett-Packard
2009-03-03 17:16 --d----- c:\program files\HP
2009-03-03 17:14 --d----- c:\programdata\HP
2009-03-03 17:13 675,840 a------- c:\windows\system32\SETAE3B.tmp
2009-03-03 17:13 573,440 a------- c:\windows\system32\hpotscl1.dll
2009-03-03 17:13 303,104 a------- c:\windows\system32\hpovst01.dll
2009-03-03 17:13 258,048 a------- c:\windows\system32\hpzids01.dll
2009-03-03 01:33 --d----- c:\users\holly\appdata\roaming\Malwarebytes
2009-03-03 01:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-03 01:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 01:32 --d----- c:\programdata\Malwarebytes
2009-03-03 01:32 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 01:32 --d----- c:\progra~2\Malwarebytes
2009-02-28 23:32 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-28 23:32 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-02-28 23:32 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-02-28 23:32 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-02-28 23:32 --d----- c:\program files\ThreatFire
2009-02-28 08:57 --d-h--- c:\windows\PIF
2009-02-28 02:01 --d----- c:\program files\Microsoft SQL Server
2009-02-27 18:07 39 a------- c:\windows\vbaddin.ini
2009-02-27 18:06 --d----- c:\program files\common files\L&H
2009-02-27 18:05 --d----- c:\program files\Microsoft ActiveSync
2009-02-27 17:32 520 a------- c:\windows\ODBC.INI
2009-02-27 17:30 --d----- c:\windows\SHELLNEW
2009-02-27 17:21 --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-27 17:09 --d----- c:\windows\PCHEALTH
2009-02-27 17:09 --d----- c:\program files\Microsoft Visual Studio 8
2009-02-27 17:09 --d----- c:\programdata\Microsoft Help
2009-02-27 12:06 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-02-27 11:45 --d----- C:\PerfLogs
2009-02-27 11:15 1,076,224 a------- c:\windows\system32\vssapi.dll
2009-02-27 11:14 386,560 a------- c:\windows\system32\netcfgx.dll
2009-02-27 11:13 1,224,192 a------- c:\windows\system32\sud.dll
2009-02-27 11:12 97,280 a------- c:\windows\system32\OptionalFeatures.exe
2009-02-27 11:11 357,888 a------- c:\windows\system32\wbemcomn.dll
2009-02-27 11:11 704,512 a------- c:\windows\system32\SmiEngine.dll
2009-02-27 11:11 139,264 a------- c:\windows\system32\SmiInstaller.dll
2009-02-27 11:11 129,536 a------- c:\windows\system32\sqmapi.dll
2009-02-27 11:11 218,624 a------- c:\windows\system32\wdscore.dll
2009-02-27 11:11 130,560 a------- c:\windows\system32\PkgMgr.exe
2009-02-27 11:11 246,784 a------- c:\windows\system32\drvstore.dll
2009-02-27 11:11 305,152 a------- c:\windows\system32\msdelta.dll
2009-02-27 11:11 258,560 a------- c:\windows\system32\dpx.dll
2009-02-27 11:11 35,328 a------- c:\windows\system32\mspatcha.dll
2009-02-27 11:03 --d----- c:\windows\system32\appmgmt
2009-02-27 10:46 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-02-27 10:46 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-27 10:45 --d----- c:\program files\iPod
2009-02-27 10:44 --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-27 10:44 --d----- c:\program files\iTunes
2009-02-27 10:44 --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-27 10:42 --d----- c:\programdata\Apple Computer
2009-02-27 10:39 --d----- c:\programdata\Apple
2009-02-27 09:34 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-02-27 09:34 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-02-27 09:34 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-02-27 09:34 --d----- c:\program files\common files\PC Tools
2009-02-27 09:34 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-02-27 09:34 --d----- c:\users\holly\appdata\roaming\PC Tools
2009-02-27 09:34 --d----- c:\programdata\PC Tools
2009-02-27 09:34 --d----- c:\program files\Spyware Doctor
2009-02-27 09:34 --d----- c:\progra~2\PC Tools
2009-02-27 09:31 --d----- c:\program files\Trend Micro
2009-02-27 04:54 --d----- c:\program files\Creative Live! Cam
2009-02-27 04:53 --d----- c:\program files\Creative
2009-02-27 01:58 269,312 a------- c:\windows\system32\es.dll
2009-02-27 01:57 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-02-27 01:57 7,680 a------- c:\windows\system32\spwmp.dll
2009-02-27 01:57 4,096 a------- c:\windows\system32\msdxm.ocx
2009-02-27 01:57 4,096 a------- c:\windows\system32\dxmasf.dll
2009-02-27 01:57 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-02-26 12:01 --d----- c:\programdata\Stardock
2009-02-26 12:01 --d----- c:\progra~2\Stardock
2009-02-26 12:01 --d----- c:\program files\Stardock
2009-02-26 10:18 233,888 a------- c:\windows\system32\DreamScene.dll
2009-02-26 10:15 6,656 a------- c:\windows\system32\kbd106n.dll
2009-02-26 10:15 988,216 a------- c:\windows\system32\winload.exe
2009-02-26 10:15 927,288 a------- c:\windows\system32\winresume.exe
2009-02-26 10:15 40,960 a------- c:\windows\system32\srclient.dll
2009-02-26 10:15 378,368 a------- c:\windows\system32\srcore.dll
2009-02-26 10:15 318,464 a------- c:\windows\system32\rstrui.exe
2009-02-26 10:15 46,592 a------- c:\windows\system32\setbcdlocale.dll
2009-02-26 10:15 19,000 a------- c:\windows\system32\kd1394.dll
2009-02-26 10:15 14,848 a------- c:\windows\system32\srdelayed.exe
2009-02-26 10:15 615,992 a------- c:\windows\system32\ci.dll
2009-02-26 08:46 61,440 a------- c:\windows\system32\winipsec.dll
2009-02-26 08:46 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-02-26 08:46 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-02-26 08:46 272,896 a------- c:\windows\system32\polstore.dll
2009-02-26 08:43 1,820 a------- c:\windows\system32\rasctrnm.h
2009-02-26 08:40 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-02-26 08:40 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-02-26 08:40 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-02-26 08:25 827,392 a------- c:\windows\system32\wininet.dll
2009-02-26 08:25 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-02-26 08:12 296,960 a------- c:\windows\system32\gdi32.dll
2009-02-26 08:08 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-02-26 08:04 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-02-26 08:04 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-02-26 08:04 1,695,744 a------- c:\windows\system32\gameux.dll
2009-02-26 08:02 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-02-26 08:00 2,032,640 a------- c:\windows\system32\win32k.sys
2009-02-26 07:58 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-02-26 07:58 2,048 a------- c:\windows\system32\msxml3r.dll
2009-02-26 07:48 2,048 a------- c:\windows\system32\tzres.dll
2009-02-26 07:45 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-26 07:45 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-26 07:45 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-26 07:45 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-26 07:45 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-26 07:45 69,632 a------- c:\windows\system32\Mpeg2Data.ax
2009-02-26 07:44 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-02-26 07:32 2,927,104 a------- c:\windows\explorer.exe
2009-02-26 07:27 15,872 a------- c:\windows\system32\hcrstco.dll
2009-02-26 07:27 8,704 a------- c:\windows\system32\hccoin.dll
2009-02-26 07:21 3,104,768 a------- c:\windows\system32\NlsData004c.dll
2009-02-26 07:10 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-02-26 07:10 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-02-26 07:10 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-02-26 07:04 37,888 a------- c:\windows\system32\printcom.dll
2009-02-26 07:04 443,392 a------- c:\windows\system32\win32spl.dll
2009-02-26 07:02 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-02-26 07:02 14,848 a------- c:\windows\system32\wshrm.dll
2009-02-26 06:58 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-02-26 06:48 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-26 06:48 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-26 06:48 11,264 a------- c:\windows\system32\icardres.dll
2009-02-26 06:48 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-26 06:47 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-26 06:47 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-26 06:47 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-26 06:47 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-26 06:14 678,408 a------- c:\windows\system32\gpprefcl.dll
2009-02-26 06:13 --d----- c:\program files\VistaDreams.org
2009-02-26 05:53 --d----- C:\inetpub
2009-02-26 05:36 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-26 05:36 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-26 05:35 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-26 05:35 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-26 05:35 83,968 a------- c:\windows\system32\mscories.dll
2009-02-26 05:14 2,868,736 a------- c:\windows\system32\mf.dll
2009-02-26 05:14 98,816 a------- c:\windows\system32\mfps.dll
2009-02-26 05:13 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-02-26 05:13 24,576 a------- c:\windows\system32\mfpmp.exe
2009-02-26 05:13 2,048 a------- c:\windows\system32\mferror.dll
2009-02-26 05:13 94,720 a------- c:\windows\system32\logagent.exe
2009-02-26 05:13 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-02-26 05:12 84,480 a------- c:\windows\system32\INETRES.dll
2009-02-26 05:12 738,304 a------- c:\windows\system32\inetcomm.dll
2009-02-26 05:11 1,645,568 a------- c:\windows\system32\connect.dll
2009-02-26 05:11 1,314,816 a------- c:\windows\system32\quartz.dll
2009-02-26 05:08 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-26 05:08 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-02-26 05:08 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-02-26 05:08 2,048 a------- c:\windows\system32\msxml6r.dll
2009-02-26 04:20 --d----- c:\windows\Panther
2009-02-26 04:20 172,032 a------- c:\windows\system32\Uci32114.dll
2009-02-26 04:20 90,112 a------- c:\windows\system32\snymsico.dll
2009-02-26 04:20 43,520 a------- c:\windows\system32\drivers\rimsptsk.sys
2009-02-26 04:20 986,624 a------- c:\windows\system32\drivers\HSX_DPV.sys
2009-02-26 04:20 659,968 a------- c:\windows\system32\drivers\HSX_CNXT.sys
2009-02-26 04:20 386,560 a------- c:\windows\system32\drivers\XAudio.exe
2009-02-26 04:20 206,848 a------- c:\windows\system32\drivers\HSXHWAZL.sys
2009-02-26 04:20 144,360 a------- c:\windows\system32\drivers\del1028.cty
2009-02-26 04:20 94,208 a------- c:\windows\system32\mdmxsdk.dll
2009-02-26 04:20 12,672 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-02-26 04:20 8,192 a------- c:\windows\system32\drivers\XAudio.sys
2009-02-26 04:18 811,008 a------- c:\windows\system32\cximage.dll
2009-02-26 04:17 83,456 a------- c:\windows\system32\wudriver.dll
2009-02-26 04:16 162,064 a------- c:\windows\system32\wuwebv.dll
2009-02-26 04:16 31,232 a------- c:\windows\system32\wuapp.exe
2009-02-26 04:15 32 a---hr-- c:\windows\DELL_VERSION
2009-02-26 04:15 --d----- c:\windows\system32\OEM
2009-02-26 03:33 --d----- c:\users\Holly
2009-02-26 03:31 744,318 a------- c:\windows\system32\oem16.inf
2009-02-26 03:30 --d----- c:\program files\CONEXANT
2009-02-26 03:29 --d----- c:\program files\Sigmatel
2009-02-26 03:29 1,601,536 a------- c:\windows\system32\stlang.dll
2009-02-26 03:29 647,168 a------- c:\windows\system32\aestecap.dll
2009-02-26 03:29 131,072 a------- c:\windows\system32\aestacap.dll
2009-02-26 03:29 53,248 a------- c:\windows\system32\aestaren.dll
2009-02-26 03:29 102,400 -------- c:\windows\system32\stacsv.exe
2009-02-26 03:29 73,728 -------- c:\windows\system32\AEstSrv.exe
2009-02-26 03:29 4,947,968 a------- c:\windows\system32\stacgui.cpl
2009-02-26 03:29 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-02-26 03:29 --d----- c:\program files\DellTPad
2009-02-26 01:09 a-d----- c:\programdata\TEMP
2009-02-25 22:53 744,318 a------- c:\windows\system32\oem7.inf
2009-02-25 20:00 --d----- c:\windows\pss
2009-02-25 19:57 --d----- c:\program files\CCleaner
2009-02-25 18:30 --d----- c:\programdata\Windows Genuine Advantage
2009-02-25 17:59 21,412 a------- c:\windows\system32\emptyregdb.dat
2009-02-25 17:21 744,318 a------- c:\windows\system32\oem15.inf
2009-02-25 15:52 1,887 a------- c:\windows\diagwrn.xml
2009-02-25 15:52 1,887 a------- c:\windows\diagerr.xml
2009-02-25 14:39 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-02-25 03:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-25 03:00 --d----- c:\program files\MSXML 4.0
2009-02-24 18:21 99,176 a------- c:\windows\system32\drivers\DRVMCDB.SYS
2009-02-24 18:21 51,768 a------- c:\windows\system32\drivers\DRVNDDM.SYS
2009-02-24 18:21 92,920 a------- c:\windows\DLA.EXE
2009-02-24 18:21 56,056 a------- c:\windows\system32\DLAAPI_W.DLL
2009-02-24 18:21 28,120 a------- c:\windows\system32\drivers\DLARTL_M.SYS
2009-02-24 18:21 12,856 a------- c:\windows\system32\drivers\DLACDBHM.SYS
2009-02-23 21:47 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-23 21:45 -cd-h--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-23 21:45 -cd-h--- c:\progra~2\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-23 21:45 --d----- c:\programdata\Lavasoft
2009-02-23 21:45 --d----- c:\program files\Lavasoft
2009-02-23 18:38 --d----- c:\programdata\InstallShield
2009-02-23 18:35 --d----- c:\programdata\Sonic
2009-02-23 18:32 --d----- c:\program files\common files\SureThing Shared
2009-02-23 18:31 226 a------- c:\windows\wininit.ini
2009-02-23 18:31 --d----- c:\windows\system32\DLA
2009-02-23 18:28 --d----- c:\programdata\Roxio
2009-02-23 18:28 --d----- c:\program files\common files\Sonic Shared
2009-02-23 18:26 --d----- c:\program files\Roxio
2009-02-23 17:30 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-23 17:30 348,160 a------- c:\windows\system32\msvcr71.dll
2009-02-23 17:29 --d----- c:\windows\system32\Adobe
2009-02-23 17:26 --d----- c:\programdata\Adobe
2009-02-23 17:24 --d----- c:\programdata\NOS
2009-02-23 16:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-23 16:04 22,872,064 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-02-23 16:04 458,752 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-23 16:04 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-23 14:29 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-02-23 14:29 333,203 a--shr-- C:\bootmgr
2009-02-23 14:29 --dsh--- C:\Boot
2009-02-23 14:13 --d----- c:\program files\Cisco
2009-02-23 14:13 744,318 a------- c:\windows\system32\oem8.inf
2009-02-23 14:00 172,032 a------- c:\windows\system32\igfxres.dll
2009-02-23 13:59 16,052 a------- c:\windows\system32\results.xml
2009-02-23 13:57 920,088 a------- c:\windows\system32\igxpun.exe
2009-02-23 13:57 --d----- c:\windows\system32\Lang
2009-02-23 13:54 319,456 a------- c:\windows\system32\difxapi.dll
2009-02-23 13:48 --d----- C:\Intel
2009-02-23 13:42 --d----- c:\program files\Dell
2009-02-23 13:41 --dsh--- c:\windows\Installer
2009-02-23 13:41 --d----- C:\dell

==================== Find3M ====================

2009-03-03 22:16 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-03 22:16 86,016 a------- c:\windows\inf\infstor.dat
2009-03-03 22:16 51,200 a------- c:\windows\inf\infpub.dat
2009-02-27 11:55 174 a--sh--- c:\program files\desktop.ini
2009-02-27 11:45 665,600 a------- c:\windows\inf\drvindex.dat
2009-02-27 11:31 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-02-27 11:31 82,432 a------- c:\windows\system32\axaltocm.dll
2009-02-26 08:04 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-02-26 08:04 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2009-02-26 08:04 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2009-02-26 08:04 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-02-26 08:04 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-02-26 08:04 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-02-26 07:21 3,104,768 a------- c:\windows\system32\NlsData004e.dll
2009-02-26 04:18 1,524,736 a------- c:\windows\system32\wucltux.dll
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 12:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:48:29.58 ===============

Edited by Orange Blossom, 05 March 2009 - 11:16 PM.


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 18 March 2009 - 09:09 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 graymass

graymass
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 21 March 2009 - 08:13 AM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Holly at 6:58:30.87 on 21/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.2.1033.18.2037.906 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\dllhost.exe
C:\Windows\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\locator.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\VistaDreams.org\Dream Manager\DreamManager.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Holly\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: BhoMisc Class: {e3578b37-6346-4ec1-a82b-38273a100dcf} - c:\program files\trend micro\trendprotect\msie\wrs.dll
TB: TrendProtect: {f83be649-1cc3-48ee-b2e2-0826cef3822a} - c:\program files\trend micro\trendprotect\msie\wrs.dll
uRun: [DreamManager] "c:\program files\vistadreams.org\dream manager\DreamManager.exe" /startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1237059296065&h=3bb84f0fe47edde1e77805a48bce2082/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - c:\program files\trend micro\trendprotect\msie\WRS.dll
Notify: igfxcui - igfxdev.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-16 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-16 130424]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-16 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-16 38208]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-3-16 159600]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-3-14 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-16 348752]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-3-5 7424]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-3-16 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-16 33088]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-3-14 11264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2009-03-20 22:24 <DIR> --d-h--- c:\windows\PIF
2009-03-20 17:49 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-20 17:49 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-20 17:49 <DIR> --d----- c:\program files\iPod
2009-03-20 17:49 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 17:49 <DIR> --d----- c:\program files\iTunes
2009-03-20 17:49 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 17:47 <DIR> --d----- c:\programdata\Apple Computer
2009-03-20 17:45 <DIR> --d----- c:\programdata\Apple
2009-03-18 15:51 <DIR> --d----- c:\program files\VistaDreams.org
2009-03-18 14:53 <DIR> --d----- c:\programdata\Stardock
2009-03-18 14:53 <DIR> --d----- c:\progra~2\Stardock
2009-03-18 14:53 <DIR> --d----- c:\program files\Stardock
2009-03-17 06:43 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-17 06:43 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-17 06:42 <DIR> --d----- c:\windows\system32\Adobe
2009-03-16 20:25 51,520 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-03-16 20:25 38,208 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-03-16 20:25 33,088 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-03-16 20:25 12,608 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-03-16 20:16 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-16 20:16 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-16 20:16 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-16 20:16 <DIR> a-d----- c:\programdata\TEMP
2009-03-16 20:16 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-16 20:16 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\users\holly\appdata\roaming\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\programdata\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-16 20:16 <DIR> --d----- c:\progra~2\PC Tools
2009-03-16 12:54 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-16 05:17 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-16 05:06 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-16 05:06 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-16 05:05 <DIR> --d----- c:\programdata\Lavasoft
2009-03-16 05:05 <DIR> --d----- c:\program files\Lavasoft
2009-03-15 13:30 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-15 12:56 <DIR> --d----- C:\inetpub
2009-03-15 03:58 <DIR> --d----- c:\program files\CCleaner
2009-03-15 02:08 <DIR> --d----- c:\windows\system32\1033
2009-03-15 01:04 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-03-15 01:02 <DIR> --d----- c:\program files\Microsoft Device Emulator
2009-03-15 00:50 172 a------- c:\windows\ODBC.INI
2009-03-14 23:42 <DIR> --d----- c:\programdata\PreEmptive Solutions
2009-03-14 23:42 <DIR> --d----- c:\program files\common files\Business Objects
2009-03-14 23:42 <DIR> --d----- c:\program files\CE Remote Tools
2009-03-14 23:42 <DIR> --d----- c:\progra~2\PreEmptive Solutions
2009-03-14 23:42 <DIR> --d----- c:\program files\HTML Help Workshop
2009-03-14 23:42 <DIR> --d----- c:\program files\common files\Merge Modules
2009-03-14 23:38 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-14 22:56 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-03-14 21:53 <DIR> --d----- c:\windows\PCHEALTH
2009-03-14 21:50 <DIR> --d----- c:\windows\SHELLNEW
2009-03-14 21:49 <DIR> --d----- c:\programdata\Microsoft Help
2009-03-14 21:41 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-14 21:08 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-03-14 17:22 <DIR> --d----- C:\PerfLogs
2009-03-14 16:47 1,675,264 a------- c:\windows\system32\xpssvcs.dll
2009-03-14 16:46 1,382,912 a------- c:\windows\system32\WMVSDECD.DLL
2009-03-14 16:45 990,208 a------- c:\windows\system32\bthprops.cpl
2009-03-14 16:44 357,888 a------- c:\windows\system32\wbemcomn.dll
2009-03-14 16:44 129,536 a------- c:\windows\system32\sqmapi.dll
2009-03-14 16:44 704,512 a------- c:\windows\system32\SmiEngine.dll
2009-03-14 16:44 139,264 a------- c:\windows\system32\SmiInstaller.dll
2009-03-14 16:44 218,624 a------- c:\windows\system32\wdscore.dll
2009-03-14 16:44 130,560 a------- c:\windows\system32\PkgMgr.exe
2009-03-14 16:44 305,152 a------- c:\windows\system32\msdelta.dll
2009-03-14 16:44 258,560 a------- c:\windows\system32\dpx.dll
2009-03-14 16:44 246,784 a------- c:\windows\system32\drvstore.dll
2009-03-14 16:44 35,328 a------- c:\windows\system32\mspatcha.dll
2009-03-14 16:17 269,312 a------- c:\windows\system32\es.dll
2009-03-14 16:12 678,408 a------- c:\windows\system32\gpprefcl.dll
2009-03-14 16:05 <DIR> --d----- c:\program files\Trend Micro
2009-03-14 16:00 233,888 a------- c:\windows\system32\DreamScene.dll
2009-03-14 15:59 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-03-14 15:04 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-03-14 15:04 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-03-14 15:04 272,896 a------- c:\windows\system32\polstore.dll
2009-03-14 15:04 61,440 a------- c:\windows\system32\winipsec.dll
2009-03-14 15:03 1,820 a------- c:\windows\system32\rasctrnm.h
2009-03-14 15:02 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-03-14 15:02 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-03-14 15:02 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-03-14 14:58 827,392 a------- c:\windows\system32\wininet.dll
2009-03-14 14:58 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-03-14 14:54 296,960 a------- c:\windows\system32\gdi32.dll
2009-03-14 14:52 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-03-14 14:51 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-03-14 14:51 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-03-14 14:51 1,695,744 a------- c:\windows\system32\gameux.dll
2009-03-14 14:50 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-03-14 14:49 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-03-14 14:49 2,048 a------- c:\windows\system32\msxml3r.dll
2009-03-14 14:46 2,048 a------- c:\windows\system32\tzres.dll
2009-03-14 14:44 428,544 a------- c:\windows\system32\EncDec.dll
2009-03-14 14:44 293,376 a------- c:\windows\system32\psisdecd.dll
2009-03-14 14:44 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-14 14:44 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-03-14 14:44 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-14 14:44 69,632 a------- c:\windows\system32\Mpeg2Data.ax
2009-03-14 14:44 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-03-14 14:44 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-14 14:44 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-14 14:44 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-14 14:44 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-14 14:40 2,927,104 a------- c:\windows\explorer.exe
2009-03-14 14:38 15,872 a------- c:\windows\system32\hcrstco.dll
2009-03-14 14:38 8,704 a------- c:\windows\system32\hccoin.dll
2009-03-14 14:34 6,656 a------- c:\windows\system32\kbd106n.dll
2009-03-14 14:34 988,216 a------- c:\windows\system32\winload.exe
2009-03-14 14:34 927,288 a------- c:\windows\system32\winresume.exe
2009-03-14 14:34 378,368 a------- c:\windows\system32\srcore.dll
2009-03-14 14:34 318,464 a------- c:\windows\system32\rstrui.exe
2009-03-14 14:34 46,592 a------- c:\windows\system32\setbcdlocale.dll
2009-03-14 14:34 40,960 a------- c:\windows\system32\srclient.dll
2009-03-14 14:34 19,000 a------- c:\windows\system32\kd1394.dll
2009-03-14 14:34 14,848 a------- c:\windows\system32\srdelayed.exe
2009-03-14 14:34 615,992 a------- c:\windows\system32\ci.dll
2009-03-14 14:31 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-03-14 14:31 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-03-14 14:31 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-03-14 14:28 443,392 a------- c:\windows\system32\win32spl.dll
2009-03-14 14:28 37,888 a------- c:\windows\system32\printcom.dll
2009-03-14 14:28 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-03-14 14:28 14,848 a------- c:\windows\system32\wshrm.dll
2009-03-14 14:27 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-03-14 14:27 268,288 a------- c:\windows\system32\schannel.dll
2009-03-14 14:24 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-14 14:24 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-14 14:24 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-14 14:24 11,264 a------- c:\windows\system32\icardres.dll
2009-03-14 14:24 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-14 14:24 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-14 14:24 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-14 14:24 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-14 14:14 196,608 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-03-14 14:14 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-03-14 14:14 22,872,064 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-03-14 14:14 <DIR> --d----- c:\windows\Panther
2009-03-14 14:12 32 a---hr-- c:\windows\DELL_VERSION
2009-03-14 14:12 <DIR> --d----- c:\windows\system32\OEM
2009-03-14 14:12 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-14 14:12 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-14 13:46 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-14 13:46 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-14 13:46 83,968 a------- c:\windows\system32\mscories.dll
2009-03-14 13:38 2,868,736 a------- c:\windows\system32\mf.dll
2009-03-14 13:38 98,816 a------- c:\windows\system32\mfps.dll
2009-03-14 13:38 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-03-14 13:38 24,576 a------- c:\windows\system32\mfpmp.exe
2009-03-14 13:38 2,048 a------- c:\windows\system32\mferror.dll
2009-03-14 13:37 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-03-14 13:37 94,720 a------- c:\windows\system32\logagent.exe
2009-03-14 13:37 738,304 a------- c:\windows\system32\inetcomm.dll
2009-03-14 13:37 84,480 a------- c:\windows\system32\INETRES.dll
2009-03-14 13:37 1,645,568 a------- c:\windows\system32\connect.dll
2009-03-14 13:36 1,314,816 a------- c:\windows\system32\quartz.dll
2009-03-14 13:36 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-14 13:35 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-14 13:35 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-03-14 13:35 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-03-14 13:35 2,048 a------- c:\windows\system32\msxml6r.dll
2009-03-14 13:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-14 13:08 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-03-14 13:08 333,203 a--shr-- C:\bootmgr
2009-03-14 13:08 <DIR> --dsh--- C:\Boot
2009-03-14 12:39 <DIR> --d----- c:\windows\system32\Lang
2009-03-14 12:39 920,088 a------- c:\windows\system32\igxpun.exe
2009-03-14 12:33 319,456 a------- c:\windows\system32\difxapi.dll
2009-03-14 12:29 21,316 a------- c:\windows\system32\emptyregdb.dat
2009-03-14 12:26 <DIR> --d----- C:\Intel
2009-03-14 12:24 <DIR> --d----- c:\program files\Dell
2009-03-14 12:23 <DIR> --dsh--- c:\windows\Installer
2009-03-14 12:23 <DIR> --d----- C:\dell
2009-03-14 12:21 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-14 12:21 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-14 12:21 <DIR> --d----- c:\users\Holly
2009-03-14 12:21 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-14 12:21 31,232 a------- c:\windows\system32\wuapp.exe
2009-03-14 12:20 744,318 a------- c:\windows\system32\oem14.inf
2009-03-14 12:19 647,168 a------- c:\windows\system32\aestecap.dll
2009-03-14 12:19 131,072 a------- c:\windows\system32\aestacap.dll
2009-03-14 12:19 102,400 a------- c:\windows\system32\stacsv.exe
2009-03-14 12:19 53,248 a------- c:\windows\system32\aestaren.dll
2009-03-14 12:19 <DIR> --d----- c:\program files\Sigmatel
2009-03-14 12:19 73,728 -------- c:\windows\system32\AEstSrv.exe
2009-03-14 12:19 4,947,968 a------- c:\windows\system32\stacgui.cpl
2009-03-14 12:19 1,601,536 a------- c:\windows\system32\stlang.dll
2009-03-14 12:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-03-14 12:19 <DIR> --d----- c:\program files\DellTPad
2009-03-14 11:12 1,887 a------- c:\windows\diagwrn.xml
2009-03-14 11:12 1,887 a------- c:\windows\diagerr.xml
2009-03-14 11:06 <DIR> --d----- c:\program files\Cisco
2009-03-14 11:06 744,318 a------- c:\windows\system32\oem9.inf
2009-03-14 10:59 <DIR> --d----- c:\program files\Broadcom
2009-03-14 10:44 172,032 a------- c:\windows\system32\igfxres.dll
2009-03-14 10:44 16,038 a------- c:\windows\system32\results.xml

==================== Find3M ====================

2009-03-20 23:46 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-20 23:46 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 23:46 51,200 a------- c:\windows\inf\infpub.dat
2009-03-14 17:30 174 a--sh--- c:\program files\desktop.ini
2009-03-14 17:22 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-14 16:59 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-03-14 16:59 82,432 a------- c:\windows\system32\axaltocm.dll
2009-03-14 14:51 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-03-14 14:51 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2009-03-14 14:51 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-03-14 14:51 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2009-03-14 14:51 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-03-14 14:51 52,736 a------- c:\windows\apppatch\iebrshim.dll
2006-11-02 06:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 13:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 7:01:12.25 ===============

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 PM

Posted 21 March 2009 - 12:53 PM

Hello.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


Seems you have an infection called 'W32.Inzae.B@mm' by Symantec: http://www.symantec.com/security_response/...-99&tabid=2

Could you show me the file and location of what Spyware Doctor is talking about? Does it still detect it? Also, from the description from Symantec, if the infection does get successfully installed it deletes a lot of files by their extensions.

Please run GMER for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!: Please do not select the Show all checkbox during the scan.

Post back with:
-GMER log
-New DDs log
-Answer to my questions.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
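As an added example (not part of this thread and not GMER's own code), a small Python triage script for the log format GMER produces, which the post above asks for: it parses the SSDT, kernel-section, user-section and missing-file lines and summarizes which driver owns the SSDT hooks, how many APIs are patched per process, and whether every process carries the same hook set (the pattern a system-wide HIPS product leaves, as opposed to one oddly patched process that deserves a closer look). The sample lines are constructed to mirror the kind of entries posted in this thread; the regexes are this example's own assumptions about GMER's line layout.

```python
import re
from collections import defaultdict

# Constructed sample in the layout GMER prints, modelled on the kind of
# entries posted in this thread (a few lines, not a full log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x82351240]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x82350EF0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 81CFCA00 8 Bytes [40, 12, 35, 82, 32, 14, 35, ...]
? C:\Windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\System32\hkcmd.exe[516] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\hkcmd.exe[516] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
"""

# Line layouts assumed from the entries shown in this thread (not an official spec).
SSDT_RE = re.compile(
    r'^SSDT\s+(?P<driver>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]')
USER_RE = re.compile(
    r'^\.text\s+(?P<proc>[A-Za-z]:\\.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<func>\w+)'
    r'(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.*)$')
KERNEL_RE = re.compile(
    r'^\.text\s+(?P<image>[\w.]+)!(?P<func>\w+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes')
MISSING_RE = re.compile(r'^\?\s+(?P<path>\S+)\s+(?P<msg>.*?)\s*!$')


def parse_gmer(text):
    """Split a GMER log into its kinds of entries; lines that fit no layout are kept aside."""
    report = {"ssdt": [], "kernel": [], "user": [], "missing": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section banners carry no findings
        for key, rx in (("ssdt", SSDT_RE), ("user", USER_RE),
                        ("kernel", KERNEL_RE), ("missing", MISSING_RE)):
            m = rx.match(line)
            if m:
                report[key].append(m.groupdict())
                break
        else:
            report["unparsed"].append(line)
    return report


def summarize(report):
    """Group the parsed entries the way a responder reads them: who hooks what, and how evenly."""
    ssdt_by_driver = defaultdict(set)
    for h in report["ssdt"]:
        ssdt_by_driver[h["driver"]].add(h["func"])

    hooks_by_proc = defaultdict(set)
    for h in report["user"]:
        if h["off"] is None:  # a "+ 4" continuation line describes the same patched API
            hooks_by_proc[(h["proc"], h["pid"])].add(f'{h["dll"]}!{h["func"]}')

    # Identical hook sets across unrelated processes point to one system-wide injector
    # (typically a HIPS/security product); a process whose set differs stands out.
    hook_sets = {proc: frozenset(apis) for proc, apis in hooks_by_proc.items()}
    uniform = len(set(hook_sets.values())) <= 1

    return {
        "ssdt_drivers": {d: sorted(funcs) for d, funcs in ssdt_by_driver.items()},
        "user_hooks_per_process": {f"{p}[{pid}]": len(a) for (p, pid), a in hooks_by_proc.items()},
        "uniform_user_hooks": uniform,
        "missing_drivers": [m["path"] for m in report["missing"]],
        "kernel_patches": [f'{k["image"]}!{k["func"]}+{k["off"]}' for k in report["kernel"]],
        "unparsed": report["unparsed"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```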

#5 graymass

graymass
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:34 PM

Posted 22 March 2009 - 06:15 AM

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-22 04:48:35
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x82351240]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x82351432]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x82350EF0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8235163A]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 81CFCA00 8 Bytes [40, 12, 35, 82, 32, 14, 35, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CFCE18 4 Bytes [F0, 0E, 35, 82]
.text ntkrnlpa.exe!KeSetTimerEx + 918 81CFCEDC 4 Bytes [3A, 16, 35, 82]
? C:\Windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\inetsrv\inetinfo.exe[440] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsass.exe[744] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\lsass.exe[744] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\lsass.exe[744] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\lsass.exe[744] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\lsass.exe[744] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\lsass.exe[744] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\lsass.exe[744] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\lsass.exe[744] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\lsass.exe[744] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\lsass.exe[744] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\lsass.exe[744] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\lsass.exe[744] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\lsass.exe[744] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F7D0F5A
.text C:\Windows\system32\lsass.exe[744] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\lsass.exe[744] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\lsass.exe[744] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\lsm.exe[752] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\lsm.exe[752] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\lsm.exe[752] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\lsm.exe[752] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\lsm.exe[752] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\lsm.exe[752] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\lsm.exe[752] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\lsm.exe[752] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\lsm.exe[752] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\lsm.exe[752] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[788] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [9D, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [7F, 62] {JG 0x64}
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [6D, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [91, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [94, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [8B, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [73, 62] {JAE 0x64}
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [79, 62] {JNS 0x64}
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [E6, 62] {OUT 0x62, AL}
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [7C, 62] {JL 0x64}
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [88, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [76, 62] {JBE 0x64}
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [D4, 62] {AAM 0x62}
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [97, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [82, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [85, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [9A, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [8E, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 62A60F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 62BE0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 62BB0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 62A90F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 626F0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 62B20F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 62D60F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 62AF0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [A0, 62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 62AC0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 62D90F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 62CD0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 62A30F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 62E80F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 62B80F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 62DF0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!SetWinEventHook 7766915C 4 Bytes [FF, 25, 1E, 00]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!SetWinEventHook + 5 77669161 1 Byte [62]
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 62DC0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 62B50F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 62E20F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] USER32.dll!EndTask 776AACCF 6 Bytes JMP 62D00F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 62C40F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 62CA0F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 62C70F5A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[796] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 62C10F5A
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[824] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\winlogon.exe[824] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\System32\svchost.exe[1192] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\System32\svchost.exe[1192] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\System32\svchost.exe[1192] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\System32\svchost.exe[1192] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\System32\svchost.exe[1192] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\System32\svchost.exe[1192] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\System32\svchost.exe[1192] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\System32\svchost.exe[1192] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[1208] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExW
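
What the block of GMER output above is telling a reader is easier to see once the lines are parsed than by scrolling them: every hooked export in every process is diverted into the same 0x5Fxxxxxx range (either a resolved `JMP 5Fxx0F5A` or an `FF 25` indirect jump whose pointer slot has high byte 0x5F), and the same list of APIs is hooked in svchost.exe[1192], [1208], [1324], [1380], [1528] and locator.exe[1620]. That uniformity is the signature of one user-mode hooking engine loaded into every process, not of dozens of independent patches, and the triage question it raises is which module owns that region. The script below is an added example written for this page; it is not code from the poster, from GMER or from any product named in the thread. It parses a constructed sample in the same line format as the log, merges each base line with its `+ 4` continuation, and reports per process how many APIs are hooked, which modules, what the hooked APIs are used for (the capability grouping is my own) and whether all hooks land in one 16 MB region. One assumption is baked in and marked in the code: GMER prints only the bytes that differ from the clean on-disk image, which is why the `FF 25` hooks appear as `3 Bytes` plus `2 Bytes` with offset 3 missing; the script therefore uses only the known high byte of the pointer slot and never reconstructs the missing one.

```python
"""Triage helper for the GMER "user code sections - hooks" lines above (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample in the same format as the log above: two processes and both
# shapes GMER prints (raw changed bytes split over two lines, or a resolved JMP).
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1208] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
"""

LINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<api>\S+)"
    r"(?: \+ (?P<off>\d+))? (?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes (?P<rest>.+)$")
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-F]{8})")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-F, ]+)\]")

# My own grouping of the hooked APIs by what a behaviour monitor would watch them for.
CAPABILITY = {
    "keyboard state": {"GetAsyncKeyState", "GetKeyState", "SetWindowsHookExA",
                       "SetWindowsHookExW", "SetWinEventHook"},
    "injection": {"CreateRemoteThread", "WriteProcessMemory", "NtWriteVirtualMemory",
                  "DebugActiveProcess"},
    "process creation": {"CreateProcessA", "CreateProcessW", "NtCreateProcess",
                         "NtCreateProcessEx", "NtCreateUserProcess", "WinExec",
                         "ShellExecuteA", "ShellExecuteW", "ShellExecuteEx", "ShellExecuteExW"},
    "driver/service install": {"NtLoadDriver", "CreateServiceA"},
    "registry write": {"NtCreateKey", "NtSetValueKey", "NtDeleteKey", "NtDeleteValueKey",
                       "NtRenameKey"},
}


@dataclass
class Hook:
    proc: str
    pid: int
    module: str
    api: str
    addr: int                                             # address of the hooked export
    changed: Dict[int, int] = field(default_factory=dict)  # offset -> byte GMER listed
    target: Optional[int] = None                          # destination when GMER printed "JMP xxxxxxxx"

    def region(self) -> Optional[int]:
        """High byte of where control is diverted to.  For a resolved JMP that is the
        target; for an FF 25 (jmp dword ptr [disp32]) hook GMER only listed the bytes
        that differ from the clean image (assumption), so offset 3 of the disp32 is
        missing, but its high byte, at offset 5, is still known."""
        if self.target is not None:
            return self.target >> 24
        if self.changed.get(0) == 0xFF and self.changed.get(1) == 0x25 and 5 in self.changed:
            return self.changed[5]
        return None


def parse_hooks(text: str) -> Dict[tuple, Hook]:
    """Merge a base line and its '+ 4' continuation into one Hook per (proc, pid, module, api)."""
    hooks: Dict[tuple, Hook] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["proc"], int(m["pid"]), m["mod"], m["api"])
        off = int(m["off"] or 0)
        hook = hooks.get(key)
        if hook is None:
            hook = hooks[key] = Hook(*key, addr=int(m["addr"], 16) - off)
        jm = JMP_RE.match(m["rest"])
        if jm:
            hook.target = int(jm["target"], 16)
            continue
        bm = BYTES_RE.match(m["rest"])
        if bm:
            for i, b in enumerate(bm["bytes"].split(",")):
                hook.changed[off + i] = int(b.strip(), 16)
    return hooks


def capability(api: str) -> str:
    return next((name for name, apis in CAPABILITY.items() if api in apis), "other")


def summarize(hooks: Dict[tuple, Hook]) -> dict:
    """Per-PID view: hook count, hooked modules, capability groups and the 16 MB regions hit."""
    out: dict = {}
    for h in hooks.values():
        s = out.setdefault(h.pid, {"proc": h.proc, "count": 0, "modules": set(),
                                   "capabilities": set(), "regions": set()})
        s["count"] += 1
        s["modules"].add(h.module)
        s["capabilities"].add(capability(h.api))
        if h.region() is not None:
            s["regions"].add(h.region())
    return out


def shared_region(hooks: Dict[tuple, Hook]) -> Optional[int]:
    """The one high byte every decodable hook points into, or None if they fan out;
    a single region across all processes points at a single hooking module."""
    regions = {h.region() for h in hooks.values()} - {None}
    return regions.pop() if len(regions) == 1 else None


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for pid, s in sorted(summarize(hooks).items()):
        print(f"{s['proc']}[{pid}]: {s['count']} hooks in {sorted(s['modules'])}, "
              f"{sorted(s['capabilities'])}, regions {[hex(r) for r in sorted(s['regions'])]}")
    r = shared_region(hooks)
    print(f"all hooks divert into 0x{r:02X}xxxxxx" if r is not None else "hooks fan out to several regions")
```

Run against the full log rather than the sample, the same script gives one line per PID and a single shared region. That result says nothing by itself about whether the hooks are benign: a behaviour-monitoring security product and a user-mode rootkit both hook exactly this set of APIs (process creation, remote threads, keyboard state, driver and service installation, registry writes). The next step is to find the module mapped at that 0x5Fxxxxxx range in one of the hooked processes and check its signer and path, which is what the helpers in this thread go on to do with the rest of the GMER output.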

#6 graymass

graymass
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:34 PM

Posted 22 March 2009 - 06:18 AM

77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\svchost.exe[1208] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\svchost.exe[1208] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[1380] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[1380] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\svchost.exe[1380] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[1380] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\svchost.exe[1380] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[1380] shell32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[1380] shell32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[1380] shell32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\svchost.exe[1380] shell32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\svchost.exe[1528] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[1528] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\svchost.exe[1528] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[1528] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[1528] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\svchost.exe[1528] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[1528] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[1528] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\svchost.exe[1528] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[1528] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[1528] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[1528] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\svchost.exe[1528] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\locator.exe[1620] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\locator.exe[1620] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\locator.exe[1620] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\locator.exe[1620] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\locator.exe[1620] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\locator.exe[1620] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\locator.exe[1620] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\locator.exe[1620] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\locator.exe[1620] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\locator.exe[1620] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[1644] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[1644] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[1644] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[1644] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[1644] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\Dwm.exe[1648] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\Dwm.exe[1648] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\Dwm.exe[1648] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\Dwm.exe[1648] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\Dwm.exe[1648] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\Dwm.exe[1648] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\Dwm.exe[1648] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\Dwm.exe[1648] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\Dwm.exe[1648] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\Dwm.exe[1648] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\WLANExt.exe[1704] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\WLANExt.exe[1704] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\WLANExt.exe[1704] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\WLANExt.exe[1704] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\WLANExt.exe[1704] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\WLANExt.exe[1704] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\WLANExt.exe[1704] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\WLANExt.exe[1704] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\WLANExt.exe[1704] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\WLANExt.exe[1704] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\System32\spoolsv.exe[1868] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\System32\spoolsv.exe[1868] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\System32\spoolsv.exe[1868] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\System32\spoolsv.exe[1868] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\System32\spoolsv.exe[1868] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\System32\spoolsv.exe[1868] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\System32\spoolsv.exe[1868] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\System32\spoolsv.exe[1868] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\System32\spoolsv.exe[1868] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\System32\spoolsv.exe[1868] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\System32\spoolsv.exe[1868] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F7A0F5A
.text C:\Windows\System32\spoolsv.exe[1868] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F800F5A
.text C:\Windows\System32\spoolsv.exe[1868] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F7D0F5A
.text C:\Windows\System32\spoolsv.exe[1868] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\svchost.exe[1896] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[1896] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[1896] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\svchost.exe[1896] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[1896] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[1896] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\svchost.exe[1896] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[1896] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[1896] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\svchost.exe[1896] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[1896] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\svchost.exe[1896] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[1896] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[1896] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\aestsrv.exe[2032] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\aestsrv.exe[2032] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\aestsrv.exe[2032] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\aestsrv.exe[2032] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\aestsrv.exe[2032] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\aestsrv.exe[2032] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\aestsrv.exe[2032] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\aestsrv.exe[2032] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\aestsrv.exe[2032] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\aestsrv.exe[2032] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\svchost.exe[2044] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[2044] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[2044] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\svchost.exe[2044] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[2044] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[2044] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\svchost.exe[2044] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[2044] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[2044] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\svchost.exe[2044] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[2044] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[2044] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[2044] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\svchost.exe[2044] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [3B, 5F]
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F250F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F220F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F100F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F190F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F160F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!CreateThread + 1A 773546E2 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F130F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F400F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F340F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F460F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F520F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F430F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F490F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F370F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] shell32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] shell32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F310F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] shell32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] shell32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F280F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2256] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2276] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\STacSV.exe[2292] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\STacSV.exe[2292] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\STacSV.exe[2292] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\STacSV.exe[2292] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\STacSV.exe[2292] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\STacSV.exe[2292] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\STacSV.exe[2292] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\STacSV.exe[2292] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\STacSV.exe[2292] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\STacSV.exe[2292] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\svchost.exe[2344] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[2344] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[2344] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\svchost.exe[2344] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[2344] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[2344] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\svchost.exe[2344] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[2344] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[2344] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\svchost.exe[2344] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[2344] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\svchost.exe[2344] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[2344] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\svchost.exe[2344] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\svchost.exe[2388] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\svchost.exe[2388] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\svchost.exe[2388] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\svchost.exe[2388] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\svchost.exe[2388] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\svchost.exe[2388] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\svchost.exe[2388] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\svchost.exe[2388] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\svchost.exe[2388] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\System32\svchost.exe[2424] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\System32\svchost.exe[2424] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\System32\svchost.exe[2424] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\System32\svchost.exe[2424] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\System32\svchost.exe[2424] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\System32\svchost.exe[2424] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\System32\svchost.exe[2424] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\System32\svchost.exe[2424] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\System32\svchost.exe[2424] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\System32\svchost.exe[2424] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\System32\svchost.exe[2424] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F800F5A
.text C:\Windows\System32\svchost.exe[2424] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F7A0F5A
.text C:\Windows\System32\svchost.exe[2424] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F830F5A
.text C:\Windows\System32\svchost.exe[2424] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F7D0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\System32\WLTRYSVC.EXE[2456] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\SearchIndexer.exe[2500] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\System32\bcmwltry.exe[2508] KERNEL32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\System32\bcmwltry.exe[2508] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\System32\bcmwltry.exe[2508] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\System32\bcmwltry.exe[2508] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\System32\bcmwltry.exe[2508] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\System32\bcmwltry.exe[2508] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\System32\bcmwltry.exe[2508] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\System32\bcmwltry.exe[2508] shell32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] shell32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\System32\bcmwltry.exe[2508] shell32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\System32\bcmwltry.exe[2508] shell32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\system32\taskeng.exe[2616] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\taskeng.exe[2616] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\taskeng.exe[2616] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\system32\taskeng.exe[2616] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\taskeng.exe[2616] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\taskeng.exe[2616] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\system32\taskeng.exe[2616] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\system32\taskeng.exe[2616] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\taskeng.exe[2616] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\taskeng.exe[2616] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\taskeng.exe[2616] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\taskeng.exe[2616] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\taskeng.exe[2616] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\system32\taskeng.exe[2616] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!SetForegroundWindow 7766B5F5 6 Bytes JMP 5F860F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!SetWindowPos 776721FE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!SetWindowPos + 4 77672202 2 Bytes [8B, 5F]
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!ChangeDisplaySettingsExA 776913E2 6 Bytes JMP 5F8D0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!ChangeDisplaySettingsExW 776AA981 6 Bytes JMP 5F900F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Program Files\DellTPad\Apoint.exe[3988] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Windows\Explorer.EXE[4012] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Windows\Explorer.EXE[4012] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\Explorer.EXE[4012] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Windows\Explorer.EXE[4012] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\Explorer.EXE[4012] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Windows\Explorer.EXE[4012] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Windows\Explorer.EXE[4012] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Windows\Explorer.EXE[4012] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\Explorer.EXE[4012] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Windows\Explorer.EXE[4012] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Windows\Explorer.EXE[4012] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Windows\Explorer.EXE[4012] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Windows\Explorer.EXE[4012] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Windows\Explorer.EXE[4012] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [4D, 5F] {DEC EBP; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [3B, 5F]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F250F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F220F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F100F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F190F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F160F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!CreateThread + 1A 773546E2 4 Bytes CALL 0044AB89 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F130F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F400F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F340F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F460F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F520F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F430F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F490F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F370F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] shell32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] shell32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F310F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] shell32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4124] shell32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F280F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!SetForegroundWindow 7766B5F5 6 Bytes JMP 5F7A0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!SetWindowPos 776721FE 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!SetWindowPos + 4 77672202 2 Bytes [7F, 5F] {JG 0x61}
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!ChangeDisplaySettingsExA 776913E2 6 Bytes JMP 5F810F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!ChangeDisplaySettingsExW 776AA981 6 Bytes JMP 5F840F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Windows\system32\igfxsrvc.exe[4148] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!SetForegroundWindow 7766B5F5 6 Bytes JMP 5F7A0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!SetWindowPos 776721FE 3 Bytes [FF, 25, 1E]
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!SetWindowPos + 4 77672202 2 Bytes [7F, 5F] {JG 0x61}
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!ChangeDisplaySettingsExA 776913E2 6 Bytes JMP 5F810F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!ChangeDisplaySettingsExW 776AA981 6 Bytes JMP 5F840F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Users\Holly\Desktop\gmer\gmer.exe[4308] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!SetForegroundWindow 7766B5F5 6 Bytes JMP 5F7A0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!SetWindowPos 776721FE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!SetWindowPos + 4 77672202 2 Bytes [7F, 5F] {JG 0x61}
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!ChangeDisplaySettingsExA 776913E2 6 Bytes JMP 5F810F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!ChangeDisplaySettingsExW 776AA981 6 Bytes JMP 5F840F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Program Files\DellTPad\ApMsgFwd.exe[4520] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!SetForegroundWindow 7766B5F5 6 Bytes JMP 5F7A0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!SetWindowPos 776721FE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!SetWindowPos + 4 77672202 2 Bytes [7F, 5F] {JG 0x61}
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!ChangeDisplaySettingsExA 776913E2 6 Bytes JMP 5F810F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!ChangeDisplaySettingsExW 776AA981 6 Bytes JMP 5F840F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Program Files\DellTPad\HidFind.exe[4592] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [72, 5F] {JB 0x61}
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [60, 5F] {PUSHA ; POP EDI}
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F620F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F650F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F590F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F6B0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F770F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!SetForegroundWindow 7766B5F5 6 Bytes JMP 5F7A0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!SetWindowPos 776721FE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!SetWindowPos + 4 77672202 2 Bytes [7F, 5F] {JG 0x61}
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F680F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!ChangeDisplaySettingsExA 776913E2 6 Bytes JMP 5F810F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F6E0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!ChangeDisplaySettingsExW 776AA981 6 Bytes JMP 5F840F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F740F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F8A0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F900F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F8D0F5A
.text C:\Program Files\DellTPad\Apntex.exe[4648] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F870F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtClose 77557F48 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtClose + 4 77557F4C 2 Bytes [35, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateFile 77558008 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateFile + 4 7755800C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateKey 77558048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateKey + 4 7755804C 2 Bytes [05, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateProcess 775580C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateProcess + 4 775580CC 2 Bytes [29, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateProcessEx 775580D8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateProcessEx + 4 775580DC 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateSection 775580F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateSection + 4 775580FC 2 Bytes [23, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtDeleteKey 775583F8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtDeleteKey + 4 775583FC 2 Bytes [0B, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtDeleteValueKey 77558428 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtDeleteValueKey + 4 7755842C 2 Bytes [11, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtLoadDriver 77558698 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtLoadDriver + 4 7755869C 2 Bytes [7E, 5F] {JLE 0x61}
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtRenameKey 77558CF8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtRenameKey + 4 77558CFC 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtSetInformationFile 77558F18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtSetInformationFile + 4 77558F1C 2 Bytes [20, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtSetValueKey 77559088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtSetValueKey + 4 7755908C 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtSuspendProcess 775590E8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtSuspendProcess + 4 775590EC 2 Bytes [6C, 5F] {INSB ; POP EDI}
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtTerminateProcess 77559128 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtTerminateProcess + 4 7755912C 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtWriteFile 77559278 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtWriteFile + 4 7755927C 2 Bytes [1A, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtWriteFileGather 77559288 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtWriteFileGather + 4 7755928C 2 Bytes [1D, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtWriteVirtualMemory 775592A8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtWriteVirtualMemory + 4 775592AC 2 Bytes [32, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateUserProcess 77559438 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ntdll.dll!NtCreateUserProcess + 4 7755943C 2 Bytes [26, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!TerminateProcess 773118EF 6 Bytes JMP 5F3E0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!CreateProcessW 77311C01 6 Bytes JMP 5F560F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!CreateProcessA 77311C36 6 Bytes JMP 5F530F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!WriteProcessMemory 77311CC6 6 Bytes JMP 5F410F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!LoadLibraryExW 773330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!LoadLibraryW 7733361F 6 Bytes JMP 5F4A0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!TerminateThread 77333B73 6 Bytes JMP 5F6E0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!LoadLibraryA 77339491 6 Bytes JMP 5F470F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!CreateRemoteThread 773546EF 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!CreateRemoteThread + 4 773546F3 2 Bytes [38, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!GetProcAddress 7735B8B6 6 Bytes JMP 5F440F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!DebugActiveProcess 77399178 6 Bytes JMP 5F710F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] kernel32.dll!WinExec 773A53E7 6 Bytes JMP 5F650F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ADVAPI32.dll!LsaRemoveAccountRights 76ECB699 6 Bytes JMP 5F3B0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] ADVAPI32.dll!CreateServiceA 76EE6C71 6 Bytes JMP 5F800F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!SetWindowsHookExW 77667B69 6 Bytes JMP 5F500F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!GetAsyncKeyState 77668DF4 6 Bytes JMP 5F770F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!SetWinEventHook 7766915C 6 Bytes JMP 5F830F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!SetForegroundWindow 7766B5F5 6 Bytes JMP 5F860F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!SetWindowPos 776721FE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!SetWindowPos + 4 77672202 2 Bytes [8B, 5F]
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!GetKeyState 776787C7 6 Bytes JMP 5F740F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!SetWindowsHookExA 7768BB0E 6 Bytes JMP 5F4D0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!ChangeDisplaySettingsExA 776913E2 6 Bytes JMP 5F8D0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!DdeConnect 776A997F 6 Bytes JMP 5F7A0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!ChangeDisplaySettingsExW 776AA981 6 Bytes JMP 5F900F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] USER32.dll!EndTask 776AACCF 6 Bytes JMP 5F680F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] SHELL32.dll!ShellExecuteW 75DEA2C5 6 Bytes JMP 5F5C0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] SHELL32.dll!ShellExecuteExW 75E3FFBD 6 Bytes JMP 5F620F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] SHELL32.dll!ShellExecuteEx 75FE8A6A 6 Bytes JMP 5F5F0F5A
.text C:\Program Files\Windows Mail\WinMail.exe[7340] SHELL32.dll!ShellExecuteA 75FE8B05 6 Bytes JMP 5F590F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044AE68] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2064] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044AE68] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[4124] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044ACE0] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[4124] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044ACE0] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp pctgntdi.sys
AttachedDevice \Driver\tdx \Device\RawIp pctgntdi.sys

---- EOF - GMER 1.0.15 ----


DDS (Ver_09-03-16.01) - NTFSx86
Run by Holly at 4:50:38.03 on 22/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.2.1033.18.2037.782 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\locator.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Holly\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: BhoMisc Class: {e3578b37-6346-4ec1-a82b-38273a100dcf} - c:\program files\trend micro\trendprotect\msie\wrs.dll
TB: TrendProtect: {f83be649-1cc3-48ee-b2e2-0826cef3822a} - c:\program files\trend micro\trendprotect\msie\wrs.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1237059296065&h=3bb84f0fe47edde1e77805a48bce2082/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - c:\program files\trend micro\trendprotect\msie\WRS.dll
Notify: igfxcui - igfxdev.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-16 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-16 130424]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-16 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-16 38208]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-3-16 159600]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-3-14 73728]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-16 348752]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-3-5 7424]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-3-16 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-16 33088]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-3-14 11264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2009-03-20 22:24 <DIR> --d-h--- c:\windows\PIF
2009-03-20 17:49 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-20 17:49 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-20 17:49 <DIR> --d----- c:\program files\iPod
2009-03-20 17:49 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 17:49 <DIR> --d----- c:\program files\iTunes
2009-03-20 17:49 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 17:47 <DIR> --d----- c:\programdata\Apple Computer
2009-03-20 17:45 <DIR> --d----- c:\programdata\Apple
2009-03-18 15:51 <DIR> --d----- c:\program files\VistaDreams.org
2009-03-18 14:53 <DIR> --d----- c:\programdata\Stardock
2009-03-18 14:53 <DIR> --d----- c:\progra~2\Stardock
2009-03-18 14:53 <DIR> --d----- c:\program files\Stardock
2009-03-17 06:43 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-17 06:43 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-17 06:42 <DIR> --d----- c:\windows\system32\Adobe
2009-03-16 20:25 51,520 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-03-16 20:25 38,208 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-03-16 20:25 33,088 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-03-16 20:25 12,608 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-03-16 20:16 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-16 20:16 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-16 20:16 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-16 20:16 <DIR> a-d----- c:\programdata\TEMP
2009-03-16 20:16 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-16 20:16 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\users\holly\appdata\roaming\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\programdata\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-16 20:16 <DIR> --d----- c:\progra~2\PC Tools
2009-03-16 12:54 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-16 05:17 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-16 05:06 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-16 05:06 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-16 05:05 <DIR> --d----- c:\programdata\Lavasoft
2009-03-16 05:05 <DIR> --d----- c:\program files\Lavasoft
2009-03-15 13:30 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-15 12:56 <DIR> --d----- C:\inetpub
2009-03-15 03:58 <DIR> --d----- c:\program files\CCleaner
2009-03-15 02:08 <DIR> --d----- c:\windows\system32\1033
2009-03-15 01:04 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-03-15 01:02 <DIR> --d----- c:\program files\Microsoft Device Emulator
2009-03-15 00:50 172 a------- c:\windows\ODBC.INI
2009-03-14 23:42 <DIR> --d----- c:\programdata\PreEmptive Solutions
2009-03-14 23:42 <DIR> --d----- c:\program files\common files\Business Objects
2009-03-14 23:42 <DIR> --d----- c:\program files\CE Remote Tools
2009-03-14 23:42 <DIR> --d----- c:\progra~2\PreEmptive Solutions
2009-03-14 23:42 <DIR> --d----- c:\program files\HTML Help Workshop
2009-03-14 23:42 <DIR> --d----- c:\program files\common files\Merge Modules
2009-03-14 23:38 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-14 22:56 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-03-14 21:53 <DIR> --d----- c:\windows\PCHEALTH
2009-03-14 21:50 <DIR> --d----- c:\windows\SHELLNEW
2009-03-14 21:49 <DIR> --d----- c:\programdata\Microsoft Help
2009-03-14 21:41 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-14 21:08 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-03-14 17:22 <DIR> --d----- C:\PerfLogs
2009-03-14 16:47 1,675,264 a------- c:\windows\system32\xpssvcs.dll
2009-03-14 16:46 1,382,912 a------- c:\windows\system32\WMVSDECD.DLL
2009-03-14 16:45 990,208 a------- c:\windows\system32\bthprops.cpl
2009-03-14 16:44 357,888 a------- c:\windows\system32\wbemcomn.dll
2009-03-14 16:44 129,536 a------- c:\windows\system32\sqmapi.dll
2009-03-14 16:44 704,512 a------- c:\windows\system32\SmiEngine.dll
2009-03-14 16:44 139,264 a------- c:\windows\system32\SmiInstaller.dll
2009-03-14 16:44 218,624 a------- c:\windows\system32\wdscore.dll
2009-03-14 16:44 130,560 a------- c:\windows\system32\PkgMgr.exe
2009-03-14 16:44 305,152 a------- c:\windows\system32\msdelta.dll
2009-03-14 16:44 258,560 a------- c:\windows\system32\dpx.dll
2009-03-14 16:44 246,784 a------- c:\windows\system32\drvstore.dll
2009-03-14 16:44 35,328 a------- c:\windows\system32\mspatcha.dll
2009-03-14 16:17 269,312 a------- c:\windows\system32\es.dll
2009-03-14 16:12 678,408 a------- c:\windows\system32\gpprefcl.dll
2009-03-14 16:05 <DIR> --d----- c:\program files\Trend Micro
2009-03-14 16:00 233,888 a------- c:\windows\system32\DreamScene.dll
2009-03-14 15:59 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-03-14 15:04 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-03-14 15:04 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-03-14 15:04 272,896 a------- c:\windows\system32\polstore.dll
2009-03-14 15:04 61,440 a------- c:\windows\system32\winipsec.dll
2009-03-14 15:03 1,820 a------- c:\windows\system32\rasctrnm.h
2009-03-14 15:02 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-03-14 15:02 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-03-14 15:02 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-03-14 14:58 827,392 a------- c:\windows\system32\wininet.dll
2009-03-14 14:58 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-03-14 14:54 296,960 a------- c:\windows\system32\gdi32.dll
2009-03-14 14:52 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-03-14 14:51 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-03-14 14:51 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-03-14 14:51 1,695,744 a------- c:\windows\system32\gameux.dll
2009-03-14 14:50 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-03-14 14:49 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-03-14 14:49 2,048 a------- c:\windows\system32\msxml3r.dll
2009-03-14 14:46 2,048 a------- c:\windows\system32\tzres.dll
2009-03-14 14:44 428,544 a------- c:\windows\system32\EncDec.dll
2009-03-14 14:44 293,376 a------- c:\windows\system32\psisdecd.dll
2009-03-14 14:44 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-14 14:44 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-03-14 14:44 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-14 14:44 69,632 a------- c:\windows\system32\Mpeg2Data.ax
2009-03-14 14:44 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-03-14 14:44 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-14 14:44 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-14 14:44 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-14 14:44 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-14 14:40 2,927,104 a------- c:\windows\explorer.exe
2009-03-14 14:38 15,872 a------- c:\windows\system32\hcrstco.dll
2009-03-14 14:38 8,704 a------- c:\windows\system32\hccoin.dll
2009-03-14 14:34 6,656 a------- c:\windows\system32\kbd106n.dll
2009-03-14 14:34 988,216 a------- c:\windows\system32\winload.exe
2009-03-14 14:34 927,288 a------- c:\windows\system32\winresume.exe
2009-03-14 14:34 378,368 a------- c:\windows\system32\srcore.dll
2009-03-14 14:34 318,464 a------- c:\windows\system32\rstrui.exe
2009-03-14 14:34 46,592 a------- c:\windows\system32\setbcdlocale.dll
2009-03-14 14:34 40,960 a------- c:\windows\system32\srclient.dll
2009-03-14 14:34 19,000 a------- c:\windows\system32\kd1394.dll
2009-03-14 14:34 14,848 a------- c:\windows\system32\srdelayed.exe
2009-03-14 14:34 615,992 a------- c:\windows\system32\ci.dll
2009-03-14 14:31 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-03-14 14:31 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-03-14 14:31 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-03-14 14:28 443,392 a------- c:\windows\system32\win32spl.dll
2009-03-14 14:28 37,888 a------- c:\windows\system32\printcom.dll
2009-03-14 14:28 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-03-14 14:28 14,848 a------- c:\windows\system32\wshrm.dll
2009-03-14 14:27 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-03-14 14:27 268,288 a------- c:\windows\system32\schannel.dll
2009-03-14 14:24 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-14 14:24 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-14 14:24 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-14 14:24 11,264 a------- c:\windows\system32\icardres.dll
2009-03-14 14:24 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-14 14:24 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-14 14:24 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-14 14:24 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-14 14:14 196,608 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-03-14 14:14 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-03-14 14:14 22,872,064 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-03-14 14:14 <DIR> --d----- c:\windows\Panther
2009-03-14 14:12 32 a---hr-- c:\windows\DELL_VERSION
2009-03-14 14:12 <DIR> --d----- c:\windows\system32\OEM
2009-03-14 14:12 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-14 14:12 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-14 13:46 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-14 13:46 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-14 13:46 83,968 a------- c:\windows\system32\mscories.dll
2009-03-14 13:38 2,868,736 a------- c:\windows\system32\mf.dll
2009-03-14 13:38 98,816 a------- c:\windows\system32\mfps.dll
2009-03-14 13:38 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-03-14 13:38 24,576 a------- c:\windows\system32\mfpmp.exe
2009-03-14 13:38 2,048 a------- c:\windows\system32\mferror.dll
2009-03-14 13:37 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-03-14 13:37 94,720 a------- c:\windows\system32\logagent.exe
2009-03-14 13:37 738,304 a------- c:\windows\system32\inetcomm.dll
2009-03-14 13:37 84,480 a------- c:\windows\system32\INETRES.dll
2009-03-14 13:37 1,645,568 a------- c:\windows\system32\connect.dll
2009-03-14 13:36 1,314,816 a------- c:\windows\system32\quartz.dll
2009-03-14 13:36 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-14 13:35 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-14 13:35 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-03-14 13:35 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-03-14 13:35 2,048 a------- c:\windows\system32\msxml6r.dll
2009-03-14 13:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-14 13:08 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-03-14 13:08 333,203 a--shr-- C:\bootmgr
2009-03-14 13:08 <DIR> --dsh--- C:\Boot
2009-03-14 12:39 <DIR> --d----- c:\windows\system32\Lang
2009-03-14 12:39 920,088 a------- c:\windows\system32\igxpun.exe
2009-03-14 12:33 319,456 a------- c:\windows\system32\difxapi.dll
2009-03-14 12:29 21,316 a------- c:\windows\system32\emptyregdb.dat
2009-03-14 12:26 <DIR> --d----- C:\Intel
2009-03-14 12:24 <DIR> --d----- c:\program files\Dell
2009-03-14 12:23 <DIR> --dsh--- c:\windows\Installer
2009-03-14 12:23 <DIR> --d----- C:\dell
2009-03-14 12:21 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-14 12:21 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-14 12:21 <DIR> --d----- c:\users\Holly
2009-03-14 12:21 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-14 12:21 31,232 a------- c:\windows\system32\wuapp.exe
2009-03-14 12:20 744,318 a------- c:\windows\system32\oem14.inf
2009-03-14 12:19 647,168 a------- c:\windows\system32\aestecap.dll
2009-03-14 12:19 131,072 a------- c:\windows\system32\aestacap.dll
2009-03-14 12:19 102,400 a------- c:\windows\system32\stacsv.exe
2009-03-14 12:19 53,248 a------- c:\windows\system32\aestaren.dll
2009-03-14 12:19 <DIR> --d----- c:\program files\Sigmatel
2009-03-14 12:19 73,728 -------- c:\windows\system32\AEstSrv.exe
2009-03-14 12:19 4,947,968 a------- c:\windows\system32\stacgui.cpl
2009-03-14 12:19 1,601,536 a------- c:\windows\system32\stlang.dll
2009-03-14 12:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-03-14 12:19 <DIR> --d----- c:\program files\DellTPad
2009-03-14 11:12 1,887 a------- c:\windows\diagwrn.xml
2009-03-14 11:12 1,887 a------- c:\windows\diagerr.xml
2009-03-14 11:06 <DIR> --d----- c:\program files\Cisco
2009-03-14 11:06 744,318 a------- c:\windows\system32\oem9.inf
2009-03-14 10:59 <DIR> --d----- c:\program files\Broadcom
2009-03-14 10:44 172,032 a------- c:\windows\system32\igfxres.dll
2009-03-14 10:44 16,038 a------- c:\windows\system32\results.xml

==================== Find3M ====================

2009-03-20 23:46 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-20 23:46 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 23:46 51,200 a------- c:\windows\inf\infpub.dat
2009-03-14 17:30 174 a--sh--- c:\program files\desktop.ini
2009-03-14 17:22 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-14 16:59 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-03-14 16:59 82,432 a------- c:\windows\system32\axaltocm.dll
2009-03-14 14:51 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-03-14 14:51 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2009-03-14 14:51 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-03-14 14:51 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2009-03-14 14:51 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-03-14 14:51 52,736 a------- c:\windows\apppatch\iebrshim.dll
2006-11-02 06:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 13:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 4:52:47.59 ===============

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 PM

Posted 22 March 2009 - 05:19 PM

Hello.

Could you answer my questions, please? We need to communicate here to understand how your computer is at the moment.

Also, you didn't attach the Attach.zip file for me. One question in addition to what I asked in my previous post: what problems do you still have with your computer?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 graymass

graymass
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:34 PM

Posted 23 March 2009 - 02:09 AM

Hi, sorry about the miscommunication. The command.pif file in my system32 folder was the infection Spyware Doctor detected. I deleted that file manually the day the infection was found. My computer is slower than usual, but performance has improved since I have been fixing the registry where corruption was left by the malware. I am not sure if I actually fixed it all or not and was wondering if you could tell me. Thank you so kindly.


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 PM

Posted 23 March 2009 - 02:53 PM

Hello.

It seems you pretty much did everything. Please run the two scans below.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-MBAM log
-Kaspersky log
-New DDS log only


With Regards,
extremeboy

#10 graymass

graymass
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:34 PM

Posted 24 March 2009 - 06:25 AM

Hello, I did the Kaspersky scan but there was no report to save.

Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 6.0.6001 Service Pack 1

24/03/2009 1:43:44 AM
mbam-log-2009-03-24 (01-43-44).txt

Scan type: Quick Scan
Objects scanned: 65542
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_09-03-16.01) - NTFSx86
Run by Holly at 5:18:27.94 on 24/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.2.1033.18.2037.1067 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\dllhost.exe
C:\Windows\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\locator.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\VistaDreams.org\Dream Manager\DreamManager.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Holly\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: BhoMisc Class: {e3578b37-6346-4ec1-a82b-38273a100dcf} - c:\program files\trend micro\trendprotect\msie\wrs.dll
TB: TrendProtect: {f83be649-1cc3-48ee-b2e2-0826cef3822a} - c:\program files\trend micro\trendprotect\msie\wrs.dll
uRun: [DreamManager] "c:\program files\vistadreams.org\dream manager\DreamManager.exe" /startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [<NO NAME>]
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1237059296065&h=3bb84f0fe47edde1e77805a48bce2082/&filename=jinstall-6u12-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - c:\program files\trend micro\trendprotect\msie\WRS.dll
Notify: igfxcui - igfxdev.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-16 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-16 130424]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-16 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-16 38208]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-3-16 159600]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-3-14 73728]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-3-5 7424]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-3-16 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-16 348752]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-16 33088]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-3-14 11264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2009-03-24 01:35 <DIR> --d----- c:\users\holly\appdata\roaming\Malwarebytes
2009-03-24 01:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 01:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 01:33 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-24 01:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 01:33 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-23 06:55 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-22 22:02 99,176 a------- c:\windows\system32\drivers\DRVMCDB.SYS
2009-03-22 22:02 51,768 a------- c:\windows\system32\drivers\DRVNDDM.SYS
2009-03-22 22:02 12,856 a------- c:\windows\system32\drivers\DLACDBHM.SYS
2009-03-22 22:02 92,920 a------- c:\windows\DLA.EXE
2009-03-22 22:02 56,056 a------- c:\windows\system32\DLAAPI_W.DLL
2009-03-22 22:02 28,120 a------- c:\windows\system32\drivers\DLARTL_M.SYS
2009-03-22 21:21 <DIR> --d----- c:\programdata\InstallShield
2009-03-22 21:18 <DIR> --d----- c:\programdata\Sonic
2009-03-22 21:14 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-03-22 21:13 228 a------- c:\windows\wininit.ini
2009-03-22 21:13 <DIR> --d----- c:\windows\system32\DLA
2009-03-22 21:08 <DIR> --d----- c:\programdata\Roxio
2009-03-22 21:08 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-03-22 21:06 <DIR> --d----- c:\program files\Roxio
2009-03-20 22:24 <DIR> --d-h--- c:\windows\PIF
2009-03-20 17:49 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-20 17:49 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-20 17:49 <DIR> --d----- c:\program files\iPod
2009-03-20 17:49 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 17:49 <DIR> --d----- c:\program files\iTunes
2009-03-20 17:49 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 17:47 <DIR> --d----- c:\programdata\Apple Computer
2009-03-20 17:45 <DIR> --d----- c:\programdata\Apple
2009-03-18 15:51 <DIR> --d----- c:\program files\VistaDreams.org
2009-03-18 14:53 <DIR> --d----- c:\programdata\Stardock
2009-03-18 14:53 <DIR> --d----- c:\progra~2\Stardock
2009-03-18 14:53 <DIR> --d----- c:\program files\Stardock
2009-03-17 06:43 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-17 06:43 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-17 06:42 <DIR> --d----- c:\windows\system32\Adobe
2009-03-16 20:25 51,520 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-03-16 20:25 38,208 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-03-16 20:25 33,088 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-03-16 20:25 12,608 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-03-16 20:16 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-16 20:16 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-16 20:16 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-16 20:16 <DIR> a-d----- c:\programdata\TEMP
2009-03-16 20:16 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-16 20:16 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\users\holly\appdata\roaming\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\programdata\PC Tools
2009-03-16 20:16 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-16 20:16 <DIR> --d----- c:\progra~2\PC Tools
2009-03-16 12:54 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-16 05:17 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-16 05:06 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-16 05:06 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-16 05:05 <DIR> --d----- c:\programdata\Lavasoft
2009-03-16 05:05 <DIR> --d----- c:\program files\Lavasoft
2009-03-15 13:30 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-15 12:56 <DIR> --d----- C:\inetpub
2009-03-15 03:58 <DIR> --d----- c:\program files\CCleaner
2009-03-15 02:08 <DIR> --d----- c:\windows\system32\1033
2009-03-15 01:04 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-03-15 01:02 <DIR> --d----- c:\program files\Microsoft Device Emulator
2009-03-15 00:50 172 a------- c:\windows\ODBC.INI
2009-03-14 23:42 <DIR> --d----- c:\programdata\PreEmptive Solutions
2009-03-14 23:42 <DIR> --d----- c:\program files\common files\Business Objects
2009-03-14 23:42 <DIR> --d----- c:\program files\CE Remote Tools
2009-03-14 23:42 <DIR> --d----- c:\progra~2\PreEmptive Solutions
2009-03-14 23:42 <DIR> --d----- c:\program files\HTML Help Workshop
2009-03-14 23:42 <DIR> --d----- c:\program files\common files\Merge Modules
2009-03-14 23:38 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-14 22:56 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-03-14 21:53 <DIR> --d----- c:\windows\PCHEALTH
2009-03-14 21:50 <DIR> --d----- c:\windows\SHELLNEW
2009-03-14 21:49 <DIR> --d----- c:\programdata\Microsoft Help
2009-03-14 21:41 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-14 21:08 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-03-14 17:22 <DIR> --d----- C:\PerfLogs
2009-03-14 16:47 1,675,264 a------- c:\windows\system32\xpssvcs.dll
2009-03-14 16:46 1,382,912 a------- c:\windows\system32\WMVSDECD.DLL
2009-03-14 16:45 990,208 a------- c:\windows\system32\bthprops.cpl
2009-03-14 16:44 357,888 a------- c:\windows\system32\wbemcomn.dll
2009-03-14 16:44 129,536 a------- c:\windows\system32\sqmapi.dll
2009-03-14 16:44 704,512 a------- c:\windows\system32\SmiEngine.dll
2009-03-14 16:44 139,264 a------- c:\windows\system32\SmiInstaller.dll
2009-03-14 16:44 218,624 a------- c:\windows\system32\wdscore.dll
2009-03-14 16:44 130,560 a------- c:\windows\system32\PkgMgr.exe
2009-03-14 16:44 305,152 a------- c:\windows\system32\msdelta.dll
2009-03-14 16:44 258,560 a------- c:\windows\system32\dpx.dll
2009-03-14 16:44 246,784 a------- c:\windows\system32\drvstore.dll
2009-03-14 16:44 35,328 a------- c:\windows\system32\mspatcha.dll
2009-03-14 16:17 269,312 a------- c:\windows\system32\es.dll
2009-03-14 16:12 678,408 a------- c:\windows\system32\gpprefcl.dll
2009-03-14 16:05 <DIR> --d----- c:\program files\Trend Micro
2009-03-14 16:00 233,888 a------- c:\windows\system32\DreamScene.dll
2009-03-14 15:59 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-03-14 15:04 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-03-14 15:04 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-03-14 15:04 272,896 a------- c:\windows\system32\polstore.dll
2009-03-14 15:04 61,440 a------- c:\windows\system32\winipsec.dll
2009-03-14 15:03 1,820 a------- c:\windows\system32\rasctrnm.h
2009-03-14 15:02 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-03-14 15:02 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-03-14 15:02 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-03-14 14:58 827,392 a------- c:\windows\system32\wininet.dll
2009-03-14 14:58 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-03-14 14:54 296,960 a------- c:\windows\system32\gdi32.dll
2009-03-14 14:52 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-03-14 14:51 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-03-14 14:51 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-03-14 14:51 1,695,744 a------- c:\windows\system32\gameux.dll
2009-03-14 14:50 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-03-14 14:49 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-03-14 14:49 2,048 a------- c:\windows\system32\msxml3r.dll
2009-03-14 14:46 2,048 a------- c:\windows\system32\tzres.dll
2009-03-14 14:44 428,544 a------- c:\windows\system32\EncDec.dll
2009-03-14 14:44 293,376 a------- c:\windows\system32\psisdecd.dll
2009-03-14 14:44 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-14 14:44 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-03-14 14:44 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-14 14:44 69,632 a------- c:\windows\system32\Mpeg2Data.ax
2009-03-14 14:44 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-03-14 14:44 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-14 14:44 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-14 14:44 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-14 14:44 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-14 14:40 2,927,104 a------- c:\windows\explorer.exe
2009-03-14 14:38 15,872 a------- c:\windows\system32\hcrstco.dll
2009-03-14 14:38 8,704 a------- c:\windows\system32\hccoin.dll
2009-03-14 14:34 6,656 a------- c:\windows\system32\kbd106n.dll
2009-03-14 14:34 988,216 a------- c:\windows\system32\winload.exe
2009-03-14 14:34 927,288 a------- c:\windows\system32\winresume.exe
2009-03-14 14:34 378,368 a------- c:\windows\system32\srcore.dll
2009-03-14 14:34 318,464 a------- c:\windows\system32\rstrui.exe
2009-03-14 14:34 46,592 a------- c:\windows\system32\setbcdlocale.dll
2009-03-14 14:34 40,960 a------- c:\windows\system32\srclient.dll
2009-03-14 14:34 19,000 a------- c:\windows\system32\kd1394.dll
2009-03-14 14:34 14,848 a------- c:\windows\system32\srdelayed.exe
2009-03-14 14:34 615,992 a------- c:\windows\system32\ci.dll
2009-03-14 14:31 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-03-14 14:31 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-03-14 14:31 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-03-14 14:28 443,392 a------- c:\windows\system32\win32spl.dll
2009-03-14 14:28 37,888 a------- c:\windows\system32\printcom.dll
2009-03-14 14:28 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-03-14 14:28 14,848 a------- c:\windows\system32\wshrm.dll
2009-03-14 14:27 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-03-14 14:27 268,288 a------- c:\windows\system32\schannel.dll
2009-03-14 14:24 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-14 14:24 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-14 14:24 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-14 14:24 11,264 a------- c:\windows\system32\icardres.dll
2009-03-14 14:24 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-14 14:24 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-14 14:24 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-14 14:24 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-14 14:14 196,608 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-03-14 14:14 65,536 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-03-14 14:14 22,872,064 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-03-14 14:14 <DIR> --d----- c:\windows\Panther
2009-03-14 14:12 32 a---hr-- c:\windows\DELL_VERSION
2009-03-14 14:12 <DIR> --d----- c:\windows\system32\OEM
2009-03-14 14:12 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-14 14:12 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-14 13:46 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-14 13:46 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-14 13:46 83,968 a------- c:\windows\system32\mscories.dll
2009-03-14 13:38 2,868,736 a------- c:\windows\system32\mf.dll
2009-03-14 13:38 98,816 a------- c:\windows\system32\mfps.dll
2009-03-14 13:38 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-03-14 13:38 24,576 a------- c:\windows\system32\mfpmp.exe
2009-03-14 13:38 2,048 a------- c:\windows\system32\mferror.dll
2009-03-14 13:37 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-03-14 13:37 94,720 a------- c:\windows\system32\logagent.exe
2009-03-14 13:37 738,304 a------- c:\windows\system32\inetcomm.dll
2009-03-14 13:37 84,480 a------- c:\windows\system32\INETRES.dll
2009-03-14 13:37 1,645,568 a------- c:\windows\system32\connect.dll
2009-03-14 13:36 1,314,816 a------- c:\windows\system32\quartz.dll
2009-03-14 13:36 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-14 13:35 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-14 13:35 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-03-14 13:35 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-03-14 13:35 2,048 a------- c:\windows\system32\msxml6r.dll
2009-03-14 13:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-14 13:08 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-03-14 13:08 333,203 a--shr-- C:\bootmgr
2009-03-14 13:08 <DIR> --dsh--- C:\Boot
2009-03-14 12:39 <DIR> --d----- c:\windows\system32\Lang
2009-03-14 12:39 920,088 a------- c:\windows\system32\igxpun.exe
2009-03-14 12:33 319,456 a------- c:\windows\system32\difxapi.dll
2009-03-14 12:29 21,316 a------- c:\windows\system32\emptyregdb.dat
2009-03-14 12:26 <DIR> --d----- C:\Intel
2009-03-14 12:24 <DIR> --d----- c:\program files\Dell
2009-03-14 12:23 <DIR> --dsh--- c:\windows\Installer
2009-03-14 12:23 <DIR> --d----- C:\dell
2009-03-14 12:21 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-14 12:21 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-14 12:21 <DIR> --d----- c:\users\Holly
2009-03-14 12:21 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-14 12:21 31,232 a------- c:\windows\system32\wuapp.exe
2009-03-14 12:20 744,318 a------- c:\windows\system32\oem14.inf
2009-03-14 12:19 647,168 a------- c:\windows\system32\aestecap.dll
2009-03-14 12:19 131,072 a------- c:\windows\system32\aestacap.dll
2009-03-14 12:19 102,400 a------- c:\windows\system32\stacsv.exe
2009-03-14 12:19 53,248 a------- c:\windows\system32\aestaren.dll
2009-03-14 12:19 <DIR> --d----- c:\program files\Sigmatel
2009-03-14 12:19 73,728 -------- c:\windows\system32\AEstSrv.exe
2009-03-14 12:19 4,947,968 a------- c:\windows\system32\stacgui.cpl
2009-03-14 12:19 1,601,536 a------- c:\windows\system32\stlang.dll
2009-03-14 12:19 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-03-14 12:19 <DIR> --d----- c:\program files\DellTPad
2009-03-14 11:12 1,887 a------- c:\windows\diagwrn.xml
2009-03-14 11:12 1,887 a------- c:\windows\diagerr.xml
2009-03-14 11:06 <DIR> --d----- c:\program files\Cisco
2009-03-14 11:06 744,318 a------- c:\windows\system32\oem9.inf
2009-03-14 10:59 <DIR> --d----- c:\program files\Broadcom
2009-03-14 10:44 172,032 a------- c:\windows\system32\igfxres.dll
2009-03-14 10:44 16,038 a------- c:\windows\system32\results.xml

==================== Find3M ====================

2009-03-20 23:46 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-20 23:46 86,016 a------- c:\windows\inf\infstor.dat
2009-03-20 23:46 51,200 a------- c:\windows\inf\infpub.dat
2009-03-14 17:30 174 a--sh--- c:\program files\desktop.ini
2009-03-14 17:22 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-14 16:59 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-03-14 16:59 82,432 a------- c:\windows\system32\axaltocm.dll
2009-03-14 14:51 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-03-14 14:51 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2009-03-14 14:51 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-03-14 14:51 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2009-03-14 14:51 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-03-14 14:51 52,736 a------- c:\windows\apppatch\iebrshim.dll
2006-11-02 06:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 5:19:13.39 ===============

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 PM

Posted 24 March 2009 - 12:11 PM

Hello.

Hello, I did the Kaspersky scan but there was no report to save.

I believe the scan was clean and no malware infections were found then?

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 graymass

graymass
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:34 PM

Posted 24 March 2009 - 05:45 PM

So my system is clean and all my logs are fine.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:34 PM

Posted 24 March 2009 - 06:44 PM

Hello.

Yes, log looks fine. If the Kaspersky didn't find anything else then you're good to go.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, you will find here a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:

With Regards,
Extremeboy

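The Autorun advice in the post above is given as links and manual steps. As an added illustration (this is not the thread's own content or a BleepingComputer tool), the script below audits the Windows Autorun policy that those links describe and lists the `[autorun]` launch keys found on any currently attached removable drive, so an administrator can see what would execute before deciding to trust a stick. It uses Microsoft's documented `NoDriveTypeAutoRun` policy value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` (0xFF disables Autorun for all drive types); the function names are this script's own, and the script assumes an elevated PowerShell session. It matches the Vista/7 era the thread deals with; the thread's own note still applies, in that some builds ignore the policy when a drive is double-clicked.

```powershell
# Added example: audit and harden the Autorun policy, then inspect autorun.inf on removable drives.
# Assumes an elevated PowerShell session. Registry path and value name are Microsoft's documented
# policy; the Get-/Test-/Set- function names are this script's own (not from the thread).

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$DisableAll = 0xFF   # bit mask covering every drive type; 0xFF = Autorun off everywhere

function Get-AutorunPolicy {
    # Returns the current NoDriveTypeAutoRun mask, or $null when the policy value is absent
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutorunDisabled {
    # True only when all eight drive-type bits are set
    $mask = Get-AutorunPolicy
    return ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)
}

function Set-AutorunDisabled {
    # Creates the Policies\Explorer key if it does not exist, then writes the 0xFF mask
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $DisableAll -Force | Out-Null
}

function Get-RemovableAutorunInf {
    # For each removable drive (DriveType 2) that carries autorun.inf in its root,
    # report the keys that can launch a program: open=, shellexecute=, shell\...\command=
    $launchKey = '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*='
    foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
        $inf = Join-Path $disk.DeviceID 'autorun.inf'
        if (-not (Test-Path $inf)) { continue }
        $hits = Get-Content -Path $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match $launchKey }
        [pscustomobject]@{
            Drive      = $disk.DeviceID
            AutorunInf = $inf
            LaunchKeys = @($hits)   # empty array means no executable directive found
        }
    }
}

# 1. Audit the policy; change it only when it is permissive
if (Test-AutorunDisabled) {
    Write-Output ('Autorun already disabled for all drive types (mask 0x{0:X2}).' -f (Get-AutorunPolicy))
} else {
    Write-Output 'Autorun policy is permissive or unset; applying NoDriveTypeAutoRun = 0xFF.'
    Set-AutorunDisabled
    Write-Output ('NoDriveTypeAutoRun is now 0x{0:X2}.' -f (Get-AutorunPolicy))
}

# 2. Show what any attached removable drive would try to run
foreach ($r in Get-RemovableAutorunInf) {
    Write-Output ('{0} has {1}' -f $r.Drive, $r.AutorunInf)
    if ($r.LaunchKeys.Count -eq 0) {
        Write-Output '  no open=/shellexecute=/shell\...\command= directives'
    } else {
        $r.LaunchKeys | ForEach-Object { Write-Output ('  launch directive: ' + $_.Trim()) }
    }
}
```

The policy change takes effect for Explorer on the next logon, so the script's first section is best run before re-inserting any drive. The second section only reads autorun.inf; an `open=` or `shellexecute=` line pointing at an executable in the drive root is the pattern the quoted article describes, and is a reason to scan the drive before opening it rather than a reason to run the file.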

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:34 PM

Posted 26 March 2009 - 03:35 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help :thumbup2:
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

