

playsushie won't go away!


  • This topic is locked
26 replies to this topic

#1 newgma

newgma

  • Members
  • 98 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 26 May 2010 - 09:09 PM

Having posted incorrectly previously, I sure hope I do it right this time! (I didn't READ FIRST!).

I've tried to remove the program several times with add/remove and with RevoUninstaller, to no avail.

Recently, I read some online posts that it can facilitate the upload of a "back door". Scares me.

I have a PC Presario M200 running on XP SP3.

Your help and skills are appreciated, in advance!

Attached Files




#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:53 AM

Posted 28 May 2010 - 06:57 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
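The steps above produce two text logs, a DDS report and a GMER report, and the first thing a helper does with them is read the "Pseudo HJT Report" (BHO, uRun/mRun and Hosts entries), the Firefox component list and GMER's SSDT section. The Python script below is an added example of that triage; it is not BleepingComputer's, DDS's or GMER's own code. Its sample log lines are constructed to mirror the line formats those tools emit, the SSDT pattern assumes a module name without spaces, and the token list ("playsushi") is only an illustration of searching a log for the program a poster cannot uninstall.

```python
"""Triage helpers for the DDS and GMER log formats used in this thread.

Added example; not BleepingComputer's, DDS's or GMER's own code. The
sample lines are constructed to mirror the formats shown in the thread,
and the token list passed to triage_dds() is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample of DDS "Pseudo HJT Report" / "FIREFOX" lines.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
FF - component: c:\documents and settings\user\application data\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Constructed sample of GMER "System" section lines.
SAMPLE_GMER = r"""
SSDT sppy.sys ZwCreateKey [0xF754F0E0]
SSDT sppy.sys ZwOpenKey [0xF754F0C0]
INT 0x62 ? 85B8CBF8
"""

# Line shapes derived from the logs; the SSDT module is assumed to contain no spaces.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
FF_RE = re.compile(r"^FF - (?P<kind>component|plugin|HiddenExtension): (?P<rest>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
SSDT_RE = re.compile(r"^SSDT (?P<module>\S+) (?P<func>\S+) \[(?P<addr>0x[0-9A-Fa-f]+)\]$")


def triage_dds(text, tokens):
    """Summarise a DDS log the way a helper reads it.

    Returns a dict with:
      orphaned_bhos - CLSIDs registered as BHOs whose DLL is gone ("No File");
                      leftover registrations that are worth cleaning up.
      autoruns      - (hive, name, command) for uRun/mRun entries, i.e. the
                      per-user and machine-wide Run keys.
      firefox       - (kind, path) for Firefox components, plugins and extensions.
      hosts         - (ip, host) overrides; a security site pointed at 127.0.0.1
                      is a classic sign of tampering and is checked first.
      matches       - every line mentioning any of the given tokens, case-insensitive.
    """
    lowered = [t.lower() for t in tokens]
    result = {"orphaned_bhos": [], "autoruns": [], "firefox": [], "hosts": [], "matches": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if any(t in line.lower() for t in lowered):
            result["matches"].append(line)
        if (m := BHO_RE.match(line)):
            if m.group("target") == "No File":
                result["orphaned_bhos"].append(m.group("clsid"))
        elif (m := RUN_RE.match(line)):
            result["autoruns"].append((m.group("hive"), m.group("name"), m.group("cmd")))
        elif (m := FF_RE.match(line)):
            result["firefox"].append((m.group("kind"), m.group("rest")))
        elif (m := HOSTS_RE.match(line)):
            result["hosts"].append((m.group("ip"), m.group("host")))
    return result


def ssdt_hooks_by_module(text):
    """Group GMER SSDT entries by the module that hooks each system call.

    Which module owns the hooks, and how many calls it touches, is the first
    question a helper asks of a GMER log, so the hooks are keyed by module.
    """
    hooks = defaultdict(list)
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[m.group("module")].append(m.group("func"))
    return dict(hooks)


if __name__ == "__main__":
    summary = triage_dds(SAMPLE_DDS, ["playsushi"])
    for key, items in summary.items():
        print(f"{key}: {items}")
    print("SSDT hooks:", ssdt_hooks_by_module(SAMPLE_GMER))
```

Run as-is it summarises the constructed sample; to use it on a real report, read the saved DDS text or the gmer.log the steps above ask you to save and pass its contents as the `text` argument. Lines the patterns do not recognise are ignored rather than guessed at, which is the safer failure mode for a triage script.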

#3 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 29 May 2010 - 08:28 AM

OK, I uploaded them as files previously, but here are the copied-and-pasted texts:


DDS:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Mschmokel at 14:56:03.73 on Wed 05/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.214 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\PdaNet for Android\PdaNetPC.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Documents and Settings\Mschmokel\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\mschmo~1\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {E903940B-9AF9-422A-9D8B-7918D1C714E4} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mschmo~1\applic~1\mozilla\firefox\profiles\nxyff3me.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\mschmokel\application data\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-7-5 9472]
S3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [2010-2-14 251264]

=============== Created Last 30 ================

2010-07-11 18:59:12 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-07-11 18:50:30 0 d-----w- c:\windows\SHELLNEW
2010-07-11 17:45:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Applications
2010-07-05 14:38:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-07-05 14:38:17 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-07-05 14:38:11 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-07-05 14:35:18 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-07-05 14:35:17 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys
2010-07-05 14:35:17 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-07-05 14:35:17 0 d-----w- c:\program files\PdaNet for Android
2010-05-26 14:34:24 0 d-----w- c:\program files\CCleaner
2010-05-25 14:40:52 0 d-----w- c:\docume~1\mschmo~1\applic~1\Uniblue
2010-05-14 14:33:21 0 d-----w- c:\docume~1\mschmo~1\applic~1\OpenDNS Updater
2010-05-14 14:33:18 0 d-----w- c:\program files\OpenDNS Updater
2010-05-03 20:39:09 240944 ----a-w- c:\windows\system32\RICHED.DLL
2010-05-03 20:39:09 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2010-05-03 20:39:08 132880 ----a-w- c:\windows\system32\MSINET.OCX
2010-05-03 14:31:48 0 d-----w- c:\documents and settings\mschmokel\Calibre Library
2010-05-03 14:31:04 0 d-----w- c:\docume~1\mschmo~1\applic~1\calibre
2010-05-03 14:18:06 0 d-----w- c:\program files\Calibre2
2010-04-30 20:14:28 0 d-----w- c:\docume~1\mschmo~1\applic~1\Windows Desktop Search
2010-04-30 19:49:34 0 d-----w- c:\program files\Windows Desktop Search
2010-04-30 19:49:31 0 d-----w- c:\windows\system32\GroupPolicy
2010-04-30 19:45:20 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-04-30 19:45:20 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-04-30 19:45:20 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-02 02:37:32 762736 ----a-w- c:\windows\vVX1000.exe
2010-03-02 02:37:32 227696 ----a-w- c:\windows\vVX1000.dll
2010-03-02 02:37:32 101232 ----a-w- c:\windows\VX1000.dll
2010-03-02 02:37:30 677232 ----a-w- c:\windows\system32\LCCoin32.dll
2010-03-02 02:37:30 175472 ----a-w- c:\windows\system32\cVX1000.dll
2009-12-30 04:11:07 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-30 04:11:07 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122920091230\index.dat

============= FINISH: 14:57:20.15 ===============

GMER (ark.txt):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-26 21:58:13
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MSCHMO~1\LOCALS~1\Temp\pwtyipow.sys


---- System - GMER 1.0.15 ----

SSDT sppy.sys ZwCreateKey [0xF754F0E0]
SSDT sppy.sys ZwEnumerateKey [0xF756DCA2]
SSDT sppy.sys ZwEnumerateValueKey [0xF756E030]
SSDT sppy.sys ZwOpenKey [0xF754F0C0]
SSDT sppy.sys ZwQueryKey [0xF756E108]
SSDT sppy.sys ZwQueryValueKey [0xF756DF88]
SSDT sppy.sys ZwSetValueKey [0xF756E19A]

INT 0x62 ? 85B8CBF8
INT 0x82 ? 85B8CBF8
INT 0x84 ? 859E3BF8
INT 0x94 ? 859E3BF8
INT 0xA4 ? 859E3BF8
INT 0xB4 ? 859E3BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 310 804E297C 2 Bytes [88, DF] {MOV BH, BL}
.text ntoskrnl.exe!_abnormal_termination + 313 804E297F 1 Byte [F7]
.text ntoskrnl.exe!RtlUnwind + 1F5 804F6E00 14 Bytes [8B, 08, 03, FA, 8D, 51, FF, ...]
.text ntoskrnl.exe!RtlUnwind + 204 804F6E0F 7 Bytes [85, DB, 0F, 84, DA, CE, 01]
.text ntoskrnl.exe!RtlUnwind + 20C 804F6E17 33 Bytes [8B, 50, F8, 2B, CA, 01, 4D, ...]
.text ntoskrnl.exe!RtlUnwind + 22E 804F6E39 17 Bytes [85, DB, 0F, 84, 96, CE, 01, ...]
.text ntoskrnl.exe!RtlUnwind + 240 804F6E4B 48 Bytes [00, 8B, 50, FC, 3B, D7, 0F, ...]
.text ...
.text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + 33 804F6ED2 18 Bytes CALL 804E2486 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + 49 804F6EE8 3 Bytes [F1, 6E, 4F] {INT1 ; OUTSB ; DEC EDI}
.text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + 4D 804F6EEC 15 Bytes [90, 90, 90, 90, 90, 8B, 45, ...]
.text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + 5D 804F6EFC 24 Bytes [C3, 33, DB, 8A, 18, 40, F7, ...]
.text ntoskrnl.exe!FsRtlRemoveLargeMcbEntry + 76 804F6F15 16 Bytes [FA, FF, EB, F1, 8A, 00, 8B, ...]
.text ...
.text ntoskrnl.exe!MmDisableModifiedWriteOfSection + E 804F787F 12 Bytes [8B, 4D, 08, 8B, 11, 85, D2, ...]
.text ntoskrnl.exe!MmDisableModifiedWriteOfSection + 1B 804F788C 5 Bytes [0F, 85, 27, 86, 02]
.text ntoskrnl.exe!MmDisableModifiedWriteOfSection + 21 804F7892 11 Bytes [83, 4A, 20, 08, 8A, C8, FF, ...]
.text ntoskrnl.exe!MmDisableModifiedWriteOfSection + 2D 804F789E 6 Bytes [8A, C3, 5B, 5D, C2, 04]
.text ntoskrnl.exe!MmDisableModifiedWriteOfSection + 34 804F78A5 15 Bytes [32, DB, EB, ED, 90, 90, 90, ...]
.text ...
.text ntoskrnl.exe!KeInitializeMutant + 12 804F79E3 20 Bytes [C6, 46, 02, 08, 74, 63, 83, ...]
.text ntoskrnl.exe!KeInitializeMutant + 27 804F79F8 3 Bytes [C6, 46, 1C]
.text ntoskrnl.exe!KeInitializeMutant + 2B 804F79FC 3 Bytes [C6, 46, 1D]
.text ntoskrnl.exe!KeInitializeMutant + 2F 804F7A00 15 Bytes [5E, 5D, C2, 08, 00, 90, 90, ...]
.text ntoskrnl.exe!KeInitializeMutant + 3F 804F7A10 3 Bytes [2F, 8F, 60]
.text ...
.text ntoskrnl.exe!ZwQueryDebugFilterState + 13 804F7E70 71 Bytes [73, 2F, 8B, 14, 85, 78, D0, ...]
.text ntoskrnl.exe!ZwQueryDebugFilterState + 5B 804F7EB8 3 Bytes [04, 83, 60] {ADD AL, 0x83; PUSHA }
.text ntoskrnl.exe!ZwQueryDebugFilterState + 5F 804F7EBC 11 Bytes [90, 90, 90, 90, FF, FF, FF, ...]
.text ntoskrnl.exe!ZwQueryDebugFilterState + 6B 804F7EC8 3 Bytes [29, F6, 5F] {SUB ESI, ESI; POP EDI}
.text ntoskrnl.exe!ZwQueryDebugFilterState + 6F 804F7ECC 11 Bytes [90, 90, 90, 90, FF, FF, FF, ...]
.text ...
.text ntoskrnl.exe!MmSizeOfMdl + 10 804F7F4E 5 Bytes [8D, 84, 08, FF, 0F]
.text ntoskrnl.exe!MmSizeOfMdl + 16 804F7F54 9 Bytes CALL 05540C65
.text ntoskrnl.exe!MmSizeOfMdl + 20 804F7F5E 23 Bytes [00, 5D, C2, 08, 00, 8B, 4D, ...]
.text ntoskrnl.exe!MmSizeOfMdl + 38 804F7F76 1 Byte [00]
.text ntoskrnl.exe!MmSizeOfMdl + 38 804F7F76 5 Bytes [00, 00, 64, FF, 57]
.text ...
.text ntoskrnl.exe!FsRtlAllocateFileLock + A 804F82B4 55 Bytes CALL 804E9F72 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlAllocateFileLock + 42 804F82EC 7 Bytes [56, 57, FF, 15, 94, 76, 4D]
.text ntoskrnl.exe!FsRtlAllocateFileLock + 4A 804F82F4 45 Bytes [88, 45, FF, 8D, 7B, 10, 83, ...]
.text ntoskrnl.exe!FsRtlAllocateFileLock + 78 804F8322 12 Bytes CALL 804F82D5 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlAllocateFileLock + 85 804F832F 32 Bytes JMP 804ED1AF \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlFreeFileLock + 15 804F8350 41 Bytes CALL 804E9F34 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlFreeFileLock + 3F 804F837A 5 Bytes [8B, 46, 18, 3D, 00]
.text ntoskrnl.exe!FsRtlFreeFileLock + 45 804F8380 1 Byte [10]
.text ntoskrnl.exe!FsRtlFreeFileLock + 45 804F8380 87 Bytes [10, 00, 76, 20, C1, E8, 12, ...]
.text ntoskrnl.exe!KeSetPriorityThread + 2A 804F83D8 29 Bytes [00, 8B, 40, 10, 8A, 40, 63, ...]
.text ntoskrnl.exe!KeSetPriorityThread + 48 804F83F6 29 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ntoskrnl.exe!KeSetPriorityThread + 66 804F8414 19 Bytes [85, F6, 74, 46, 53, 8A, C8, ...]
.text ntoskrnl.exe!KeSetPriorityThread + 7A 804F8428 5 Bytes [50, FF, B6, 68, 01]
.text ntoskrnl.exe!KeSetPriorityThread + 80 804F842E 9 Bytes CALL 804EA110 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!KeTerminateThread + F 804F84E8 17 Bytes [00, 8B, F0, 8B, 7E, 44, 8D, ...]
.text ntoskrnl.exe!KeTerminateThread + 21 804F84FA 9 Bytes [A1, A0, 13, 56, 80, 89, 86, ...]
.text ntoskrnl.exe!KeTerminateThread + 2B 804F8504 7 Bytes [00, 80, 3D, A4, 13, 56, 80]
.text ntoskrnl.exe!KeTerminateThread + 33 804F850C 5 Bytes [89, 35, A0, 13, 56]
.text ntoskrnl.exe!KeTerminateThread + 39 804F8512 3 Bytes [75, 18, 6A]
.text ...
.text ntoskrnl.exe!KeInitializeTimerEx + 31 804F87EE 11 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ntoskrnl.exe!KeInitializeTimer + 7 804F87FA 11 Bytes CALL 804F87BA \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeInitializeTimer + 13 804F8806 12 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ntoskrnl.exe!KeInitializeTimer + 21 804F8814 13 Bytes [8B, 70, 44, FF, 15, 94, 76, ...]
.text ntoskrnl.exe!KeInitializeTimer + 30 804F8823 2 Bytes [80, 3A]
.text ntoskrnl.exe!KeInitializeTimer + 33 804F8826 5 Bytes [0F, 84, 06, 42, 00]
.text ...
.text ntoskrnl.exe!RtlAppendUnicodeToString + 71 804F8A72 79 Bytes JMP 804F3B28 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!RtlAppendUnicodeToString + C1 804F8AC2 9 Bytes [FF, FF, 63, A3, 5F, 80, 54, ...]
.text ntoskrnl.exe!RtlAppendUnicodeToString + CB 804F8ACC 8 Bytes [90, 90, 90, 90, 90, 8B, FF, ...] {NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP}
.text ntoskrnl.exe!RtlAppendUnicodeToString + D4 804F8AD5 20 Bytes [EC, FF, 75, 10, FF, 75, 0C, ...]
.text ntoskrnl.exe!RtlAppendUnicodeToString + EA 804F8AEB 5 Bytes [0F, 85, 45, 38, 02]
.text ...
.text ntoskrnl.exe!RtlImageNtHeader + 31 804F8E86 19 Bytes [8D, 90, F8, 00, 00, 00, 3B, ...]
.text ntoskrnl.exe!RtlImageNtHeader + 45 804F8E9A 7 Bytes [0F, 85, B3, F2, 00, 00, 5D] {JNZ 0xf2b9; POP EBP}
.text ntoskrnl.exe!RtlImageNtHeader + 4F 804F8EA4 2 Bytes [33, D2] {XOR EDX, EDX}
.text ntoskrnl.exe!RtlImageNtHeader + 52 804F8EA7 29 Bytes CALL 804E471E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!RtlImageNtHeader + 70 804F8EC5 8 Bytes [D8, 85, DB, 0F, 84, 3E, 7B, ...] {FADD DWORD [EBP+0x3e840fdb]; JNP 0xa}
.text ...
.text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 19 804F900B 38 Bytes [FF, FF, 90, 5F, 80, 08, 91, ...]
.text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 40 804F9032 9 Bytes [45, 1C, 33, F6, 46, 3B, C6, ...]
.text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 4A 804F903C 5 Bytes [7A, 00, 00, 83, F8]
.text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 50 804F9042 8 Bytes [74, 14, 3B, C3, 0F, 84, 42, ...]
.text ntoskrnl.exe!PsGetProcessSectionBaseAddress + 59 804F904B 13 Bytes [FF, 8D, 88, CC, 00, 00, 00, ...] {DEC DWORD [EBP+0xcc88]; ADD BH, BH; ADC EAX, 0x804d768c}
.text ...
.text ntoskrnl.exe!IoPageRead + 64 804F9658 31 Bytes [1F, EE, FE, FF, FF, 75, F8, ...]
.text ntoskrnl.exe!IoPageRead + 84 804F9678 2 Bytes [F0, 73]
.text ntoskrnl.exe!IoPageRead + 87 804F967B 107 Bytes [8B, 45, 14, 83, F8, 01, 0F, ...]
.text ntoskrnl.exe!IoPageRead + F3 804F96E7 7 Bytes [45, 08, FF, 05, 98, FB, 55]
.text ntoskrnl.exe!IoPageRead + FB 804F96EF 151 Bytes CALL 14549800
.text ...
.text ntoskrnl.exe!mbtowc + 22 804FA2B3 31 Bytes CALL 80578928 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!mbtowc + 42 804FA2D3 76 Bytes [80, 00, 00, 85, DE, 0F, 85, ...]
.text ntoskrnl.exe!mbtowc + 8F 804FA320 11 Bytes [0F, 8D, 75, FE, FF, FF, C7, ...]
.text ntoskrnl.exe!mbtowc + 9B 804FA32C 1 Byte [01]
.text ntoskrnl.exe!mbtowc + 9E 804FA32F 9 Bytes [00, 8B, C3, 0B, C7, 0F, 84, ...]
.text ...
.text ntoskrnl.exe!wcschr + A 804FA918 71 Bytes [55, 0C, EB, 00, 66, 8B, 08, ...]
.text ntoskrnl.exe!PsGetProcessSessionId + 25 804FA960 23 Bytes [FF, FF, FF, FF, BE, 66, 5F, ...]
.text ntoskrnl.exe!PsGetProcessSessionId + 3D 804FA978 137 Bytes [FF, FF, FF, FF, 1C, 67, 5F, ...]
.text ntoskrnl.exe!RtlImageDirectoryEntryToData + 5D 804FAA02 67 Bytes [00, 8B, 44, D1, 78, 85, C0, ...]
.text ntoskrnl.exe!RtlImageDirectoryEntryToData + A1 804FAA46 42 Bytes [90, 90, FF, FF, FF, FF, 78, ...]
.text ntoskrnl.exe!RtlImageDirectoryEntryToData + CC 804FAA71 6 Bytes [00, 00, 00, 02, 6D, 5F] {ADD [EAX], AL; ADD [EDX], AL; INSD ; POP EDI}
.text ntoskrnl.exe!RtlImageDirectoryEntryToData + D3 804FAA78 23 Bytes [03, 00, 00, 00, C1, 6C, 5F, ...]
.text ntoskrnl.exe!RtlImageDirectoryEntryToData + EB 804FAA90 3 Bytes [05, 00, 00]
.text ...
.text ntoskrnl.exe!MmCreateMdl + 1A 804FAC74 192 Bytes [00, 66, 83, 60, 06, 00, 8B, ...]
.text ntoskrnl.exe!MmCreateMdl + DB 804FAD35 36 Bytes [55, 80, 41, 66, 89, 08, FF, ...]
.text ntoskrnl.exe!MmCreateMdl + 100 804FAD5A 98 Bytes [F8, 8D, 04, 7F, 8D, 34, C1, ...]
.text ntoskrnl.exe!MmCreateMdl + 163 804FADBD 72 Bytes [EC, 53, FF, 15, 94, 76, 4D, ...]
.text ntoskrnl.exe!MmCreateMdl + 1AC 804FAE06 81 Bytes [00, 00, 8B, 75, 08, 68, 52, ...]
.text ...
.text ntoskrnl.exe!PsGetProcessId + 6 804FB165 31 Bytes [45, 08, 8B, 80, 84, 00, 00, ...]
.text ntoskrnl.exe!PsGetProcessId + 26 804FB185 86 Bytes [72, 70, 20, 0F, B7, 4D, E0, ...]
.text ntoskrnl.exe!PsGetProcessId + 7D 804FB1DC 39 Bytes [A1, EC, 17, 55, 80, E9, 0C, ...]
.text ntoskrnl.exe!PsGetProcessId + A5 804FB204 19 Bytes [00, 60, 75, 0D, 6A, 01, 56, ...]
.text ntoskrnl.exe!PsGetProcessId + B9 804FB218 10 Bytes [01, 00, 00, 3B, 46, 04, 0F, ...]
.text ...
.text ntoskrnl.exe!ExConvertExclusiveToSharedLite + B 804FB5FE 118 Bytes [48, 2C, 80, 60, 0E, 7F, 33, ...]
.text ntoskrnl.exe!ExLocalTimeToSystemTime + 6 804FB675 9 Bytes [45, 08, 8B, 08, 03, 0D, 60, ...]
.text ntoskrnl.exe!ExLocalTimeToSystemTime + 10 804FB67F 97 Bytes [8B, 50, 04, 13, 15, 64, 25, ...]
.text ntoskrnl.exe!ExLocalTimeToSystemTime + 72 804FB6E1 17 Bytes [00, 00, 85, FF, 75, 7C, 8D, ...]
.text ntoskrnl.exe!ExLocalTimeToSystemTime + 84 804FB6F3 19 Bytes [00, 00, B9, 80, F2, 55, 80, ...]
.text ntoskrnl.exe!ExLocalTimeToSystemTime + 9A 804FB709 16 Bytes [C1, E1, 06, 81, C1, 80, B2, ...]
.text ...
.text ntoskrnl.exe!MmMapLockedPages + 2C 804FCA88 55 Bytes [71, AA, 5F, 80, 66, C7, 46, ...]
.text ntoskrnl.exe!MmMapLockedPages + 64 804FCAC0 119 Bytes [8B, 06, A8, 01, 0F, 84, 8E, ...]
.text ntoskrnl.exe!wcsstr + 35 804FCB38 19 Bytes [0F, B7, 1C, 08, 0F, B7, D2, ...]
.text ntoskrnl.exe!wcsstr + 49 804FCB4C 55 Bytes [00, 47, 47, 66, 8B, 17, 40, ...]
.text ntoskrnl.exe!wcsstr + 81 804FCB84 33 Bytes [90, 90, 90, 90, FF, FF, FF, ...]
.text ntoskrnl.exe!wcsstr + A3 804FCBA6 25 Bytes JMP 804F7641 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!wcsstr + BD 804FCBC0 8 Bytes [F6, C3, 20, 0F, 85, 9C, 73, ...]
.text ...
.text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 12 804FD841 18 Bytes [90, 90, 90, 90, 90, 90, 90, ...]
.text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 25 804FD854 7 Bytes [FF, FF, FF, FF, 04, FD, 5A]
.text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 2D 804FD85C 1 Byte [1C]
.text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 2D 804FD85C 11 Bytes [1C, FD, 5A, 80, FF, FF, FF, ...]
.text ntoskrnl.exe!PsGetProcessInheritedFromUniqueProcessId + 39 804FD868 3 Bytes [04, FF, 5A] {ADD AL, 0xff; POP EDX}
.text ...
.text ntoskrnl.exe!RtlEnumerateGenericTableWithoutSplayingAvl + 18 804FD9C5 54 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 32 804FD9FC 15 Bytes [8B, 4D, 08, 8B, 71, 04, 85, ...]
.text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 43 804FDA0D 6 Bytes [75, 0F, 8D, 41, 08, 39]
.text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 4A 804FDA14 20 Bytes [74, 08, 8B, 55, 0C, E8, 5D, ...]
.text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 5F 804FDA29 12 Bytes CALL 804DB77A \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!RtlEnumerateGenericTableAvl + 6C 804FDA36 1 Byte [0C]
.text ...
.text ntoskrnl.exe!FsRtlProcessFileLock + 21 804FE057 6 Bytes [48, 0F, 84, 7E, D2, 01]
.text ntoskrnl.exe!FsRtlProcessFileLock + 28 804FE05E 58 Bytes [48, 0F, 85, 33, D2, 01, 00, ...]
.text ntoskrnl.exe!FsRtlProcessFileLock + 63 804FE099 40 Bytes [F6, 41, 2D, 08, 75, 0A, 8B, ...]
.text ntoskrnl.exe!FsRtlProcessFileLock + 8C 804FE0C2 28 Bytes [00, 00, 8B, 10, 89, 11, 89, ...]
.text ntoskrnl.exe!RtlSecondsSince1970ToTime + B 804FE0DF 54 Bytes [8B, 45, 08, 33, C9, 03, C2, ...]
.text ntoskrnl.exe!RtlSecondsSince1970ToTime + 42 804FE116 68 Bytes [66, F7, 45, F8, FF, 0F, 0F, ...]
.text ntoskrnl.exe!RtlSecondsSince1970ToTime + 87 804FE15B 66 Bytes [8B, 55, F8, B9, 58, F9, 55, ...]
.text ntoskrnl.exe!MmForceSectionClosed + E 804FE19E 28 Bytes [8D, 45, 0F, 50, 8D, 45, FC, ...]
.text ntoskrnl.exe!MmForceSectionClosed + 2C 804FE1BC 24 Bytes [5E, 5B, C9, C2, 08, 00, 39, ...]
.text ntoskrnl.exe!MmForceSectionClosed + 45 804FE1D5 33 Bytes [EB, 9E, 80, 4E, 22, 04, EB, ...]
.text ntoskrnl.exe!MmForceSectionClosed + 67 804FE1F7 5 Bytes [8B, 35, C8, 17, 55]
.text ntoskrnl.exe!MmForceSectionClosed + 6D 804FE1FD 12 Bytes [0F, 84, DA, 08, 02, 00, 49, ...]
.text ...
.text ntoskrnl.exe!wcsncmp + F 804FE9EF 56 Bytes [8B, 4D, 08, 8B, 55, 0C, FF, ...]
.text ntoskrnl.exe!wcsncmp + 48 804FEA28 53 Bytes [89, 55, FC, 0F, 85, 87, 99, ...]
.text ntoskrnl.exe!wcsncmp + 7E 804FEA5E 132 Bytes [4D, FC, 0F, C1, 01, C9, C3, ...]
.text ntoskrnl.exe!wcsncmp + 103 804FEAE3 63 Bytes [0E, 8B, 59, 20, 89, 55, F8, ...]
.text ntoskrnl.exe!wcsncmp + 143 804FEB23 113 Bytes [EB, D1, 83, E0, 1E, C1, E0, ...]
.text ...
.text ntoskrnl.exe!_vsnprintf + D 804FEF20 79 Bytes [75, 08, 57, FF, 75, 14, 89, ...]
.text ntoskrnl.exe!_vsnprintf + 5D 804FEF70 22 Bytes [45, 08, 8B, 4D, 0C, 8B, 55, ...]
.text ntoskrnl.exe!_vsnprintf + 74 804FEF87 68 Bytes [45, FC, 5F, 5B, C9, C2, 14, ...]
.text ntoskrnl.exe!vDbgPrintExWithPrefix + 38 804FEFCC 54 Bytes [89, 5D, FC, 8B, C7, 8D, 48, ...]
.text ntoskrnl.exe!vDbgPrintExWithPrefix + 6F 804FF003 55 Bytes [02, 00, 00, 2B, C6, 50, 8D, ...]
.text ntoskrnl.exe!vDbgPrintExWithPrefix + A8 804FF03C 71 Bytes [89, 85, D0, FD, FF, FF, 66, ...]
.text ntoskrnl.exe!vDbgPrintExWithPrefix + F0 804FF084 18 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ntoskrnl.exe!DbgPrint + E 804FF097 61 Bytes [6A, FF, 68, A6, F0, 4F, 80, ...]
.text ntoskrnl.exe!DbgPrint + 4C 804FF0D5 190 Bytes [FF, 04, 8B, 85, EC, FD, FF, ...]
.text ntoskrnl.exe!DbgPrint + 10B 804FF194 37 Bytes [85, D4, FD, FF, FF, 8A, 18, ...]
.text ntoskrnl.exe!DbgPrint + 131 804FF1BA 28 Bytes [00, C7, 85, B4, FD, FF, FF, ...]
.text ntoskrnl.exe!DbgPrint + 14E 804FF1D7 28 Bytes [8D, 85, F4, FD, FF, FF, 89, ...]
.text ...
.text ntoskrnl.exe!CcScheduleReadAhead + 2 804FF486 27 Bytes [55, 8B, EC, 83, EC, 24, 8B, ...]
.text ntoskrnl.exe!CcScheduleReadAhead + 20 804FF4A4 18 Bytes [85, C9, 0F, 84, D6, 00, 00, ...] {TEST ECX, ECX; JZ 0xde; TEST BYTE [ECX+0x6c], 0x1; JNZ 0xde}
.text ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache + B2 80509B9B 1 Byte [15]
.text ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache + B2 80509B9B 11 Bytes [15, 00, 8B, D0, 85, D2, 0F, ...]
.text ...
.text ntoskrnl.exe!IoGetLowerDeviceObject + 8 80509C8B 34 Bytes [15, 94, 76, 4D, 80, 8A, D8, ...]
.text ntoskrnl.exe!IoGetLowerDeviceObject + 2B 80509CAE 7 Bytes [8A, CB, FF, 15, 9C, 76, 4D]
.text ntoskrnl.exe!IoGetLowerDeviceObject + 33 80509CB6 10 Bytes [8B, C6, 5E, 5B, 5D, C2, 04, ...]
.text ntoskrnl.exe!IoGetLowerDeviceObject + 3E 80509CC1 3 Bytes JMP 80504DD7 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!IoGetLowerDeviceObject + 42 80509CC5 88 Bytes [FF, FF, 47, 10, 8B, 45, 10, ...]
.text ...
.text ntoskrnl.exe!IoCsqInsertIrp + 2B 80509DD4 36 Bytes [0C, 50, 56, FF, 56, 10, 57, ...]
.text ntoskrnl.exe!IoCsqInsertIrp + 50 80509DF9 40 Bytes [FF, 75, 0C, 56, FF, 56, 14, ...]
.text ntoskrnl.exe!IoCsqInsertIrp + 79 80509E22 19 Bytes [56, 08, 8B, 47, 4C, 83, 38, ...]
.text ntoskrnl.exe!IoCsqInsertIrp + 8D 80509E36 3 Bytes JMP 804E4D27 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!IoCsqInsertIrp + 91 80509E3A 72 Bytes CALL 805B44A0 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!ExIsProcessorFeaturePresent + 28 80509E84 11 Bytes [81, 7D, 08, 9C, 00, 00, C0, ...]
.text ntoskrnl.exe!ExIsProcessorFeaturePresent + 34 80509E90 64 Bytes JMP 805000A9 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!ExIsProcessorFeaturePresent + 75 80509ED1 18 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ntoskrnl.exe!ExIsProcessorFeaturePresent + 88 80509EE4 94 Bytes [56, 8B, 75, 0C, 8B, 06, C1, ...]
.text ntoskrnl.exe!ExIsProcessorFeaturePresent + E7 80509F43 3 Bytes [94, 00, 00] {XCHG ESP, EAX; ADD [EAX], AL}
.text ...
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + B 8050A2D8 10 Bytes [00, 0F, 84, 5A, 19, 01, 00, ...]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 17 8050A2E4 19 Bytes [83, 3D, 84, 31, 55, 80, 02, ...]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 2B 8050A2F8 43 Bytes [00, 00, A3, 88, 31, 55, 80, ...]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 57 8050A324 4 Bytes [00, 25, 00, F0]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 5D 8050A32A 45 Bytes [8D, 51, 01, 3B, D0, 89, 45, ...]
.text ...
.text ntoskrnl.exe!KeSetImportanceDpc + 25 8050AF0F 18 Bytes [04, 75, 18, 8B, 45, 10, 39, ...]
.text ntoskrnl.exe!KeSetImportanceDpc + 38 8050AF22 13 Bytes [84, C0, 0F, 84, 2B, 0A, 00, ...]
.text ntoskrnl.exe!KeSetImportanceDpc + 46 8050AF30 40 Bytes [5F, 8B, C6, 5E, 5D, C2, 0C, ...]
.text ntoskrnl.exe!IoAllocateDriverObjectExtension + 1C 8050AF59 8 Bytes [C6, 45, FF, 00, E8, 62, 07, ...]
.text ntoskrnl.exe!IoAllocateDriverObjectExtension + 25 8050AF62 98 Bytes [8B, F0, 85, F6, 0F, 84, 6D, ...]
.text ntoskrnl.exe!IoAllocateDriverObjectExtension + 88 8050AFC5 166 Bytes [14, 83, C6, 08, 89, 30, 33, ...]
.text ntoskrnl.exe!ExRegisterCallback + 94 8050B06C 54 Bytes [04, D5, 5E, 80, 0D, D5, 5E, ...]
.text ntoskrnl.exe!KeInitializeInterrupt 8050B0A6 74 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
.text ntoskrnl.exe!KeInitializeInterrupt + 4C 8050B0F2 70 Bytes [24, 89, 46, 30, 8A, 45, 28, ...]
.text ntoskrnl.exe!KeInitializeInterrupt + 93 8050B139 46 Bytes [90, 90, 90, 90, 90, FF, 25, ...]
.text ntoskrnl.exe!KeInitializeInterrupt + C2 8050B168 7 Bytes [5D, FC, 0F, 84, E9, 0E, 00]
.text ntoskrnl.exe!KeInitializeInterrupt + CA 8050B170 4 Bytes [83, 7D, 0C, 01] {CMP DWORD [EBP+0xc], 0x1}
.text ...
.text ntoskrnl.exe!KeConnectInterrupt + 19 8050B2D1 53 Bytes [7E, 24, 88, 5D, FF, 88, 45, ...]
.text ntoskrnl.exe!KeConnectInterrupt + 4F 8050B307 21 Bytes [0B, 75, 3F, 8D, 45, DC, 50, ...]
.text ntoskrnl.exe!KeConnectInterrupt + 65 8050B31D 55 Bytes [00, 8D, 46, 04, 6A, 01, C6, ...]
.text ntoskrnl.exe!KeConnectInterrupt + 9E 8050B356 30 Bytes [84, DB, 74, 0A, 80, 7D, FF, ...]
.text ntoskrnl.exe!KeConnectInterrupt + BD 8050B375 41 Bytes JMP 80524156 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!InbvEnableBootDriver + 20 8050B39F 5 Bytes [83, 3D, 84, 31, 55]
.text ntoskrnl.exe!InbvEnableBootDriver + 27 8050B3A6 113 Bytes CALL 80509937 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!InbvEnableBootDriver + 99 8050B418 29 Bytes [8E, B4, E6, FE, FF, 8A, 08, ...]
.text ntoskrnl.exe!InbvEnableBootDriver + B7 8050B436 115 Bytes JMP FF40FFFE
.text ntoskrnl.exe!InbvEnableBootDriver + 12B 8050B4AA 48 Bytes [7F, 04, 89, 0F, 8A, D0, 89, ...]
.text ntoskrnl.exe!HalExamineMBR + 16 8050B4DB 155 Bytes [3B, D0, 57, 89, 4D, FC, 8B, ...]
.text ntoskrnl.exe!HalExamineMBR + B2 8050B577 42 Bytes [00, 55, AA, 75, 12, 8A, 86, ...]
.text ntoskrnl.exe!InbvEnableDisplayString + 1 8050B5A2 7 Bytes [FF, 55, 8B, EC, 8A, 4D, 08] {CALL [EBP-0x75]; IN AL, DX ; MOV CL, [EBP+0x8]}
.text ntoskrnl.exe!InbvEnableDisplayString + 9 8050B5AA 3 Bytes [81, 31, 55]
.text ntoskrnl.exe!InbvEnableDisplayString + D 8050B5AE 38 Bytes [88, 0D, 81, 31, 55, 80, 5D, ...]
.text ntoskrnl.exe!InbvEnableDisplayString + 36 8050B5D7 32 Bytes [90, 90, 8B, FF, 55, 8B, EC, ...]
.text ntoskrnl.exe!InbvEnableDisplayString + 57 8050B5F8 28 Bytes [55, 80, A3, D8, 85, 55, 80, ...]
.text ntoskrnl.exe!IoGetDeviceAttachmentBaseRef + E 8050B616 23 Bytes CALL 8050C9DA \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!IoGetDeviceAttachmentBaseRef + 26 8050B62E 30 Bytes [4D, 80, 8B, C6, 5E, 5B, 5D, ...]
.text ntoskrnl.exe!IoAttachDeviceToDeviceStackSafe + 2 8050B64D 80 Bytes [55, 8B, EC, FF, 75, 10, FF, ...]
.text ntoskrnl.exe!IoAttachDeviceToDeviceStackSafe + 53 8050B69E 37 Bytes [57, 8D, 45, F0, 50, 57, 57, ...]
.text ntoskrnl.exe!IoAttachDeviceToDeviceStackSafe + 79 8050B6C4 108 Bytes JMP 805063A7 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeSetTargetProcessorDpc + 53 8050B731 161 Bytes [8B, 48, 04, 8A, 96, 44, 95, ...]
.text ntoskrnl.exe!HeadlessDispatch + 4C 8050B7D4 42 Bytes [33, C0, 5F, 5D, C2, 14, 00, ...]
.text ntoskrnl.exe!InbvDisplayString + 1F 8050B7FF 79 Bytes [00, 38, 1D, 81, 31, 55, 80, ...]
.text ntoskrnl.exe!InbvDisplayString + 70 8050B850 34 Bytes [FF, 0D, 75, 37, EB, 20, 8B, ...]
.text ntoskrnl.exe!InbvDisplayString + 93 8050B873 11 Bytes [09, 7F, D9, 8B, 7A, 04, 89, ...] {OR [EDI-0x27], EDI; MOV EDI, [EDX+0x4]; MOV [EDI], EAX; MOV [EAX+0x4], EDI}
.text ntoskrnl.exe!InbvDisplayString + 9F 8050B87F 57 Bytes [7E, 04, 89, 32, 89, 7A, 04, ...]
.text ntoskrnl.exe!InbvDisplayString + DA 8050B8BA 77 Bytes [FF, FF, 6B, 83, 60, 80, 7E, ...]
.text ...
.text ntoskrnl.exe!RtlCopyString + 64 8050B9DB 127 Bytes [FF, 01, 0F, 85, 22, B1, 01, ...]
.text ntoskrnl.exe!RtlCopyString + E4 8050BA5B 4 Bytes [84, D3, E3, FE] {TEST BL, DL; JECXZ 0x2}
.text ntoskrnl.exe!RtlCopyString + E9 8050BA60 37 Bytes [8B, 85, F0, FB, FF, FF, 0F, ...]
.text ntoskrnl.exe!RtlCopyString + 10F 8050BA86 38 Bytes [55, 8B, EC, 66, 9C, FA, 0F, ...]
.text ntoskrnl.exe!RtlCopyString + 136 8050BAAD 49 Bytes CALL 8050BABC \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!IoAttachDeviceToDeviceStack + E 8050BB70 2 Bytes CALL 8050AE3F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 12 8050BB74 2 Bytes [5D, C2]
.text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 15 8050BB77 7 Bytes [00, 90, 90, 90, 90, 90, 8B]
.text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 1D 8050BB7F 14 Bytes [55, 8B, EC, 80, 3D, 52, 35, ...] {PUSH EBP; MOV EBP, ESP; CMP BYTE [0x80553552], 0x0; PUSH ESI; PUSH EDI; MOV ESI, EDX}
.text ntoskrnl.exe!IoAttachDeviceToDeviceStack + 2C 8050BB8E 57 Bytes [F9, 0F, 85, 27, 10, 01, 00, ...]
.text ...
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + 10 8050BD06 60 Bytes [BF, 68, A2, 55, 80, 8B, CF, ...]
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + 4D 8050BD43 35 Bytes [89, 08, C7, 40, 04, 70, A2, ...]
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + 71 8050BD67 13 Bytes [5F, 8A, C3, 5B, C9, C2, 10, ...] {POP EDI; MOV AL, BL; POP EBX; LEAVE ; RET 0x10; NOP ; NOP ; NOP ; NOP ; NOP }
.text ntoskrnl.exe!MmIsDriverVerifying + 1 8050BD75 120 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text ntoskrnl.exe!MmIsDriverVerifying + 7A 8050BDEE 24 Bytes [0F, 85, 07, 26, 01, 00, 83, ...]
.text ntoskrnl.exe!ExVerifySuite + 6 8050BE07 1 Byte [4D]
.text ntoskrnl.exe!ExVerifySuite + 6 8050BE07 66 Bytes [4D, 08, 83, F9, 0B, 7F, 20, ...]
.text ntoskrnl.exe!IoSetCompletionRoutineEx + 1 8050BE4A 111 Bytes [FF, 55, 8B, EC, 53, 68, 49, ...]
.text ntoskrnl.exe!IoSetCompletionRoutineEx + 71 8050BEBA 2 Bytes [A0, 92]
.text ntoskrnl.exe!IoSetCompletionRoutineEx + 75 8050BEBE 45 Bytes [8B, B8, 88, 00, 00, 00, E9, ...]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 14 8050BEEC 16 Bytes [8B, CB, 88, 45, FE, E8, FE, ...]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 25 8050BEFD 14 Bytes [C6, 45, FF, 00, 75, 44, 8B, ...]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 34 8050BF0C 14 Bytes [56, 8B, 75, 14, 03, CA, 57, ...] {PUSH ESI; MOV ESI, [EBP+0x14]; ADD ECX, EDX; PUSH EDI; MOV EDI, [EBP+0x18]; ADD ECX, ESI; ADD ECX, EDI}
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 43 8050BF1B 1 Byte [70]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 43 8050BF1B 21 Bytes [70, 10, 89, 78, 14, 89, 50, ...]
.text ...
.text ntoskrnl.exe!IoCsqInitialize + 19 8050BFB8 10 Bytes [4D, 14, 89, 48, 0C, 8B, 4D, ...]
.text ntoskrnl.exe!IoCsqInitialize + 24 8050BFC3 57 Bytes [8B, 4D, 1C, 89, 48, 14, 8B, ...]
.text ntoskrnl.exe!IoCsqInitialize + 5E 8050BFFD 79 Bytes [41, 30, 3B, 46, 30, 0F, 85, ...]
.text ntoskrnl.exe!IoCsqInitialize + AE 8050C04D 4 Bytes [FF, C7, 06, 02]
.text ntoskrnl.exe!IoCsqInitialize + B3 8050C052 6 Bytes [00, 00, E9, 53, F2, FF]
.text ...
.text ntoskrnl.exe!KeDisconnectInterrupt + 47 8050C0B4 6 Bytes [FF, 75, FC, FF, 76, 24] {PUSH DWORD [EBP-0x4]; PUSH DWORD [ESI+0x24]}
.text ntoskrnl.exe!KeDisconnectInterrupt + 4E 8050C0BB 50 Bytes [15, 18, 76, 4D, 80, 6A, 00, ...]
.text ntoskrnl.exe!KeDisconnectInterrupt + 81 8050C0EE 14 Bytes [F9, FF, 15, 94, 76, 4D, 80, ...] {STC ; CALL [0x804d7694]; MOV EDX, [EDI+0x4]; MOV EBX, EDX; CMP EBX, EDI}
.text ntoskrnl.exe!KeDisconnectInterrupt + 90 8050C0FD 17 Bytes [84, 9F, 38, 00, 00, 89, 3E, ...] {TEST [EDI-0x76ffffc8], BL; MOV DS:[ESI+0x4], EDX; MOV [EDX], ESI; MOV CL, AL; MOV [EDI+0x4], ESI}
.text ntoskrnl.exe!KeDisconnectInterrupt + A2 8050C10F 77 Bytes [15, 9C, 76, 4D, 80, 5F, 5E, ...]
.text ...
.text ntoskrnl.exe!Ke386SetIoAccessMap + 29 8050C241 1 Byte [69]
.text ntoskrnl.exe!Ke386SetIoAccessMap + 29 8050C241 22 Bytes [69, FF, 24, 20, 00, 00, 8B, ...]
.text ntoskrnl.exe!Ke386SetIoAccessMap + 40 8050C258 35 Bytes [00, F3, A5, 8B, 42, 04, 8B, ...]
.text ntoskrnl.exe!Ke386SetIoAccessMap + 64 8050C27C 54 Bytes [5B, 5F, 5D, C2, 08, 00, 32, ...]
.text ntoskrnl.exe!Ke386QueryIoAccessMap + 28 8050C2B3 22 Bytes [69, F6, 24, 20, 00, 00, 8B, ...]
.text ntoskrnl.exe!Ke386QueryIoAccessMap + 40 8050C2CB 24 Bytes [F3, A5, 8A, CA, FF, 15, 9C, ...]
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 2 8050C2E4 15 Bytes [55, 8B, EC, 56, 8B, 75, 0C, ...]
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 12 8050C2F4 58 Bytes [85, F6, 0F, 84, A5, 0A, 01, ...]
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 4D 8050C32F 21 Bytes [B0, 01, 5E, 5D, C2, 08, 00, ...]
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 64 8050C346 33 Bytes [80, FA, 01, 0F, 85, 88, 3E, ...]
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 87 8050C369 10 Bytes CALL 804E39A4 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!_snprintf + 56 8050CA90 25 Bytes [00, 48, 0F, 85, A9, 8E, FF, ...]
.text ntoskrnl.exe!_snprintf + 70 8050CAAA 9 Bytes [85, D2, 0F, 8F, C6, A1, FF, ...]
.text ntoskrnl.exe!_snprintf + 7A 8050CAB4 2 Bytes [13, 29] {ADC EBP, [ECX]}
.text ntoskrnl.exe!_snprintf + 7D 8050CAB7 20 Bytes [FF, 85, C0, 0F, 83, B8, A1, ...]
.text ntoskrnl.exe!_snprintf + 92 8050CACC 60 Bytes JMP 80506CA7 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!RtlTimeToTimeFields + 6 8050CC13 35 Bytes [53, 56, 57, 8D, 45, FC, 50, ...]
.text ntoskrnl.exe!RtlTimeToTimeFields + 2A 8050CC37 102 Bytes CALL 8050CB8F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!RtlTimeToTimeFields + 91 8050CC9E 99 Bytes [89, 45, 08, 0F, BF, 04, 45, ...]
.text ntoskrnl.exe!RtlTimeToTimeFields + F5 8050CD02 104 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ntoskrnl.exe!RtlTimeToTimeFields + 15E 8050CD6B 5 Bytes [03, 03, 03, 03, 03]
.text ...
.text ntoskrnl.exe!KeSetIdealProcessorThread + 16 8050CF3F 33 Bytes [00, 88, 45, FF, 8A, 45, 0C, ...]
.text ntoskrnl.exe!KeSetIdealProcessorThread + 38 8050CF61 19 Bytes [85, C0, A0, 55, 80, 8B, 80, ...]
.text ntoskrnl.exe!KeSetIdealProcessorThread + 4C 8050CF75 31 Bytes CALL 804DB77A \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeSetIdealProcessorThread + 6C 8050CF95 1 Byte [FF]
.text ntoskrnl.exe!KeSetIdealProcessorThread + 71 8050CF9A 41 Bytes [90, 8B, FF, 55, 8B, EC, 8B, ...]
.text ...
.text ntoskrnl.exe!MmProbeAndLockSelectedPages + 13 8050D192 11 Bytes [53, 56, 57, 64, A1, 24, 01, ...] {PUSH EBX; PUSH ESI; PUSH EDI; MOV EAX, FS:[0x124]; MOV EBX, EAX}
.text ntoskrnl.exe!MmProbeAndLockSelectedPages + 22 8050D1A1 25 Bytes [40, 14, 8B, C8, 81, E1, FF, ...]
.text ntoskrnl.exe!MmProbeAndLockSelectedPages + 3D 8050D1BC 10 Bytes [8D, 85, D0, EF, FF, FF, C6, ...] {LEA EAX, [EBP-0x1030]; MOV BYTE [EBP-0x1], 0x1f}
.text ntoskrnl.exe!MmProbeAndLockSelectedPages + 48 8050D1C7 11 Bytes [4D, E0, 89, 45, F8, 0F, 87, ...] {DEC EBP; LOOPNZ 0xffffffffffffff8c; INC EBP; CLC ; JA 0x11df6}
.text ntoskrnl.exe!MmProbeAndLockSelectedPages + 54 8050D1D3 2 Bytes [4D, E0]
.text ...
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 69 8050F7FC 20 Bytes CALL 8054B6C0 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 7F 8050F812 133 Bytes CALL 8054B6C0 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 105 8050F898 44 Bytes [76, 4D, 80, 8D, 1C, B6, 8D, ...]
.text ntoskrnl.exe!IoReadDiskSignature + 2 8050F8C5 5 Bytes [55, 8B, EC, 53, 56] {PUSH EBP; MOV EBP, ESP; PUSH EBX; PUSH ESI}
.text ntoskrnl.exe!IoReadDiskSignature + 8 8050F8CB 113 Bytes [75, 0C, B8, 00, 02, 00, 00, ...]
.text ntoskrnl.exe!IoReadDiskSignature + 7A 8050F93D 9 Bytes [00, 8B, C6, 5F, 5E, 5B, 5D, ...]
.text ntoskrnl.exe!IoReadDiskSignature + 84 8050F947 53 Bytes [33, C0, 38, 45, 08, 0F, 94, ...]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 1F 8050F97D 1 Byte [55]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 1F 8050F97D 11 Bytes [55, 8B, EC, 8B, 45, 08, 3B, ...]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 2B 8050F989 31 Bytes [77, 0B, 8B, 04, 85, DC, 85, ...]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 4B 8050F9A9 70 Bytes [90, 90, 90, 90, 8B, FF, 53, ...]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 93 8050F9F1 119 Bytes CALL 805068C4 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!KdPollBreakIn 8050FD03 79 Bytes [8B, FF, 55, 8B, EC, 51, 51, ...]
.text ntoskrnl.exe!KeSetTimeIncrement + 17 8050FD53 97 Bytes [89, 15, 60, A2, 55, 80, 77, ...]
.text ntoskrnl.exe!KeSetTimeIncrement + 79 8050FDB5 18 Bytes [0D, 14, 00, DF, FF, 89, 0E, ...]
.text ntoskrnl.exe!KeSetTimeIncrement + 8C 8050FDC8 15 Bytes [83, 7D, 14, 00, 8B, 7D, 08, ...] {CMP DWORD [EBP+0x14], 0x0; MOV EDI, [EBP+0x8]; MOV EAX, [EDI+0x4]; MOV [0xffdf001c], EAX}
.text ntoskrnl.exe!KeSetTimeIncrement + 9C 8050FDD8 20 Bytes [07, A3, 14, 00, DF, FF, 8B, ...]
.text ntoskrnl.exe!KeSetTimeIncrement + B1 8050FDED 11 Bytes [1F, 2B, 1E, 8B, 7F, 04, 1B, ...]
.text ...
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + 6C 8050FEEA 44 Bytes [45, 08, 66, 83, 60, 64, 00, ...]
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + 99 8050FF17 11 Bytes [44, 24, 04, 8B, 15, 20, F0, ...]
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + A5 8050FF23 40 Bytes [52, 8D, 0A, C7, 01, 17, 00, ...]
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + CF 8050FF4D 8 Bytes [0F, 20, D0, 89, 82, D0, 02, ...]
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + D8 8050FF56 116 Bytes [0F, 20, D8, 89, 82, D4, 02, ...]
.text ...
.text ntoskrnl.exe!MmFreeContiguousMemory + 18 80510206 5 Bytes [8B, 0D, E8, F9, 55]
.text ntoskrnl.exe!MmFreeContiguousMemory + 1E 8051020C 17 Bytes [03, C8, 3B, D9, 0F, 83, 52, ...]
.text ntoskrnl.exe!MmFreeContiguousMemory + 30 8051021E 107 Bytes [5B, C9, C2, 04, 00, 8B, C7, ...]
.text ntoskrnl.exe!MmAllocateContiguousMemory + 58 8051028A 5 Bytes [40, 1C, 3B, 45, 14]
.text ntoskrnl.exe!MmAllocateContiguousMemory + 5E 80510290 32 Bytes [EE, 85, F6, 75, 02, 8B, F7, ...]
.text ntoskrnl.exe!MmAllocateContiguousMemory + 7F 805102B1 23 Bytes JMP 804F607E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!MmAllocateContiguousMemory + 97 805102C9 25 Bytes JMP 804F6242 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!MmAllocateContiguousMemory + B1 805102E3 2 Bytes [45, 0C]
.text ...
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 6 80510502 58 Bytes [45, 08, 33, D2, 8B, C8, 53, ...]
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 41 8051053D 57 Bytes [0F, B6, C0, 8A, 80, 68, AC, ...]
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 7C 80510578 3 Bytes [5C, 6E, 01]
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 80 8051057C 39 Bytes [39, 3D, 48, F8, 68, 80, 0F, ...]
.text ntoskrnl.exe!RtlFindLeastSignificantBit + A8 805105A4 36 Bytes [D4, 50, 66, C7, 45, D4, B8, ...]
.text ...
.text ntoskrnl.exe!VfIsVerificationEnabled + 39 80510724 1 Byte [FF]
.text ntoskrnl.exe!VfIsVerificationEnabled + 39 80510724 71 Bytes [FF, 00, 00, 77, 44, 8B, C7, ...]
.text ntoskrnl.exe!VfIsVerificationEnabled + 81 8051076C 9 Bytes [FF, B8, 05, 00, 00, 80, E9, ...]
.text ntoskrnl.exe!VfIsVerificationEnabled + 8B 80510776 64 Bytes [FF, 8B, 7D, 14, 85, FF, 74, ...]
.text ntoskrnl.exe!_strupr + C 805107B7 30 Bytes [D0, 74, 11, 8A, 0A, 80, F9, ...]
.text ntoskrnl.exe!_strupr + 2B 805107D6 28 Bytes [5E, 5D, C3, 90, 90, 90, 90, ...]
.text ntoskrnl.exe!_strupr + 48 805107F3 130 Bytes [83, C4, 10, 5D, C3, 80, 8D, ...]
.text ntoskrnl.exe!_strupr + CB 80510876 11 Bytes [66, 8B, 01, 66, 83, F8, 36, ...]
.text ntoskrnl.exe!_strupr + D8 80510883 9 Bytes [66, 83, 79, 02, 34, 0F, 85, ...]
.text ...
.text ntoskrnl.exe!atol + 11 80510B5B 29 Bytes [83, 3D, F8, 20, 55, 80, 01, ...]
.text ntoskrnl.exe!atol + 2F 80510B79 61 Bytes [C0, 0F, 85, 58, 74, 01, 00, ...]
.text ntoskrnl.exe!atol + 6D 80510BB7 16 Bytes [EB, E6, 0F, B6, 0E, 46, EB, ...] {JMP 0xffffffffffffffe8; MOVZX ECX, BYTE [ESI]; INC ESI; JMP 0xffffffffffffffd9; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP}
.text ntoskrnl.exe!IoEnumerateDeviceObjectList + 4 80510BC8 89 Bytes [EC, 51, 51, 56, 57, 33, FF, ...]
.text ntoskrnl.exe!IoEnumerateDeviceObjectList + 5E 80510C22 12 Bytes [9C, 76, 4D, 80, 8B, 45, F8, ...]
.text ntoskrnl.exe!IoEnumerateDeviceObjectList + 6C 80510C30 9 Bytes [40, 0C, 47, EB, B2, 8D, 42, ...]
.text ntoskrnl.exe!IoEnumerateDeviceObjectList + 76 80510C3A 19 Bytes [60, 8B, 79, F0, 83, E9, 24, ...] {PUSHA ; MOV EDI, [ECX-0x10]; SUB ECX, 0x24; CMP EDI, [EBP+0x8]; JZ 0x13; MOV EDX, [EDX]; JMP 0xffffffffffff0662}
.text ntoskrnl.exe!IoEnumerateDeviceObjectList + 8A 80510C4E 50 Bytes [49, 08, 3B, 4D, 0C, 0F, 84, ...]
.text ...
.text ntoskrnl.exe!RtlTimeFieldsToTime + 2 8051149B 108 Bytes [55, 8B, EC, 83, EC, 14, 8B, ...]
.text ntoskrnl.exe!RtlTimeFieldsToTime + 6F 80511508 66 Bytes [FF, 83, FE, 0B, 0F, 87, 32, ...]
.text ntoskrnl.exe!RtlTimeFieldsToTime + B2 8051154B 43 Bytes [2B, C2, 0F, BF, D7, 3B, D0, ...]
.text ntoskrnl.exe!RtlTimeFieldsToTime + DF 80511578 11 Bytes [81, 7D, F0, E7, 03, 00, 00, ...]
.text ntoskrnl.exe!RtlTimeFieldsToTime + EB 80511584 8 Bytes [FF, 8B, 5D, 08, 81, C3, BF, ...]
.text ...
.text ntoskrnl.exe!PoSetSystemState + A 805116A8 7 Bytes [FF, FF, 0F, 85, B3, 43, 01]
.text ntoskrnl.exe!PoSetSystemState + 12 805116B0 2 Bytes [6A, 00] {PUSH 0x0}
.text ntoskrnl.exe!PoSetSystemState + 15 805116B3 13 Bytes CALL 8050148A \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!PoSetSystemState + 23 805116C1 14 Bytes [5D, C2, 04, 00, 90, 90, 90, ...]
.text ntoskrnl.exe!PoSetSystemState + 32 805116D0 11 Bytes [00, 0F, 85, A0, 43, 01, 00, ...] {ADD [EDI], CL; TEST [EAX-0x5efffebd], ESP; ADC AL, 0xb; PUSH ESI}
.text ...
.text ntoskrnl.exe!KeSetAffinityThread + 10 80511FFF 45 Bytes [8B, 4D, 08, 8A, D8, E8, 61, ...]
.text ntoskrnl.exe!MmCommitSessionMappedView + E 8051202D 39 Bytes [53, 8B, 5D, 08, 3B, D9, 56, ...]
.text ntoskrnl.exe!MmCommitSessionMappedView + 36 80512055 3 Bytes [82, 6C, DA]
.text ntoskrnl.exe!MmCommitSessionMappedView + 3B 8051205A 16 Bytes [64, A1, 24, 01, 00, 00, 8B, ...] {MOV EAX, FS:[0x124]; MOV EAX, [EAX+0x44]; TEST BYTE [EAX+0x24a], 0x1}
.text ntoskrnl.exe!MmCommitSessionMappedView + 4C 8051206B 2 Bytes [84, 60]
.text ntoskrnl.exe!MmCommitSessionMappedView + 4F 8051206E 1 Byte [00]
.text ...
.text ntoskrnl.exe!KeInitializeMutex + 38 80512446 210 Bytes [5E, 80, 2D, D4, 5E, 80, 90, ...]
.text ntoskrnl.exe!IoGetDriverObjectExtension + C8 80512519 12 Bytes [D0, 3F, 57, 33, FF, C1, E8, ...]
.text ntoskrnl.exe!IoGetDriverObjectExtension + D5 80512526 48 Bytes [89, 4D, EC, 89, 7D, F8, 77, ...]
.text ntoskrnl.exe!IoGetDriverObjectExtension + 106 80512557 6 Bytes [7D, F8, 0F, 85, A6, 56]
.text ntoskrnl.exe!IoGetDriverObjectExtension + 10E 8051255F 45 Bytes [33, C0, 5F, 5E, 5B, C9, C2, ...]
.text ntoskrnl.exe!IoGetDriverObjectExtension + 13C 8051258D 62 Bytes CALL 41596B1D
.text ...
.text ntoskrnl.exe!FsRtlPrivateLock + 3 8051285B 37 Bytes CALL 804E2447 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlPrivateLock + 29 80512881 67 Bytes [10, 89, 55, A0, 8B, 70, 04, ...]
.text ntoskrnl.exe!FsRtlPrivateLock + 74 805128CC 56 Bytes [E4, C6, 45, E5, 01, 83, 65, ...]
.text ntoskrnl.exe!FsRtlPrivateLock + AD 80512905 2 Bytes [00, 00] {ADD [EAX], AL}
.text ntoskrnl.exe!FsRtlPrivateLock + B1 80512909 42 Bytes [28, 83, 20, 00, C6, 45, E7, ...]
.text ...
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 48 80512981 14 Bytes [8B, 45, 18, 85, C0, 0F, 85, ...]
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 57 80512990 1 Byte [57]
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 57 80512990 64 Bytes [57, 8B, 7D, 08, 85, FF, 0F, ...]
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess + 98 805129D1 12 Bytes [C7, 89, 4D, F4, 89, 4D, D4, ...]
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess + A5 805129DE 63 Bytes [89, 4D, E0, 89, 45, EC, 0F, ...]
.text ...
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 1D 80512BB8 1 Byte [1C]
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 1D 80512BB8 112 Bytes [1C, FF, 75, 18, FF, 75, 14, ...]
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 8E 80512C29 30 Bytes [BE, 7E, 00, 00, C0, 8A, 4D, ...]
.text ntoskrnl.exe!FsRtlFastUnlockSingle + AD 80512C48 88 Bytes [05, 59, 5E, 80, FF, FF, FF, ...]
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 106 80512CA1 77 Bytes [4E, 28, 77, 0C, 0F, 83, A3, ...]
.text ...
.text ntoskrnl.exe!FsRtlFastCheckLockForRead + 2F 80513081 27 Bytes [0F, 85, B3, D2, FE, FF, 56, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForRead + 4B 8051309D 114 Bytes [0F, 85, F6, D6, FE, FF, 56, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForRead + BF 80513111 20 Bytes JMP 80513076 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlFastCheckLockForRead + D5 80513127 50 Bytes [FF, 8B, 55, 0C, 53, 8B, 1A, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForRead + 108 8051315A 138 Bytes [45, 0B, 33, C0, 3B, D0, 77, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 1B 805131E5 116 Bytes [75, 0A, 83, 7E, 14, 00, 0F, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 90 8051325A 119 Bytes [8D, 45, F8, 50, 8D, 45, F0, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 108 805132D2 19 Bytes [00, FF, 75, 0C, 8B, 70, 08, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 11C 805132E6 96 Bytes [F8, 50, 8D, 45, F0, 50, FF, ...]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 17D 80513347 49 Bytes JMP 80512D38 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!CcFastCopyWrite + 7 80513704 1 Byte [E8]
.text ntoskrnl.exe!CcFastCopyWrite + 7 80513704 11 Bytes CALL 804E244B \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!CcFastCopyWrite + 13 80513710 1 Byte [70]
.text ntoskrnl.exe!CcFastCopyWrite + 13 80513710 45 Bytes [70, 04, 89, 75, DC, 8D, 45, ...]
.text ntoskrnl.exe!CcFastCopyWrite + 41 8051373E 11 Bytes [45, 0C, 89, 45, B4, 89, 7D, ...] {INC EBP; OR AL, 0x89; INC EBP; MOV AH, 0x89; JGE 0xffffffffffffffc0; MOV EAX, [EBX+0xc]}
.text ...
.text ntoskrnl.exe!FsRtlInsertPerStreamContext + 27 805138AF 2 Bytes [41, 04]
.text ntoskrnl.exe!FsRtlInsertPerStreamContext + 2A 805138B2 37 Bytes [4A, 04, 89, 08, 8B, 4E, 28, ...]
.text ntoskrnl.exe!FsRtlInsertPerStreamContext + 50 805138D8 64 Bytes [B1, 1D, 59, 80, FF, 45, D4, ...]
.text ntoskrnl.exe!FsRtlInsertPerStreamContext + 91 80513919 40 Bytes [8A, C8, 8B, 45, 08, 8B, 00, ...]
.text ntoskrnl.exe!FsRtlInsertPerStreamContext + BA 80513942 88 Bytes [EC, 8B, 45, 08, 8B, 48, 24, ...]
.text ...
.text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 2B 80513AA4 6 Bytes [FF, FF, 64, A1, 24, 01]
.text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 32 80513AAB 45 Bytes [00, 89, 46, 50, 8B, 5E, 60, ...]
.text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 60 80513AD9 14 Bytes [90, 90, 90, 90, 90, 90, 90, ...]
.text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 6F 80513AE8 31 Bytes [9D, C0, 51, 80, 83, F8, 16, ...]
.text ntoskrnl.exe!IoBuildAsynchronousFsdRequest + 8F 80513B08 3 Bytes [46, 3C, 8B] {INC ESI; CMP AL, 0x8b}
.text ...
.text ntoskrnl.exe!RtlDeleteNoSplay + A4 80513CD7 8 Bytes [3B, 5D, 08, 0F, 83, 23, 2B, ...]
.text ntoskrnl.exe!RtlDeleteNoSplay + AD 80513CE0 100 Bytes [39, 78, 0C, 0F, 84, 1A, 2B, ...]
.text ntoskrnl.exe!RtlDeleteNoSplay + 113 80513D46 63 Bytes [8D, 45, DC, 50, 8D, 46, FF, ...]
.text ntoskrnl.exe!RtlDeleteNoSplay + 153 80513D86 72 Bytes [01, 3B, C6, 0F, 86, DE, 21, ...]
.text ntoskrnl.exe!RtlDeleteNoSplay + 19C 80513DCF 4 Bytes [83, C2, 67, 00]
.text ...
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 29 80514BC6 55 Bytes [8B, C8, 81, E1, 00, 00, 00, ...]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 61 80514BFE 64 Bytes [AF, D3, 03, F2, 41, 81, F9, ...]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + A2 80514C3F 24 Bytes [53, 8D, 04, 49, 8B, 0D, 68, ...]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + BB 80514C58 64 Bytes [84, B1, 1A, 00, 00, FF, 76, ...]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + FD 80514C9A 13 Bytes [09, FF, 49, 10, 51, E8, 71, ...]
.text ...
.text ntoskrnl.exe!wcscat + 16 80514F4C 50 Bytes [75, F8, 56, 8B, 75, 0C, 66, ...]
.text ntoskrnl.exe!wcscat + 49 80514F7F 150 Bytes [A0, C9, 06, 29, 10, 39, 7E, ...]
.text ntoskrnl.exe!wcscat + E0 80515016 122 Bytes [00, 8B, 16, 89, 15, 54, F8, ...]
.text ntoskrnl.exe!ExSystemTimeToLocalTime + 5A 80515091 103 Bytes [45, F4, BA, 01, F0, FF, FF, ...]
.text ntoskrnl.exe!RtlFindClearRuns + 34 805150F9 2 Bytes [45, 0C]
.text ntoskrnl.exe!RtlFindClearRuns + 37 805150FC 19 Bytes [75, FC, 76, 0B, 8D, 48, 04, ...] {JNZ 0xfffffffffffffffe; JBE 0xf; LEA ECX, [EAX+0x4]; MOV [ECX], EDI; ADD ECX, 0x8; DEC EDX; JNZ 0x7; XOR ECX, ECX; CMP EBX, ECX}
.text ntoskrnl.exe!RtlFindClearRuns + 4B 80515110 34 Bytes CALL CDDAC18B
.text ntoskrnl.exe!RtlFindClearRuns + 6E 80515133 5 Bytes [03, F9, 0F, 85, E6]
.text ntoskrnl.exe!RtlFindClearRuns + 74 80515139 16 Bytes [00, 00, 0F, BE, BE, 58, AE, ...]
.text ...
.text ntoskrnl.exe!PsGetThreadFreezeCount + 7 805155FD 15 Bytes [08, 8A, 80, B8, 01, 00, 00, ...]
.text ntoskrnl.exe!PsGetThreadFreezeCount + 18 8051560E 35 Bytes [81, E2, 00, F0, FF, FF, E9, ...]
.text ntoskrnl.exe!FsRtlResetLargeMcb + 4 80515632 11 Bytes [EC, 80, 7D, 0C, 00, 0F, 84, ...] {IN AL, DX ; CMP BYTE [EBP+0xc], 0x0; JZ 0x4e0c}
.text ntoskrnl.exe!FsRtlResetLargeMcb + 10 8051563E 115 Bytes [45, 08, 83, 60, 08, 00, 5D, ...]
.text ntoskrnl.exe!FsRtlResetLargeMcb + 84 805156B2 72 Bytes [4E, 28, 2B, 0B, 8B, 56, 2C, ...]
.text ntoskrnl.exe!FsRtlResetLargeMcb + CD 805156FB 12 Bytes [84, C0, 0F, 84, 72, FF, FF, ...] {TEST AL, AL; JZ 0xffffffffffffff7a; JMP 0xffffffffffffffd8; MOV EDX, EDI}
.text ntoskrnl.exe!FsRtlResetLargeMcb + DA 80515708 179 Bytes CALL 8053DCE6 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!KeInsertHeadQueue + 3A 80515E7E 28 Bytes JMP 804F62F2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeInsertHeadQueue + 58 80515E9C 37 Bytes [04, 85, C0, 74, 0E, 8B, 88, ...]
.text ntoskrnl.exe!KeInsertHeadQueue + 7E 80515EC2 8 Bytes JMP 804F5400 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeInsertHeadQueue + 87 80515ECB 24 Bytes [00, C0, 0F, 85, F4, 9F, 00, ...]
.text ntoskrnl.exe!KeInsertHeadQueue + A0 80515EE4 22 Bytes [C0, 0F, 84, F3, 9F, 00, 00, ...]
.text ...
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 74 8051621C 8 Bytes CALL C195EF37
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 7D 80516225 4 Bytes [00, 3B, 75, F4] {ADD [EBX], BH; JNZ 0xfffffffffffffff8}
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 82 8051622A 4 Bytes [86, 8A, 5E, FD]
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 87 8051622F 46 Bytes JMP 804EC0B6 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + B6 8051625E 36 Bytes [90, 90, 90, 90, 90, 64, A1, ...]
.text ntoskrnl.exe!KeAreApcsDisabled + 20 80516283 17 Bytes [00, 00, C0, 89, 45, F4, E9, ...]
.text ntoskrnl.exe!KeAreApcsDisabled + 32 80516295 45 Bytes [00, 00, 00, 20, 2B, 5E, 80, ...]
.text ntoskrnl.exe!KeAreApcsDisabled + 60 805162C3 19 Bytes [00, 00, FF, 4E, 04, 33, F6, ...]
.text ntoskrnl.exe!KeAreApcsDisabled + 74 805162D7 70 Bytes JMP 804F0F5F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeAreApcsDisabled + BB 8051631E 15 Bytes CALL 805928FB \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 3F 805170E3 10 Bytes [0B, 02, 83, F8, FF, 0F, 84, ...]
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 4A 805170EE 50 Bytes [3B, 3B, 73, 1A, 8B, 43, 04, ...]
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 7D 80517121 21 Bytes [F7, D1, 85, 0A, 75, 1A, 2B, ...]
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 93 80517137 57 Bytes [75, 08, 83, C2, 04, 83, C0, ...]
.text ntoskrnl.exe!RtlFindNextForwardRunClear + CD 80517171 26 Bytes [47, 3B, 3B, 0F, 82, 7B, FF, ...]
.text ...
.text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + B3 80517434 133 Bytes CALL 804DC19F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 139 805174BA 14 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 148 805174C9 12 Bytes [59, 8D, 04, 8D, 00, 89, 55, ...]
.text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 155 805174D6 12 Bytes [3B, D6, 7F, 1D, 41, 83, F9, ...]
.text ntoskrnl.exe!ZwSignalAndWaitForSingleObject + 162 805174E3 16 Bytes [01, 00, 00, 7C, 0C, 39, 3D, ...]
.text ...
.text ntoskrnl.exe!IoSetFileOrigin 80517FE4 13 Bytes [8B, FF, 55, 8B, EC, 80, 7D, ...]
.text ntoskrnl.exe!IoSetFileOrigin + E 80517FF2 5 Bytes [C0, 0F, 84, A4, 3F] {ROR BYTE [EDI], 0x84; MOVSB ; AAS }
.text ntoskrnl.exe!IoSetFileOrigin + 14 80517FF8 9 Bytes [00, 8B, 75, 08, 8B, 4E, 2C, ...]
.text ntoskrnl.exe!IoSetFileOrigin + 1E 80518002 17 Bytes [00, 01, 85, CA, 75, 07, 0B, ...]
.text ntoskrnl.exe!IoSetFileOrigin + 30 80518014 73 Bytes [8B, 08, 89, 0A, 89, 42, 04, ...]
.text ...
.text ntoskrnl.exe!CcDeferWrite + 4E 8052A98C 114 Bytes [58, 14, 8B, 49, 0C, 8A, 49, ...]
.text ntoskrnl.exe!CcDeferWrite + C2 8052AA00 220 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text ntoskrnl.exe!CcRepinBcb + AC 8052AADD 8 Bytes [89, 48, 28, 66, C7, 40, 04, ...]
.text ntoskrnl.exe!CcRepinBcb + B5 8052AAE6 5 Bytes [66, C7, 40, 06, 30]
.text ntoskrnl.exe!CcRepinBcb + BB 8052AAEC 58 Bytes [0F, B7, 0E, 8B, 76, 04, 83, ...]
.text ntoskrnl.exe!CcRepinBcb + F6 8052AB27 12 Bytes [03, DA, 8B, 55, 0C, 89, 0B, ...]
.text ntoskrnl.exe!CcRepinBcb + 103 8052AB34 189 Bytes [89, 4B, 04, 0F, B7, 32, 8B, ...]
.text ntoskrnl.exe!CcUnpinRepinnedBcb + 22 8052ABF2 15 Bytes [74, 0B, 6A, 01, 8D, 46, 38, ...]
.text ntoskrnl.exe!CcUnpinRepinnedBcb + 32 8052AC02 16 Bytes [74, 6C, FF, 76, 04, FF, 76, ...]
.text ntoskrnl.exe!CcUnpinRepinnedBcb + 43 8052AC13 83 Bytes CALL 804ED23C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!CcUnpinRepinnedBcb + 97 8052AC67 185 Bytes CALL 80516CA9 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!CcIsThereDirtyData + 5E 8052AD21 80 Bytes [83, 65, FC, 00, FF, D7, 83, ...]
.text ntoskrnl.exe!CcGetLsnForFileObject + 12 8052AD72 23 Bytes [70, 04, 33, C0, 3B, F2, 89, ...]
.text ntoskrnl.exe!CcGetLsnForFileObject + 2A 8052AD8A 4 Bytes [57, 8D, 8E, B8]
.text ntoskrnl.exe!CcGetLsnForFileObject + 30 8052AD90 211 Bytes [00, 8D, 55, E4, FF, 15, 84, ...]
.text ntoskrnl.exe!CcGetLsnForFileObject + 104 8052AE64 62 Bytes [6A, 00, 83, C0, 04, 50, 89, ...]
.text ntoskrnl.exe!CcSetDirtyPageThreshold 8052AEA3 26 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
.text ntoskrnl.exe!CcSetDirtyPageThreshold + 1B 8052AEBE 15 Bytes [8B, 48, 0C, F6, 41, 04, 04, ...] {MOV ECX, [EAX+0xc]; TEST BYTE [ECX+0x4], 0x4; JNZ 0xf; MOV EAX, ECX; OR BYTE [EAX+0x4], 0x4}
.text ntoskrnl.exe!CcSetDirtyPageThreshold + 2B 8052AECE 34 Bytes [C2, 08, 00, 90, 90, 90, CC, ...]
.text ntoskrnl.exe!CcGetFileObjectFromSectionPtrs + 12 8052AEF1 40 Bytes [51, 04, 85, D2, 74, 03, 8B, ...]
.text ntoskrnl.exe!CcGetFileObjectFromBcb + 3 8052AF1A 69 Bytes [8B, EC, 8B, 45, 08, 8B, 40, ...]
.text ntoskrnl.exe!CcGetFileObjectFromBcb + 4C 8052AF63 142 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...]
.text ntoskrnl.exe!CcGetFileObjectFromBcb + DB 8052AFF2 1 Byte [FF]
.text ntoskrnl.exe!CcGetFileObjectFromBcb + DB 8052AFF2 4 Bytes [FF, 00, 74, 59] {INC DWORD [EAX]; JZ 0x5d}
.text ntoskrnl.exe!CcGetFileObjectFromBcb + E0 8052AFF7 42 Bytes [15, 94, 76, 4D, 80, FF, 4F, ...]
.text ...
.text ntoskrnl.exe!CcMdlWriteAbort + 5 8052B08F 23 Bytes [51, 8B, 45, 08, 8B, 40, 14, ...]
.text ntoskrnl.exe!CcMdlWriteAbort + 1D 8052B0A7 131 Bytes [74, 04, C6, 45, FF, 01, 80, ...]
.text ntoskrnl.exe!CcMdlWriteAbort + A1 8052B12B 7 Bytes [00, CC, CC, CC, CC, CC, CC] {ADD AH, CL; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ntoskrnl.exe!CcPrepareMdlWrite 8052B137 110 Bytes [6A, 64, 68, 18, B4, 52, 80, ...]
.text ntoskrnl.exe!CcPrepareMdlWrite + 6F 8052B1A6 22 Bytes [00, 8D, 4D, E0, 51, 8D, 4D, ...]
.text ntoskrnl.exe!CcPrepareMdlWrite + 87 8052B1BE 22 Bytes [10, 39, 45, E0, 76, 03, 89, ...]
.text ntoskrnl.exe!CcPrepareMdlWrite + 9E 8052B1D5 26 Bytes [55, AC, 13, C2, 89, 45, 9C, ...]
.text ntoskrnl.exe!CcPrepareMdlWrite + B9 8052B1F0 53 Bytes [10, 00, 00, 72, 07, C7, 45, ...]
.text ...
.text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 1A 8052B47D 22 Bytes CALL 804E20E2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 31 8052B494 30 Bytes [00, FF, 47, 0C, 8B, CF, E8, ...]
.text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 50 8052B4B3 59 Bytes [28, 8B, F0, 85, F6, 75, 07, ...]
.text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 8C 8052B4EF 7 Bytes [88, 73, 55, 80, 89, 46, 04]
.text ntoskrnl.exe!CcWaitForCurrentLazyWriterActivity + 94 8052B4F7 7 Bytes [30, 80, 3D, 30, 73, 55, 80]
.text ...
.text ntoskrnl.exe!FsRtlMdlReadComplete + 2E 8052B7DA 1 Byte [D0]
.text ntoskrnl.exe!FsRtlMdlReadComplete + 2E 8052B7DA 38 Bytes CALL 804ED6AE \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlMdlReadComplete + 57 8052B803 4 Bytes [0C, 57, E8, 4F]
.text ntoskrnl.exe!FsRtlMdlReadComplete + 5D 8052B809 2 Bytes [FF, 5F]
.text ntoskrnl.exe!FsRtlMdlReadComplete + 62 8052B80E 1 Byte [08]
.text ...
.text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 3D 8052B870 11 Bytes [85, FF, 74, 04, 8B, 54, C1, ...] {TEST EDI, EDI; JZ 0x8; MOV EDX, [ECX+EAX*8-0x10]; MOV EAX, [ESI+0x8]}
.text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 49 8052B87C 47 Bytes [4E, 10, 8D, 0C, C1, 8B, 41, ...]
.text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 79 8052B8AC 49 Bytes CALL 8052B8DF \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + AB 8052B8DE 5 Bytes [90, 90, 90, 90, 90] {NOP ; NOP ; NOP ; NOP ; NOP }
.text ntoskrnl.exe!FsRtlLookupLastLargeMcbEntryAndIndex + B1 8052B8E4 23 Bytes [45, E0, 8B, 08, FF, 15, 90, ...]
.text ...
.text ntoskrnl.exe!FsRtlGetNextMcbEntry + 1F 8052B99B 7 Bytes [84, C0, 74, 20, 8B, 4D, 10] {TEST AL, AL; JZ 0x24; MOV ECX, [EBP+0x10]}
.text ntoskrnl.exe!FsRtlGetNextMcbEntry + 27 8052B9A3 126 Bytes [55, F0, 89, 11, 8B, 4D, F8, ...]
.text ntoskrnl.exe!FsRtlSplitLargeMcb + 37 8052BA22 1 Byte [8B]
.text ntoskrnl.exe!FsRtlSplitLargeMcb + 37 8052BA22 166 Bytes [8B, 5D, E0, 8B, FB, C1, E7, ...]
.text ntoskrnl.exe!FsRtlSplitLargeMcb + E0 8052BACB 88 Bytes [48, 04, 8B, 4E, 10, 8B, 45, ...]
.text ntoskrnl.exe!FsRtlSplitLargeMcb + 139 8052BB24 18 Bytes [8D, 04, D8, 8B, 4D, 14, 01, ...]
.text ntoskrnl.exe!FsRtlSplitLargeMcb + 14C 8052BB37 3 Bytes CALL 8052BB4C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!FsRtlTruncateMcb + 1 8052BB75 16 Bytes [FF, 55, 8B, EC, 6A, 00, FF, ...]
.text ntoskrnl.exe!FsRtlTruncateMcb + 12 8052BB86 29 Bytes [5D, C2, 08, 00, 90, 90, CC, ...]
.text ntoskrnl.exe!FsRtlAddMcbEntry + D 8052BBA4 47 Bytes [75, 10, 50, FF, 75, 0C, FF, ...]
.text ntoskrnl.exe!FsRtlRemoveMcbEntry + 14 8052BBD4 67 Bytes [FF, 15, 8C, 76, 4D, 80, 83, ...]
.text ntoskrnl.exe!FsRtlRemoveMcbEntry + 58 8052BC18 23 Bytes [00, BC, 52, 80, CC, CC, CC, ...]
.text ntoskrnl.exe!FsRtlLookupMcbEntry + A 8052BC30 7 Bytes [75, 18, 8B, 75, 14, 6A, 00] {JNZ 0x1a; MOV ESI, [EBP+0x14]; PUSH 0x0}
.text ntoskrnl.exe!FsRtlLookupMcbEntry + 12 8052BC38 134 Bytes [C6, F7, D8, 6A, 00, 1B, C0, ...]
.text ntoskrnl.exe!FsRtlLookupMcbEntry + 99 8052BCBF 52 Bytes [55, F8, 8B, 50, 2C, 3B, D7, ...]
.text ntoskrnl.exe!FsRtlLookupMcbEntry + CE 8052BCF4 2 Bytes [48, 0C]
.text ntoskrnl.exe!FsRtlLookupMcbEntry + D1 8052BCF7 3 Bytes [CF, 74, 1D] {IRET ; JZ 0x20}
.text ...
.text ntoskrnl.exe!FsRtlFastUnlockAllByKey + 6 8052C0C9 13 Bytes [75, 18, 6A, 01, FF, 75, 14, ...] {JNZ 0x1a; PUSH 0x1; PUSH DWORD [EBP+0x14]; PUSH DWORD [EBP+0x10]; PUSH DWORD [EBP+0xc]}
.text ntoskrnl.exe!FsRtlFastUnlockAllByKey + 14 8052C0D7 56 Bytes CALL 804F393B \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlIsNtstatusExpected + 1A 8052C110 42 Bytes [C0, 74, 0B, 3D, AA, 00, 00, ...]
.text ntoskrnl.exe!FsRtlAllocatePool + C 8052C13B 32 Bytes [75, 0C, FF, 75, 08, E8, 7F, ...]
.text ntoskrnl.exe!FsRtlAllocatePool + 2D 8052C15C 24 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntoskrnl.exe!FsRtlAllocatePoolWithQuota + F 8052C175 49 Bytes CALL 804E6BB2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlAllocatePoolWithTag + A 8052C1A7 32 Bytes [75, 0C, FF, 75, 08, E8, 13, ...]
.text ntoskrnl.exe!FsRtlAllocatePoolWithTag + 2B 8052C1C8 205 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + 8A 8052C296 81 Bytes [5F, 5E, 5B, 5D, C2, 04, 00, ...]
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + DC 8052C2E8 38 Bytes [83, 65, FC, 00, 8D, 5F, 08, ...]
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + 104 8052C310 59 Bytes [FF, C6, 45, E7, 01, 8B, 36, ...]
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + 140 8052C34C 19 Bytes [15, 90, 76, 4D, 80, C3, 90, ...]
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + 154 8052C360 3 Bytes [40, C3, 52] {INC EAX; RET ; PUSH EDX}
.text ...
.text ntoskrnl.exe!FsRtlCreateSectionForDataScan + 15 8052CAF6 59 Bytes [FF, 89, 7D, FC, 89, 7D, F8, ...]
.text ntoskrnl.exe!FsRtlCreateSectionForDataScan + 51 8052CB32 77 Bytes [FF, 88, D4, 00, 00, 00, 56, ...]
.text ntoskrnl.exe!FsRtlCreateSectionForDataScan + 9F 8052CB80 123 Bytes [D8, 3B, DF, 7C, 69, 8B, 45, ...]
.text ntoskrnl.exe!FsRtlCreateSectionForDataScan + 11B 8052CBFC 2 Bytes [FF, 80]
.text ntoskrnl.exe!FsRtlCreateSectionForDataScan + 11E 8052CBFF 136 Bytes [00, 00, 00, 75, 13, 8D, 48, ...]
.text ...
.text ntoskrnl.exe!FsRtlLookupPerFileObjectContext + 8 8052CCAF 173 Bytes [39, 7D, 08, 75, 04, 33, C0, ...]
.text ntoskrnl.exe!FsRtlRemovePerFileObjectContext + 1D 8052CD5D 18 Bytes [8B, F0, 3B, F7, 75, 04, 33, ...]
.text ntoskrnl.exe!FsRtlRemovePerFileObjectContext + 30 8052CD70 14 Bytes [8B, 55, 10, 3B, D7, 74, 22, ...] {MOV EDX, [EBP+0x10]; CMP EDX, EDI; JZ 0x29; LEA ECX, [ESI+0x20]; MOV EAX, [ECX]; JMP 0x1d}
.text ntoskrnl.exe!FsRtlRemovePerFileObjectContext + 3F 8052CD7F 84 Bytes [58, 08, 3B, 5D, 0C, 75, 05, ...]
.text ntoskrnl.exe!FsRtlRemovePerFileObjectContext + 94 8052CDD4 60 Bytes [76, 4D, 80, 8B, C7, 5B, 5E, ...]
.text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 7 8052CE11 12 Bytes [5D, 08, 57, 33, FF, 3B, DF, ...]
.text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 14 8052CE1E 4 Bytes JMP 8052CECA \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 19 8052CE23 10 Bytes [00, F6, 43, 2E, 80, 75, 0A, ...] {ADD DH, DH; INC EBX; XOR BYTE CS:[EBP+0xa], 0xb8; ADC [EAX], AL}
.text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 24 8052CE2E 40 Bytes JMP 8052CECA \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 4D 8052CE57 95 Bytes [00, C0, EB, 6F, 33, C9, 41, ...]
.text ...
.text ntoskrnl.exe!FsRtlPostStackOverflow + 8 8052CFD4 74 Bytes [75, 10, FF, 75, 0C, FF, 75, ...]
.text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + 30 8052D01F 16 Bytes [EC, 83, EC, 0C, 8B, 45, 08, ...] {IN AL, DX ; SUB ESP, 0xc; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; MOV ESI, 0x62747346; PUSH ESI}
.text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + 41 8052D030 45 Bytes [DB, 6A, 18, 89, 1A, 53, 89, ...]
.text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + 6F 8052D05E 23 Bytes [0F, 84, B1, 00, 00, 00, 56, ...]
.text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + 87 8052D076 48 Bytes [00, FF, 75, FC, 8D, 46, 08, ...]
.text ntoskrnl.exe!FsRtlPostPagingFileStackOverflow + B8 8052D0A7 55 Bytes CALL 804E37D4 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntoskrnl.exe!InbvResetDisplay + 55 8052D292 79 Bytes [FF, 55, 8B, EC, 80, 3D, 80, ...]
.text ntoskrnl.exe!InbvSolidColorFill + 21 8052D2E2 9 Bytes [75, 18, 56, FF, 75, 14, FF, ...] {JNZ 0x1a; PUSH ESI; PUSH DWORD [EBP+0x14]; PUSH DWORD [EBP+0x10]}
.text ntoskrnl.exe!InbvSolidColorFill + 2B 8052D2EC 44 Bytes [75, 0C, FF, 75, 08, E8, EC, ...]
.text ntoskrnl.exe!InbvSolidColorFill + 58 8052D319 41 Bytes [45, FC, 6A, 08, 8D, 45, F8, ...]
.text ntoskrnl.exe!InbvSolidColorFill + 83 8052D344 11 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP }
.text ntoskrnl.exe!InbvSetTextColor + 1 8052D350 59 Bytes [FF, 55, 8B, EC, 51, 51, 56, ...]
.text ntoskrnl.exe!InbvSetTextColor + 3D 8052D38C 77 Bytes [F8, A1, DC, CB, 54, 80, 6A, ...]
.text ntoskrnl.exe!InbvSetTextColor + 8B 8052D3DA 53 Bytes [C6, 05, E4, CB, 54, 80, 01, ...]
.text ntoskrnl.exe!InbvAcquireDisplayOwnership + 5 8052D410 149 Bytes [85, C0, 74, 0F, 83, 3D, 84, ...]
.text ntoskrnl.exe!InbvSetScrollRegion + 3B 8052D4A6 9 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP }
.text ntoskrnl.exe!InbvSetScrollRegion + 45 8052D4B0 234 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
.text ntoskrnl.exe!IoCheckQuerySetFileInformation + 3C 8052D59B 104 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + A 8052D605 8 Bytes [08, 53, 33, DB, 3B, C3, 56, ...]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 13 8052D60E 35 Bytes [8B, 70, 04, EB, 03, 8B, 75, ...]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 37 8052D632 4 Bytes [35, 58, 8A, 55]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 3C 8052D637 6 Bytes [C7, 45, E4, 18, 00, 00]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 43 8052D63E 3 Bytes [53, 89, 5D]
.text ...
.text ntoskrnl.exe!IoGetDeviceToVerify + B 8052D7FA 19 Bytes [02, 00, 00, 5D, C2, 04, 00, ...] {ADD AL, [EAX]; ADD [EBP-0x3e], BL; ADD AL, 0x0; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ntoskrnl.exe!IoGetDeviceToVerify + 21 8052D810 6 Bytes [90, 90, 64, A1, 24, 01]
.text ntoskrnl.exe!IoGetInitialStack + 6 8052D818 106 Bytes [8B, 40, 18, C3, CC, CC, CC, ...]
.text ntoskrnl.exe!IoGetInitialStack + 71 8052D883 12 Bytes [00, 10, 74, 04, 32, C0, EB, ...]
.text ntoskrnl.exe!IoGetInitialStack + 7F 8052D891 111 Bytes [64, A1, 24, 01, 00, 00, 3B, ...]
.text ntoskrnl.exe!IoGetInitialStack + EF 8052D901 62 Bytes [C2, 04, 00, 90, 90, 90, 90, ...]
.text ntoskrnl.exe!IoRaiseHardError + 22 8052D940 1 Byte [B2]
.text ntoskrnl.exe!IoRaiseHardError + 22 8052D940 132 Bytes [B2, 01, 8B, CE, FF, 15, 84, ...]
.text ntoskrnl.exe!IoRaiseHardError + A7 8052D9C5 17 Bytes [FF, 68, 49, 6F, 45, 72, 6A, ...]
.text ntoskrnl.exe!IoRaiseHardError + B9 8052D9D7 10 Bytes [84, 64, FF, FF, FF, 8B, 4D, ...] {TEST [EDI+EDI*8-0x1], AH; DEC DWORD [EBX+0x20830c4d]}
.text ntoskrnl.exe!IoRaiseHardError + C4 8052D9E2 47 Bytes [89, 48, 14, 8B, 4D, 10, 6A, ...]
.text ntoskrnl.exe!IoRaiseInformationalHardError + 1 8052DA12 21 Bytes [FF, 55, 8B, EC, 8B, 4D, 10, ...]
.text ntoskrnl.exe!IoRaiseInformationalHardError + 17 8052DA28 40 Bytes [EB, 0C, 64, A1, 24, 01, 00, ...]
.text ntoskrnl.exe!IoRaiseInformationalHardError + 40 8052DA51 12 Bytes [81, 7D, 08, 44, 01, 00, C0, ...]
.text ntoskrnl.exe!IoRaiseInformationalHardError + 4D 8052DA5E 5 Bytes [81, 7D, 08, 18, 00]
.text ntoskrnl.exe!IoRaiseInformationalHardError + 53 8052DA64 59 Bytes [40, 0F, 84, F0, 01, 00, 00, ...]
.text ...
.text ntoskrnl.exe!IoSetDeviceToVerify + 50 8052DCC5 137 Bytes [8B, 75, 08, FF, 75, 10, 8D, ...]
.text ntoskrnl.exe!IoStartNextPacketByKey + 16 8052DD4F 90 Bytes [0C, F6, D9, 1B, C9, 81, E1, ...]
.text ntoskrnl.exe!IoStopTimer + 18 8052DDAB 129 Bytes [FF, 0D, 74, 8A, 55, 80, FB, ...]
.text ntoskrnl.exe!IoCompleteRequest + 45 8052DE30 2 Bytes [90, 8B]
.text ntoskrnl.exe!IoCompleteRequest + 48 8052DE33 8 Bytes [55, 8B, EC, 51, 51, 83, 65, ...]
.text ntoskrnl.exe!IoCompleteRequest + 51 8052DE3C 154 Bytes [56, 57, 64, A1, 24, 01, 00, ...]
.text ntoskrnl.exe!IoGetDiskDeviceObject + 20 8052DED7 5 Bytes [86, B0, 00, 00, 00]
.text ntoskrnl.exe!IoGetDiskDeviceObject + 26 8052DEDD 81 Bytes [40, 28, 85, C0, 75, 07, BE, ...]
.text ntoskrnl.exe!IoSetSystemPartition + D 8052DF2F 51 Bytes [53, 56, 8B, 75, 08, 57, 89, ...]
.text ntoskrnl.exe!IoSetSystemPartition + 42 8052DF64 9 Bytes [53, 53, 8D, 45, DC, 89, 45, ...] {PUSH EBX; PUSH EBX; LEA EAX, [EBP-0x24]; MOV [EBP-0x28], EAX; PUSH EDI}
.text ntoskrnl.exe!IoSetSystemPartition + 4C 8052DF6E 55 Bytes [45, D4, 50, FF, 75, D0, 8D, ...]
.text ntoskrnl.exe!IoSetSystemPartition + 84 8052DFA6 4 Bytes CALL 805DBC3F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!IoSetSystemPartition + 89 8052DFAB 51 Bytes [FF, 75, D0, 8B, F8, E8, 18, ...]
.text ...
.text ntoskrnl.exe!IoValidateDeviceIoControlAccess + C 8052E10F 2 Bytes [55, 08]
.text ntoskrnl.exe!IoValidateDeviceIoControlAccess + F 8052E112 3 Bytes [42, 60, 8A]
.text ntoskrnl.exe!IoValidateDeviceIoControlAccess + 13 8052E116 56 Bytes [80, F9, 0E, 74, 05, 80, F9, ...]
.text ntoskrnl.exe!IoValidateDeviceIoControlAccess + 4C 8052E14F 4 Bytes [C0, 5D, C2, 08] {RCR BYTE [EBP-0x3e], 0x8}
.text ntoskrnl.exe!IoValidateDeviceIoControlAccess + 51 8052E154 24 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text ntoskrnl.exe!IoFreeErrorLogEntry + 2 8052E16D 34 Bytes [55, 8B, EC, 56, 8B, 75, 08, ...]
.text ntoskrnl.exe!IoFreeErrorLogEntry + 25 8052E190 130 Bytes [B7, 46, 02, F7, D8, 89, 45, ...]
.text ntoskrnl.exe!IoFreeErrorLogEntry + A8 8052E213 149 Bytes [DB, 3B, CE, C6, 45, E8, 00, ...]
.text ntoskrnl.exe!IoFreeErrorLogEntry + 13E 8052E2A9 25 Bytes [89, 70, 04, 83, 65, EC, 00, ...]
.text ntoskrnl.exe!IoFreeErrorLogEntry + 159 8052E2C4 70 Bytes [72, FF, FF, FF, 5F, 5E, 5B, ...]
.text ntoskrnl.exe!IoAttachDeviceByPointer 8052E30E 194 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
.text ntoskrnl.exe!IoCsqRemoveIrp + A 8052E3D1 3 Bytes [83, 66, 1C]
.text ntoskrnl.exe!IoCsqRemoveIrp + E 8052E3D5 54 Bytes [57, 8D, 45, 08, 50, 56, FF, ...]
.text ntoskrnl.exe!IoCsqRemoveIrp + 45 8052E40C 16 Bytes [56, 08, 83, 63, 04, 00, 83, ...]
.text ntoskrnl.exe!IoCsqRemoveIrp + 56 8052E41D 9 Bytes [56, 14, 33, C0, 5F, 5E, 5B, ...]
.text ntoskrnl.exe!IoCsqRemoveIrp + 60 8052E427 23 Bytes [00, CC, CC, CC, CC, CC, 90, ...]
.text ...
.text ntoskrnl.exe!KeCapturePersistentThreadState + 23 8052EE8A 251 Bytes [75, 09, 64, A1, 24, 01, 00, ...]
.text ntoskrnl.exe!KeCapturePersistentThreadState + 11F 8052EF86 3 Bytes [89, BB, B8]
.text ntoskrnl.exe!KeCapturePersistentThreadState + 123 8052EF8A 97 Bytes [00, 00, 8B, 3D, 0C, 00, DF, ...]
.text ntoskrnl.exe!KeCapturePersistentThreadState + 185 8052EFEC 33 Bytes [09, 8B, 8C, 0F, 00, 00, 8D, ...]
.text ntoskrnl.exe!KeCapturePersistentThreadState + 1A7 8052F00E 15 Bytes [F3, A5, 89, 45, 10, BF, 90, ...]
.text ...
.text ntoskrnl.exe!IoVolumeDeviceToDosName + 10 805304EA 12 Bytes [53, 56, 89, 45, FC, 8B, 45, ...] {PUSH EBX; PUSH ESI; MOV [EBP-0x4], EAX; MOV EAX, [EBP+0xc]; PUSH EDI; MOV EDI, [EBP+0x8]}
.text ntoskrnl.exe!IoVolumeDeviceToDosName + 1D 805304F7 12 Bytes [85, D4, FD, FF, FF, 8D, 85, ...]
.text ntoskrnl.exe!IoVolumeDeviceToDosName + 2A 80530504 2 Bytes [F0, FD]
.text ntoskrnl.exe!IoVolumeDeviceToDosName + 2E 80530508 4 Bytes [89, 85, EC, FD]
.text ntoskrnl.exe!IoVolumeDeviceToDosName + 33 8053050D 19 Bytes [FF, 8D, 85, D8, FD, FF, FF, ...]
.text ...
.text ntoskrnl.exe!IoRequestDeviceEject + D 80531346 16 Bytes [00, 8B, 40, 14, 33, D2, 3B, ...] {ADD [EBX-0x2dccebc0], CL; CMP EAX, EDX; JZ 0x20; TEST BYTE [EAX+0x7e], 0x2; JNZ 0x20}
.text ntoskrnl.exe!IoRequestDeviceEject + 1E 80531357 4 Bytes [68, 71, A1, 61]
.text ntoskrnl.exe!IoRequestDeviceEject + 23 8053135C 3 Bytes CALL 805312D6 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!IoRequestDeviceEject + 27 80531360 6 Bytes [FF, FF, 5D, C2, 04, 00]
.text ntoskrnl.exe!IoRequestDeviceEject + 2E 80531367 8 Bytes [52, 51, 6A, 02, 68, CA, 00, ...]
.text ...
.text ntoskrnl.exe!KdDisableDebugger + E 80531ED7 12 Bytes CALL 8053200D \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KdDisableDebugger + 1C 80531EE5 75 Bytes [00, 75, 3A, A0, 41, 37, 55, ...]
.text ntoskrnl.exe!KdDisableDebugger + 68 80531F31 52 Bytes [15, 9C, 76, 4D, 80, C9, C3, ...]
.text ntoskrnl.exe!KdEnableDebugger + 24 80531F66 18 Bytes [00, 74, 1C, 6A, 00, 6A, 00, ...]
.text ntoskrnl.exe!KdEnableDebugger + 37 80531F79 11 Bytes CALL 8067F3EB \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KdEnableDebugger + 43 80531F85 29 Bytes CALL 80532027 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KdPowerTransition + 4 80531FA3 28 Bytes [EC, 56, 33, F6, 83, 7D, 08, ...]
.text ntoskrnl.exe!KdPowerTransition + 21 80531FC0 14 Bytes CALL 80548D38 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KdPowerTransition + 30 80531FCF 38 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntoskrnl.exe!KdPowerTransition + 57 80531FF6 192 Bytes CALL 80548D5F \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KdPowerTransition + 118 805320B7 8 Bytes [B1, 1F, FF, D6, 8B, CF, 88, ...]
.text ...
.text ntoskrnl.exe!KeSetDmaIoCoherency + 8 8053245B 32 Bytes [A3, 88, A1, 55, 80, 5D, C2, ...]
.text ntoskrnl.exe!KeSetDmaIoCoherency + 29 8053247C 270 Bytes [75, 0C, FF, 75, 08, E8, AF, ...]
.text ntoskrnl.exe!KeAcquireInterruptSpinLock + 1D 8053258B 21 Bytes [5E, 8A, C3, 5B, 5D, C2, 04, ...]
.text ntoskrnl.exe!KeReleaseInterruptSpinLock + 4 805325A1 78 Bytes [EC, 8B, 45, 08, 8B, 48, 1C, ...]
.text ntoskrnl.exe!KeReleaseInterruptSpinLock + 53 805325F0 40 Bytes [37, 89, 45, 08, EB, 0F, 8D, ...]
.text ntoskrnl.exe!KeReleaseInterruptSpinLock + 7C 80532619 4 Bytes [8B, 45, 08, 5F] {MOV EAX, [EBP+0x8]; POP EDI}
.text ntoskrnl.exe!KeReleaseInterruptSpinLock + 81 8053261E 97 Bytes [5B, C9, C2, 08, 00, 90, CC, ...]
.text ntoskrnl.exe!KeReleaseInterruptSpinLock + E3 80532680 94 Bytes [85, C0, 75, 4D, 8B, 7D, 08, ...]
.text ...
.text ntoskrnl.exe!KeEnterKernelDebugger + 19 80532A12 68 Bytes [0F, C1, 01, 48, 75, 19, 33, ...]
.text ntoskrnl.exe!KeDeregisterBugCheckCallback + 10 80532A57 40 Bytes [BE, 68, A2, 55, 80, 8B, CE, ...]
.text ntoskrnl.exe!KeDeregisterBugCheckCallback + 39 80532A80 55 Bytes CALL 804DA602 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeDeregisterBugCheckCallback + 71 80532AB8 51 Bytes [89, 45, DC, 8B, 1D, 78, A2, ...]
.text ntoskrnl.exe!KeDeregisterBugCheckCallback + A5 80532AEC 80 Bytes [84, C0, 74, 61, 46, 47, 83, ...]
.text ntoskrnl.exe!KeDeregisterBugCheckCallback + F6 80532B3D 6 Bytes CALL 473388CD
.text ...
.text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 30 80532B9F 1 Byte [40]
.text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 30 80532B9F 17 Bytes [40, 04, 89, 08, 89, 41, 04, ...]
.text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 42 80532BB1 36 Bytes [FF, FF, 15, 9C, 76, 4D, 80, ...]
.text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 67 80532BD6 111 Bytes CALL 804E244B \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + D7 80532C46 12 Bytes [56, 08, 8B, 46, 0C, 03, C2, ...]
.text ...
.text ntoskrnl.exe!KeBugCheckEx + 4 8053380F 37 Bytes [EC, 6A, 00, FF, 75, 18, FF, ...]
.text ntoskrnl.exe!KeBugCheckEx + 2A 80533835 34 Bytes [FF, 55, 8B, EC, F6, 05, 00, ...]
.text ntoskrnl.exe!KeBugCheckEx + 4D 80533858 39 Bytes [88, 45, 0B, B8, A0, A2, 55, ...]
.text ntoskrnl.exe!KeBugCheckEx + 75 80533880 49 Bytes [76, 04, 3B, D3, 72, 35, 8B, ...]
.text ntoskrnl.exe!KeBugCheckEx + A7 805338B2 105 Bytes [08, 00, 53, 56, 52, 6A, 00, ...]
.text ...
.text ntoskrnl.exe!KeI386GetLid + 12 80533A85 14 Bytes [89, 45, F8, 75, 0A, B8, 0F, ...]
.text ntoskrnl.exe!KeI386GetLid + 22 80533A95 74 Bytes [7D, 10, 00, 74, 09, 83, 4D, ...]
.text ntoskrnl.exe!KeI386GetLid + 6D 80533AE0 65 Bytes [08, 00, 00, 33, C0, F3, AB, ...]
.text ntoskrnl.exe!KeI386GetLid + AF 80533B22 87 Bytes CALL 80533A32 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeI386GetLid + 107 80533B7A 63 Bytes [A0, 55, 80, 8D, 44, 08, 04, ...]
.text ...
.text ntoskrnl.exe!KeI386ReleaseLid + 27 80533C0C 59 Bytes [C1, E2, 03, 8D, 34, 0A, 8B, ...]
.text ntoskrnl.exe!KeI386ReleaseLid + 63 80533C48 45 Bytes [5F, 8B, C6, 5E, 5D, C2, 08, ...]
.text ntoskrnl.exe!KeI386AbiosCall + 1C 80533C76 8 Bytes [0D, D0, 12, 55, 80, 66, 3B, ...]
.text ntoskrnl.exe!KeI386AbiosCall + 25 80533C7F 147 Bytes [72, 07, B8, 14, 01, 00, C0, ...]
.text ntoskrnl.exe!KeI386ReleaseGdtSelectors + 1B 80533D13 11 Bytes [3D, 80, 9F, 55, 80, 74, 22, ...]
.text ntoskrnl.exe!KeI386ReleaseGdtSelectors + 27 80533D1F 24 Bytes [0F, B7, D9, 0F, B7, 16, 8B, ...]
.text ntoskrnl.exe!KeI386ReleaseGdtSelectors + 40 80533D38 48 Bytes CALL 48DD989B
.text ntoskrnl.exe!KeI386FlatToGdtSelector + 14 80533D69 94 Bytes [86, 00, 00, 00, 66, 81, 7D, ...]
.text ntoskrnl.exe!KeI386FlatToGdtSelector + 73 80533DC8 17 Bytes [0C, BD, 80, 9F, 55, 80, 8B, ...]
.text ntoskrnl.exe!KeI386FlatToGdtSelector + 85 80533DDA 58 Bytes [0F, BE, 0D, 60, 37, 55, 80, ...]
.text ntoskrnl.exe!KeI386FlatToGdtSelector + C0 80533E15 105 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntoskrnl.exe!KeRemoveByKeyDeviceQueueIfBusy + 34 80533E7F 70 Bytes [8B, C6, 5E, C9, C2, 08, 00, ...]
.text ntoskrnl.exe!KeRemoveEntryDeviceQueue + 6 80533EC6 12 Bytes [EC, 0C, 8B, 4D, 08, 53, 83, ...]
.text ntoskrnl.exe!KeRemoveEntryDeviceQueue + 13 80533ED3 4 Bytes [15, 84, 76, 4D]
.text ntoskrnl.exe!KeRemoveEntryDeviceQueue + 19 80533ED9 1 Byte [45]
.text ntoskrnl.exe!KeRemoveEntryDeviceQueue + 19 80533ED9 15 Bytes [45, 0C, 8A, 58, 0C, 80, FB, ...]
.text ntoskrnl.exe!KeRemoveEntryDeviceQueue + 29 80533EE9 5 Bytes [8B, 40, 04, 89, 08] {MOV EAX, [EAX+0x4]; MOV [EAX], ECX}
.text ...
.text ntoskrnl.exe!KeQueryPriorityThread + A1 805340F9 23 Bytes [55, 8B, EC, 83, EC, 0C, 56, ...]
.text ntoskrnl.exe!KeQueryPriorityThread + B9 80534111 22 Bytes [15, 10, 76, 4D, 80, 8D, 7E, ...]
.text ntoskrnl.exe!KeQueryPriorityThread + D0 80534128 1 Byte [88]
.text ntoskrnl.exe!KeQueryPriorityThread + D0 80534128 10 Bytes [88, 46, 08, 75, 11, 84, C0, ...]
.text ntoskrnl.exe!KeQueryPriorityThread + DB 80534133 20 Bytes [F0, 8D, 4E, EC, 33, D2, E8, ...]
.text ...
.text ntoskrnl.exe!KeRaiseUserException + 83 80534313 24 Bytes CALL 804F909B \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!KeRaiseUserException + 9C 8053432C 2 Bytes [09, 43]
.text ntoskrnl.exe!KeRaiseUserException + 9F 8053432F 78 Bytes [80, 12, 43, 53, 80, CC, CC, ...]
.text ntoskrnl.exe!KeSaveStateForHibernate + 26 80534387 35 Bytes [83, EC, 24, 53, 56, 57, 3E, ...]
.text ntoskrnl.exe!KeSaveStateForHibernate + 4A 805343AB 44 Bytes [74, 18, 08, 8D, 43, 48, 89, ...]
.text ntoskrnl.exe!KeSaveStateForHibernate + 77 805343D8 4 Bytes [84, 90, 01, 00]
.text ntoskrnl.exe!KeSaveStateForHibernate + 7C 805343DD 53 Bytes [48, 74, 26, 48, 74, 1A, 48, ...]
.text ntoskrnl.exe!KeSaveStateForHibernate + B2 80534413 36 Bytes [C6, 46, 01, FF, EB, 0B, 8B, ...]
.text ...
.text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + F 8053621A 55 Bytes [10, 8B, 4E, 14, 8D, 46, 1C, ...]
.text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 47 80536252 14 Bytes [00, 00, 40, 83, E3, FE, 3B, ...] {ADD [EAX], AL; INC EAX; AND EBX, -0x2; CMP ECX, EBX; LEA EDX, [EAX-0x8]; JZ 0x1c; PUSH ECX}
.text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 56 80536261 46 Bytes [75, 0C, 57, 68, 04, 01, 00, ...]
.text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 85 80536290 15 Bytes [00, 00, 8D, 4C, 88, F8, EB, ...]
.text ntoskrnl.exe!MmMapLockedPagesWithReservedMapping + 95 805362A0 55 Bytes [00, 83, C0, 04, 3B, C1, 72, ...]
.text ...
.text ntoskrnl.exe!MmUnmapReservedMapping + 69 8053653B 41 Bytes [00, 00, 8D, B4, 3E, FF, 0F, ...]
.text ntoskrnl.exe!MmUnmapReservedMapping + 93 80536565 18 Bytes [D6, C1, E2, 02, 8D, 3C, 10, ...] {SALC ; SHL EDX, 0x2; LEA EDI, [EAX+EDX]; LEA ECX, [EAX+ECX*4-0x8]; JMP 0x15; TEST BYTE [EAX], 0x1; JZ 0x1d}
.text ntoskrnl.exe!MmUnmapReservedMapping + A6 80536578 20 Bytes [C0, 04, 3B, C7, 73, 1A, EB, ...]
.text ntoskrnl.exe!MmUnmapReservedMapping + BB 8053658D 20 Bytes [00, EB, 3C, 83, 38, 00, 75, ...]
.text ntoskrnl.exe!MmUnmapReservedMapping + D0 805365A2 142 Bytes [8D, 7B, 08, 52, 57, E8, CE, ...]
.text ntoskrnl.exe!MmAdvanceMdl + 2 80536631 30 Bytes [55, 8B, EC, 83, EC, 18, 8B, ...]
.text ntoskrnl.exe!MmAdvanceMdl + 22 80536651 179 Bytes [53, C7, 05, 14, 39, 55, 80, ...]
.text ntoskrnl.exe!MmAdvanceMdl + D6 80536705 15 Bytes [3D, EC, F9, 55, 80, 01, 75, ...] {CMP EAX, 0x8055f9ec; ADD [EBP+0x7], ESI; PUSH EDI; PUSH ESI; CALL 0xfffffffffffff7d6}
.text ntoskrnl.exe!MmAdvanceMdl + E6 80536715 1 Byte [46]
.text ntoskrnl.exe!MmAdvanceMdl + E6 80536715 38 Bytes [46, 08, 33, C9, 85, C0, 66, ...]
.text ...
.text ntoskrnl.exe!MmProtectMdlSystemAddress + 28 80536896 9 Bytes CALL 804E443C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
.text ntoskrnl.exe!MmProtectMdlSystemAddress + 32 805368A0 88 Bytes [89, 45, F8, 0F, 84, 61, 02, ...]
.text ntoskrnl.exe!MmProtectMdlSystemAddress + 8B 805368F9 181 Bytes [40, C1, EB, 0C, 83, F8, 04, ...]
.text ntoskrnl.exe!MmProtectMdlSystemAddress + 141 805369AF 81 Bytes CALL 804E6717 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
? sppy.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6AB08AC 5 Bytes JMP 859E31D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1944] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85B8A1F8
Device \Driver\usbuhci \Device\USBPDO-0 85A731F8
Device \Driver\usbuhci \Device\USBPDO-1 85A731F8
Device \Driver\usbuhci \Device\USBPDO-2 85A731F8
Device \Driver\usbehci \Device\USBPDO-3 859D41F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 85B8D1F8
Device \Driver\Cdrom \Device\CdRom0 85A5B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F74ABB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F74ABB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F74ABB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F74ABB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBT_Tcpip_{E903940B-9AF9-422A-9D8B-7918D1C714E4} 856081F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 856081F8
Device \Driver\NetBT \Device\NetbiosSmb 856081F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{0C7EE82C-BB91-4BAC-89A3-0045E2FB6B08} 856081F8
Device \Driver\usbuhci \Device\USBFDO-0 85A731F8
Device \Driver\usbuhci \Device\USBFDO-1 85A731F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 855EC1F8
Device \Driver\usbuhci \Device\USBFDO-2 85A731F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 855EC1F8
Device \Driver\usbehci \Device\USBFDO-3 859D41F8
Device \Driver\Ftdisk \Device\FtControl 85B8D1F8
Device \FileSystem\Cdfs \Cdfs 855D3500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----



#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:53 AM

Posted 30 May 2010 - 12:38 AM

Hello, newgma
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2
--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • Local time:08:53 PM

Posted 31 May 2010 - 09:01 AM

Hi, Tom, Thanks so much for your help!

When I download ComboFix and rename and move to my desktop, it does not run - I am prompted to select a program to open it as if it is a document rather than an executable file.

I am using Firefox and it sends downloads to a download window, but does not automatically offer the opportunity to "save as" or "save to", nor the option to rename the download.

I have disabled TeaTimer and Windows Firewall.

Can I just run the ComboFix directly from the download window?

Mary


#6 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • Local time:08:53 PM

Posted 01 June 2010 - 02:14 PM

Hi Tom - found out why I couldn't rename the file from "Terry's Computer Tips":

QUOTE
In order to make the changes, first, you need to start Firefox. Then, from the menu bar, pick Tools, then Options.

This should open the Options dialog box, with the Main tab selected.

Near the middle of the Main tab, you'll find the Downloads section. Click on the radio button "Always ask me where to save files" - then click the "OK" button.


Here is the ComboFix log:

ComboFix 10-06-01.01 - Mschmokel 06/01/2010 14:50:54.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.204 [GMT -4:00]
Running from: c:\documents and settings\Mschmokel\Desktop\schrauber.exe
.

((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2010-07-11 18:59 . 2008-11-10 18:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-07-11 18:59 . 2006-10-27 01:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-07-11 18:56 . 2010-02-16 15:21 -------- d-----w- c:\program files\Microsoft Works
2010-07-11 18:50 . 2010-07-11 18:51 -------- d-----w- c:\windows\SHELLNEW
2010-07-11 18:46 . 2010-07-11 18:46 -------- d-----r- C:\MSOCache
2010-07-11 17:45 . 2010-07-11 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-07-05 14:38 . 2008-03-21 19:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-07-05 14:35 . 2009-11-08 07:41 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2010-07-05 14:35 . 2010-07-05 14:35 -------- d-----w- c:\program files\PdaNet for Android
2010-07-05 14:35 . 2009-11-08 07:41 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-07-05 14:35 . 2006-09-28 20:32 9472 ----a-w- c:\windows\system32\drivers\pnetmdm.sys
2010-05-27 02:40 . 2010-05-27 02:40 -------- d-----w- c:\documents and settings\Mschmokel\Application Data\Windows Search
2010-05-26 14:34 . 2010-05-26 14:34 -------- d-----w- c:\program files\CCleaner
2010-05-25 14:40 . 2010-05-25 14:40 -------- d-----w- c:\documents and settings\Mschmokel\Application Data\Uniblue
2010-05-14 14:33 . 2010-05-14 14:33 -------- d-----w- c:\documents and settings\Mschmokel\Application Data\OpenDNS Updater
2010-05-14 14:33 . 2010-05-14 14:33 -------- d-----w- c:\program files\OpenDNS Updater
2010-05-10 12:00 . 2010-05-10 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-10 12:00 . 2010-05-10 12:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-05-03 21:26 . 2010-05-03 21:26 -------- d-----w- c:\documents and settings\Mschmokel\Local Settings\Application Data\yBook
2010-05-03 20:39 . 1998-05-12 00:01 240944 ----a-w- c:\windows\system32\RICHED.DLL
2010-05-03 14:31 . 2010-05-03 20:32 -------- d-----w- c:\documents and settings\Mschmokel\Calibre Library
2010-05-03 14:31 . 2010-05-03 15:58 -------- d-----w- c:\documents and settings\Mschmokel\Application Data\calibre
2010-05-03 14:18 . 2010-05-03 14:19 -------- d-----w- c:\program files\Calibre2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 14:08 . 2009-06-12 03:51 -------- d-----w- c:\program files\OpenOffice.org 3
2010-07-11 18:04 . 2009-12-10 17:57 -------- d-----w- c:\program files\Microsoft Small Business
2010-07-11 15:28 . 2009-06-12 13:49 1 ----a-w- c:\documents and settings\Mschmokel\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-09 20:30 . 2009-12-10 17:45 -------- d-----w- c:\program files\Microsoft SQL Server
2010-07-09 20:27 . 2009-12-10 16:47 -------- d-----w- c:\program files\Microsoft.NET
2010-07-05 14:38 . 2010-07-05 14:38 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2010-07-05 14:38 . 2010-07-05 14:38 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-05-31 15:33 . 2009-06-07 22:29 71008 ----a-w- c:\documents and settings\Mschmokel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-31 13:15 . 2009-10-22 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-28 12:45 . 2009-12-10 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-26 14:38 . 2010-04-11 21:17 -------- d-----w- c:\documents and settings\Mschmokel\Application Data\Media Player Classic
2010-05-03 20:35 . 2009-08-16 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 14:51 . 2010-04-30 19:49 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-30 20:14 . 2010-04-30 20:14 -------- d-----w- c:\documents and settings\Mschmokel\Application Data\Windows Desktop Search
2010-04-21 14:01 . 2009-06-21 16:47 -------- d-----w- c:\program files\Microsoft Games
2010-04-11 20:45 . 2010-04-11 20:45 -------- d-----w- c:\program files\Essentials Codec Pack
2010-04-06 16:34 . 2010-04-06 16:34 -------- d-----w- c:\documents and settings\Mschmokel\Application Data\Apple Computer
2010-04-06 16:18 . 2010-04-06 16:16 -------- d-----w- c:\program files\QuickTime
2010-04-06 16:16 . 2010-04-06 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-06 16:15 . 2010-04-06 16:15 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 16:14 . 2010-04-06 16:14 -------- d-----w- c:\program files\Apple Software Update
2010-04-06 16:14 . 2010-04-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-10 06:15 . 2004-08-04 20:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-11-16 839168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\Mschmokel\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2010-7-5 447952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-06-17 20:43 118784 ----a-r- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-06-17 20:48 155648 ----a-r- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 20:00 208952 -c--a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 20:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 20:00 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-06 16:03 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Stormreach\\dndclient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [7/5/2010 10:35 AM 9472]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/16/2009 11:17 AM 717296]
S3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [2/14/2010 8:11 PM 251264]
.
Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-01 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {E903940B-9AF9-422A-9D8B-7918D1C714E4} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Mschmokel\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-Qwest Personal Digital Vault - c:\program files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-01 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-01 15:05:28
ComboFix-quarantined-files.txt 2010-06-01 19:05

Pre-Run: 19,558,764,544 bytes free
Post-Run: 19,545,427,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7DA06C4B3BD9E22B4A0CF4CF03FCDF60




#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:53 AM

Posted 03 June 2010 - 12:10 PM

Hi,

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Still problems with the system?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#8 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • Local time:08:53 PM

Posted 03 June 2010 - 01:18 PM

Thanks again, Tom. I am anxious to know what I did....

Here are the logs:

OTL logfile created on: 6/3/2010 2:00:49 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Mschmokel\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

478.00 Mb Total Physical Memory | 166.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 18.20 Gb Free Space | 48.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARCUSLAPTOP
Current User Name: Mschmokel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/03 13:59:26 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mschmokel\Desktop\OTL.exe
PRC - [2010/02/20 11:26:21 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/08 01:27:22 | 000,447,952 | ---- | M] () -- C:\Program Files\PdaNet for Android\PdaNetPC.exe
PRC - [2009/11/24 14:32:22 | 000,234,792 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
PRC - [2009/11/16 15:58:38 | 000,839,168 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/03 13:59:26 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mschmokel\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========

DRV - [2010/03/01 22:37:32 | 001,961,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2010/02/14 20:09:50 | 000,251,264 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0500Vid.sys -- (V0500Dev)
DRV - [2009/08/16 11:17:11 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2006/11/02 09:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/09/28 16:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pnetmdm.sys -- (pnetmdm)
DRV - [2004/10/14 10:53:00 | 000,276,480 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camchal.sys -- (CAMCHALA)
DRV - [2004/10/14 10:52:02 | 000,292,864 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camcaud.sys -- (CAMCAUD)
DRV - [2004/08/04 14:05:20 | 000,341,760 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/03/10 07:40:28 | 000,199,552 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/03/10 07:37:26 | 000,682,624 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/03/10 07:35:48 | 001,041,536 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: optout@google.com:1.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: textlinks@playsushi.com:1.2.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/20 15:12:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/24 11:37:15 | 000,000,000 | ---D | M]

[2009/06/07 22:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Extensions
[2010/05/27 07:26:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions
[2009/09/03 15:31:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/12 11:41:54 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/02/15 18:38:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions\optout@google.com
[2010/05/27 07:26:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/15 11:22:24 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

O1 HOSTS File: ([2009/10/22 11:50:25 | 000,347,151 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11904 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No CLSID value found.
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O2 - BHO: (no name) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No CLSID value found.
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - Startup: C:\Documents and Settings\Mschmokel\Start Menu\Programs\Startup\PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/01 20:04:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/05/01 20:03:58 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/11 14:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2010/07/11 14:50:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2010/07/11 14:46:09 | 000,000,000 | R--D | C] -- C:\MSOCache
[2010/07/11 13:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/07/05 10:35:17 | 000,009,472 | ---- | C] (June Fabrics Technology) -- C:\WINDOWS\System32\drivers\pnetmdm.sys
[2010/07/05 10:35:17 | 000,000,000 | ---D | C] -- C:\Program Files\PdaNet for Android
[2010/06/03 13:59:23 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mschmokel\Desktop\OTL.exe
[2010/06/02 15:04:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/01 14:48:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/01 14:42:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/01 14:42:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/01 14:42:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/01 14:42:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/01 14:41:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/31 09:40:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/28 08:42:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/05/28 08:37:38 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/05/26 22:40:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\Windows Search
[2010/05/26 10:37:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Mschmokel\Recent
[2010/05/26 10:34:24 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/25 10:40:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\Uniblue
[2010/05/14 10:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\OpenDNS Updater
[2010/05/14 10:33:18 | 000,000,000 | ---D | C] -- C:\Program Files\OpenDNS Updater
[2010/05/10 08:00:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2010/05/03 17:40:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\My Documents\marktwain
[2010/05/03 17:26:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\yBook
[2010/05/03 16:39:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\My Documents\yBook
[2010/05/03 10:31:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Calibre Library
[2010/05/03 10:31:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\calibre
[2010/05/03 10:18:06 | 000,000,000 | ---D | C] -- C:\Program Files\Calibre2
[2010/04/30 16:14:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\Identities
[2010/04/30 16:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\Windows Desktop Search
[2010/04/30 15:49:34 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2010/04/30 15:49:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/04/11 17:17:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\Media Player Classic
[2010/04/11 16:45:15 | 000,000,000 | ---D | C] -- C:\Program Files\Essentials Codec Pack
[2010/04/11 16:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\WMTools Downloaded Files
[2010/04/06 12:34:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\Apple Computer
[2010/04/06 12:16:57 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/06 12:16:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/04/06 12:15:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/04/06 12:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\Apple
[2010/04/06 12:14:42 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/04/06 12:14:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/04/06 12:13:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\Apple Computer
[2010/04/02 10:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\.gconfd
[2010/04/02 10:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\.gconf
[2010/04/02 10:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\.gnome2_private
[2010/04/02 10:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\.gnome2
[2010/04/02 10:51:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\.gnucash
[2010/03/27 15:51:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Desktop\Desktop pics

========== Files - Modified Within 90 Days ==========

[2010/07/11 13:52:22 | 000,000,491 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/08 10:23:33 | 000,021,748 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Alex budget.xlsx
[2010/07/05 10:38:54 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2010/07/05 10:38:17 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2010/07/05 10:35:19 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Start Menu\Programs\Startup\PdaNet Desktop.lnk
[2010/06/03 13:59:26 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mschmokel\Desktop\OTL.exe
[2010/06/02 23:06:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/02 23:06:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/02 23:00:34 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Mschmokel\NTUSER.DAT
[2010/06/02 23:00:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Mschmokel\ntuser.ini
[2010/06/02 23:00:18 | 006,416,444 | -H-- | M] () -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\IconCache.db
[2010/06/02 22:59:38 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\meschmokel resume 05012010.doc
[2010/06/02 22:59:30 | 000,058,880 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Resume of Mary E Schmokel - ATS.doc
[2010/06/02 22:54:00 | 000,000,268 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[2010/06/01 15:40:13 | 000,165,584 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\budget.xlsx
[2010/06/01 14:57:50 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/01 14:48:34 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/01 14:33:42 | 003,701,981 | R--- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\schrauber.exe
[2010/05/31 13:52:46 | 000,025,723 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary requ for DD214 053110.docx
[2010/05/31 13:40:30 | 000,379,295 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary app for VA Benefits 1010ez 053110.pdf
[2010/05/31 11:46:39 | 000,020,012 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\HCC.docx
[2010/05/31 11:33:03 | 000,071,008 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/31 08:00:13 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/29 08:48:07 | 000,010,789 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\DLL052910.docx
[2010/05/29 08:06:02 | 000,013,935 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\mary e schmokel resume 04012010.docx
[2010/05/28 09:08:24 | 000,284,520 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/28 07:18:40 | 000,579,072 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/28 07:18:40 | 000,127,290 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/28 07:18:40 | 000,005,502 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/27 13:28:44 | 000,000,465 | -H-- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\.picasa.ini
[2010/05/26 15:02:39 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\Shortcut to gmer.exe.lnk
[2010/05/26 10:40:27 | 000,077,736 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\cc_20100526_104009.reg
[2010/05/26 10:34:30 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\CCleaner.lnk
[2010/05/25 15:19:10 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\MarcusResume.doc
[2010/05/24 13:40:34 | 000,011,446 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\JPMOrgan Chase cover 052410.docx
[2010/05/24 13:18:52 | 000,011,353 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Macy's cover 052410.docx
[2010/05/21 09:44:14 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\Revo Uninstaller.lnk
[2010/05/21 07:58:51 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/06 17:49:27 | 000,010,538 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\mafiawarssecret code.docx
[2010/05/03 17:28:47 | 000,000,621 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\yBook.lnk
[2010/05/03 10:19:26 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\calibre - E-book management.lnk
[2010/04/30 14:06:02 | 000,009,959 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\University contacts.docx
[2010/04/27 15:57:10 | 000,097,370 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\GSU application submission.docx
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/24 11:37:19 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/23 10:37:28 | 005,312,777 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Hayden%27s%20Walking%21.mp4
[2010/04/23 09:45:05 | 000,013,418 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\mary e schmokel resume 04012010.docx
[2010/04/22 13:18:39 | 000,010,487 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Cover letter.docx
[2010/04/20 18:00:44 | 000,020,952 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\mary hcc transc - unofficial.docx
[2010/04/19 10:00:59 | 000,675,840 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\householdPearBudget template.03.xls
[2010/04/16 16:11:35 | 000,097,546 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\12 Month Overview for Marcus and Mary 041610.docx
[2010/04/14 16:48:45 | 000,271,233 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\questarjan2010.pdf
[2010/04/14 11:37:13 | 000,720,384 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\householdPearBudget 2009.03.xls
[2010/04/13 08:59:51 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/11 16:45:33 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\Media Player Classic.lnk
[2010/04/06 19:48:31 | 000,010,485 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Albany State University Admissions 504 College Drive Albany.docx
[2010/04/06 12:17:50 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/03 19:02:57 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\Mschmokel\.recently-used.xbel
[2010/04/03 17:00:35 | 000,006,999 | ---- | M] () -- C:\Documents and Settings\Mschmokel\New document 1.2010_04_03_17_00_35.0.svg
[2010/04/01 20:12:03 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\D02E5100
[2010/03/27 16:58:59 | 000,130,170 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\marcus snap of skyp mar '10.png
[2010/03/19 16:14:13 | 000,016,526 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\masresume.docx
[2010/03/16 21:02:33 | 000,013,431 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Zwieback Toas crumbless teething cookiet.docx
[2010/03/16 16:27:23 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

========== Files Created - No Company Name ==========

[2010/07/07 20:26:00 | 000,021,748 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Alex budget.xlsx
[2010/07/05 10:38:54 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2010/07/05 10:38:17 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2010/07/05 10:35:19 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Start Menu\Programs\Startup\PdaNet Desktop.lnk
[2010/06/02 19:04:50 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Resume of Mary E Schmokel - ATS.doc
[2010/06/01 14:48:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/01 14:48:24 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/01 14:42:10 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/01 14:42:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/01 14:42:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/01 14:42:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/01 14:42:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/01 14:33:41 | 003,701,981 | R--- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\schrauber.exe
[2010/05/31 13:52:40 | 000,025,723 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary requ for DD214 053110.docx
[2010/05/31 13:40:28 | 000,379,295 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary app for VA Benefits 1010ez 053110.pdf
[2010/05/31 11:46:38 | 000,020,012 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\HCC.docx
[2010/05/31 09:23:07 | 000,001,699 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\ResetTeaTimer.bat
[2010/05/29 11:32:14 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\meschmokel resume 05012010.doc
[2010/05/29 08:38:43 | 000,010,789 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\DLL052910.docx
[2010/05/26 15:02:39 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\Shortcut to gmer.exe.lnk
[2010/05/26 10:40:15 | 000,077,736 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\cc_20100526_104009.reg
[2010/05/26 10:34:29 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\CCleaner.lnk
[2010/05/24 13:40:34 | 000,011,446 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\JPMOrgan Chase cover 052410.docx
[2010/05/24 13:18:49 | 000,011,353 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Macy's cover 052410.docx
[2010/05/24 12:30:39 | 000,013,935 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\mary e schmokel resume 04012010.docx
[2010/05/06 17:49:25 | 000,010,538 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\mafiawarssecret code.docx
[2010/05/03 16:39:21 | 000,000,621 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\yBook.lnk
[2010/05/03 10:19:26 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\calibre - E-book management.lnk
[2010/04/30 14:06:00 | 000,009,959 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\University contacts.docx
[2010/04/27 15:57:09 | 000,097,370 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\GSU application submission.docx
[2010/04/24 11:37:19 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/23 10:37:17 | 005,312,777 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Hayden%27s%20Walking%21.mp4
[2010/04/23 09:45:04 | 000,013,418 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\mary e schmokel resume 04012010.docx
[2010/04/22 13:18:38 | 000,010,487 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Cover letter.docx
[2010/04/20 15:35:55 | 000,020,952 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\mary hcc transc - unofficial.docx
[2010/04/16 16:11:33 | 000,097,546 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\12 Month Overview for Marcus and Mary 041610.docx
[2010/04/14 16:48:45 | 000,271,233 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\questarjan2010.pdf
[2010/04/14 11:37:51 | 000,675,840 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\householdPearBudget template.03.xls
[2010/04/13 08:59:36 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/12 22:10:47 | 000,047,783 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\masresume.wps.rtf
[2010/04/11 16:45:33 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\Media Player Classic.lnk
[2010/04/06 19:47:44 | 000,010,485 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Albany State University Admissions 504 College Drive Albany.docx
[2010/04/06 12:17:49 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/06 12:15:02 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/03 19:02:57 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\Mschmokel\.recently-used.xbel
[2010/04/03 17:00:35 | 000,006,999 | ---- | C] () -- C:\Documents and Settings\Mschmokel\New document 1.2010_04_03_17_00_35.0.svg
[2010/04/01 20:12:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\D02E5100
[2010/03/27 16:58:47 | 000,130,170 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\marcus snap of skyp mar '10.png
[2010/03/19 16:14:11 | 000,016,526 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\masresume.docx
[2010/03/16 21:02:32 | 000,013,431 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Zwieback Toas crumbless teething cookiet.docx
[2010/02/14 21:27:03 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/10/11 22:58:27 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/08/16 11:17:11 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/08/16 10:20:31 | 000,000,607 | ---- | C] () -- C:\WINDOWS\tlknw4.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[1997/06/13 21:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== LOP Check ==========

[2009/10/11 23:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2010/07/11 13:45:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2009/08/16 11:19:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2009/10/22 10:30:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/10/22 00:16:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/10/22 10:32:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/03 11:58:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\calibre
[2009/08/16 11:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Canneverbe_Limited
[2009/06/16 10:23:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/12/02 11:37:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\com.focusboosterapp.focusbooster.8E5F79C899747AD22E21DB62AA496926DA6BBC64.1
[2009/10/22 00:17:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\DriverCure
[2009/12/10 12:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\GetRightToGo
[2010/02/07 15:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\inkscape
[2009/10/23 01:06:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Leadertech
[2010/05/14 10:33:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\OpenDNS Updater
[2009/06/12 09:47:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\OpenOffice.org
[2009/06/13 09:15:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Thunderbird
[2010/05/25 10:40:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Uniblue
[2010/02/16 14:25:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\VSRevoGroup
[2010/04/30 16:14:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Windows Desktop Search
[2010/05/26 22:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Windows Search
[2010/06/02 22:54:00 | 000,000,268 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 16:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/12/29 23:20:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/12/29 23:20:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 16:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/29 23:20:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/12/29 23:20:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 16:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 16:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 16:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 16:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 06:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 06:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2009/08/16 11:17:11 | 000,717,296 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2009/05/01 13:00:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/05/01 13:00:18 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/05/01 13:00:18 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemdrive%\*.sys /90 /md5 >
[2010/06/02 23:06:24 | 754,974,720 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Mschmokel\Desktop\X12-30107.exe:SummaryInformation
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

And the extras.txt log:

OTL Extras logfile created on: 6/3/2010 2:00:49 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Mschmokel\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

478.00 Mb Total Physical Memory | 166.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 18.20 Gb Free Space | 48.86% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARCUSLAPTOP
Current User Name: Mschmokel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Turbine\Dungeons and Dragons Online - Stormreach\dndclient.exe" = C:\Program Files\Turbine\Dungeons and Dragons Online - Stormreach\dndclient.exe:*:Enabled:dndclient -- (Turbine, Inc.)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1AFC0626-6594-40C5-B2EF-B51DB9CA2C06}" = calibre
"{1DCCB2B0-A482-464F-94F6-1219693E34F0}_is1" = AeroSnap 0.61
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C" = SoftV92 Data Fax Modem with SmartCP
"Conexant PCI Audio" = Conexant AC-Link Audio
"Dynex VF0500" = Dynex 1.3MP Webcam Driver (1.00.03.0000)
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"Inkscape" = Inkscape 0.47
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OpenDNS Updater" = OpenDNS Updater 2.2
"PdaNet_is1" = PdaNet for Android 2.41
"Picasa 3" = Picasa 3
"Punch! Home Design - Platinum" = Punch! Home Design - Platinum
"Revo Uninstaller" = Revo Uninstaller 1.88
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 2.3d
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"yBook_is1" = yBook

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/18/2010 1:29:18 PM | Computer Name = MARCUSLAPTOP | Source = LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted
when process Performance extension counter provider. BaseIndex value from Performance
registry
is the first DWORD in Data section, LastCounter value is the second DWORD in Data
section, and LastHelp value is the third DWORD in Data section.

Error - 3/18/2010 1:29:18 PM | Computer Name = MARCUSLAPTOP | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 3/19/2010 9:15:53 PM | Computer Name = MARCUSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6504.5000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/19/2010 9:16:19 PM | Computer Name = MARCUSLAPTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1303216512.

Error - 5/21/2010 3:28:57 PM | Computer Name = MARCUSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application EXCEL.EXE, version 12.0.6524.5003, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/26/2010 3:19:17 PM | Computer Name = MARCUSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2010 9:04:23 PM | Computer Name = MARCUSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2010 9:04:26 AM | Computer Name = MARCUSLAPTOP | Source = MsiInstaller | ID = 11719
Description = Product: Microsoft Office Home and Student 2007 -- Error 1719.The
Windows Installer Service could not be accessed. This can occur if you are running
Windows in safe mode, or if the Windows Installer is not correctly installed. Contact
your support personnel for assistance.

Error - 5/31/2010 11:33:16 AM | Computer Name = MARCUSLAPTOP | Source = Microsoft Office 12 | ID = 5000
Description = EventType officelifeboathang, P1 winword.exe, P2 12.0.6504.5000, P3
ntdll.dll, P4 5.1.2600.5755, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 5/31/2010 11:34:11 AM | Computer Name = MARCUSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6504.5000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 6/2/2010 11:29:40 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:29:45 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:29:50 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:29:55 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:30:00 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:30:08 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:30:13 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:30:18 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/2/2010 11:30:23 PM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/3/2010 7:22:53 AM | Computer Name = MARCUSLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >


#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:53 AM

Posted 05 June 2010 - 07:08 AM

Hi,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 20.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u20-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u20-windows-i586.exe and select "Run as an Administrator.")




Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    FF - prefs.js..extensions.enabledItems: textlinks@playsushi.com:1.2.0
    FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No CLSID value found.
    O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
    O2 - BHO: (no name) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No CLSID value found.
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.





Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt



How is the system running?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
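
The OTL log pasted earlier in this thread already contains the facts the fix above acts on: "EnableFirewall" = 0 under the StandardProfile firewall key, four O2 BHO entries reading "No CLSID value found", the textlinks@playsushi.com Firefox extension, and "Java 6 Update 16" in the Uninstall list while the helper asks for 6 Update 20. The following is an added example for this thread, not OTL's code and not a tool the helper posted: a small Python triage that reads an OTL log and turns those lines into a finding list. The sample log is a constructed excerpt of the lines above; the "latest Java" version tuple and the watched extension name are assumptions the reader supplies (the thread names 6 Update 20 and playsushi).

```python
"""Triage of a pasted OTL log: is the Windows Firewall profile enabled, which
Browser Helper Objects are orphaned, which Firefox extensions are enabled, and
is the installed Java runtime behind the current release.

Added example for this thread; not OTL's code and not any tool the thread uses.
Line formats mirror the OTL log pasted above. The "latest Java" tuple and the
watched extension names are assumptions the reader supplies (the thread names
6 Update 20 and playsushi)."""
import re

# Constructed excerpt: a few lines copied from the OTL log in this thread,
# one or two entries per section. Backslashes are doubled for Python.
SAMPLE_LOG = """\
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile]

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java\u2122 6 Update 16
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: optout@google.com:1.2
FF - prefs.js..extensions.enabledItems: textlinks@playsushi.com:1.2.0
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
"""

# One regex per OTL line shape we care about.
FIREWALL_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\.*\\FirewallPolicy\\(\w+Profile)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
FF_EXT = re.compile(r"^FF - prefs\.js\.\.extensions\.enabledItems: (.+):([\d.]+)$")
BHO = re.compile(r"^O2 - BHO: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
JAVA = re.compile(r'^"[^"]+"\s*=\s*Java\S*\s+(\d+)\s+Update\s+(\d+)\s*$')


def parse_firewall_profiles(text):
    """Return {profile: {value_name: int}} for the FirewallPolicy profile keys.
    Only the values directly under a *Profile key count; the GloballyOpenPorts
    and AuthorizedApplications subkeys (and any other [key] or ===== header)
    end the current profile block."""
    profiles, current = {}, None
    for line in text.splitlines():
        key = FIREWALL_KEY.match(line)
        if key:
            current = key.group(1)
            profiles.setdefault(current, {})
            continue
        if line.startswith("[") or line.startswith("====="):
            current = None
            continue
        value = VALUE_LINE.match(line)
        if current and value and value.group(2).isdigit():
            profiles[current][value.group(1)] = int(value.group(2))
    return profiles


def orphaned_bhos(text):
    """CLSIDs of O2 BHO entries whose DLL OTL could not resolve."""
    return [m.group(2) for m in map(BHO.match, text.splitlines())
            if m and m.group(3).startswith("No CLSID value found")]


def firefox_extensions(text):
    """(extension id, version) pairs from prefs.js enabledItems lines."""
    return [(m.group(1), m.group(2)) for m in map(FF_EXT.match, text.splitlines()) if m]


def java_installs(text):
    """(major, update) pairs for Java runtimes in the Uninstall list."""
    return [(int(m.group(1)), int(m.group(2))) for m in map(JAVA.match, text.splitlines()) if m]


def triage(text, latest_java=(6, 20), watched_extensions=("playsushi",)):
    """One finding string per issue; an empty list means nothing was flagged.
    latest_java and watched_extensions are assumptions supplied by the caller."""
    findings = []
    for profile, values in parse_firewall_profiles(text).items():
        if values.get("EnableFirewall") == 0:
            findings.append(f"Windows Firewall is OFF in {profile}")
    for clsid in orphaned_bhos(text):
        findings.append(f"orphaned BHO {clsid}: registry entry with no CLSID value")
    for ext_id, version in firefox_extensions(text):
        if any(word in ext_id.lower() for word in watched_extensions):
            findings.append(f"Firefox extension {ext_id} {version} matches a watched name")
    for major, update in java_installs(text):
        if (major, update) < latest_java:
            findings.append(f"Java {major} Update {update} is older than "
                            f"{latest_java[0]} Update {latest_java[1]}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

To run it against a real report, pass the contents of OTL.Txt to triage() in place of SAMPLE_LOG; the parsers ignore every line they do not recognise, so the HOSTS dump and the event log section pass through harmlessly. The firewall check deliberately reads only values directly under the profile key, because the GloballyOpenPorts entries that follow it are a different thing (per-port exceptions) and would otherwise be mistaken for profile settings.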

#10 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 05 June 2010 - 10:47 AM

Hi, Tom -- and YES, it IS already running quicker!

However, when I started MBAM, I got an error on downloading the updates.

When I clicked on your alternate link to manually download, I get :

QUOTE
404 Not Found
/mbam-rules.exe was not found on this server.

Resin/4.0.7


here are the logs as requested:

"Runfix log"---

All processes killed
Error: Unable to interpret <OTL> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledItems: textlinks@playsushi.com:1.2.0> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No CLSID value found.> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No CLSID value found.> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41044 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Mschmokel
->Temp folder emptied: 43443 bytes
->Temporary Internet Files folder emptied: 1581279 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 100959638 bytes
->Flash cache emptied: 48375 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 486 bytes

Total Files Cleaned = 98.00 mb


OTL by OldTimer - Version 3.2.5.3 log created on 06052010_101821

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



"OTLscan log" ----

OTL logfile created on: 6/5/2010 10:32:27 AM - Run 2
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Mschmokel\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

478.00 Mb Total Physical Memory | 281.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 18.25 Gb Free Space | 49.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MARCUSLAPTOP
Current User Name: Mschmokel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Mschmokel\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\PdaNet for Android\PdaNetPC.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Mschmokel\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========

DRV - (VX1000) -- C:\WINDOWS\system32\drivers\VX1000.sys (Microsoft Corporation)
DRV - (V0500Dev) -- C:\WINDOWS\system32\drivers\V0500Vid.sys (Creative Technology Ltd.)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (pnetmdm) -- C:\WINDOWS\system32\drivers\pnetmdm.sys (June Fabrics Technology)
DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camchal.sys (Conexant Systems Inc.)
DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camcaud.sys (Conexant Systems Inc.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: optout@google.com:1.2
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: textlinks@playsushi.com:1.2.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.8

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 10:41:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/06/05 10:15:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/20 15:12:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/05 10:15:50 | 000,000,000 | ---D | M]

[2009/06/07 22:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Extensions
[2010/06/05 10:24:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/06/05 10:24:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions
[2009/09/03 15:31:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/12 11:41:54 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/02/15 18:38:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Firefox\Profiles\nxyff3me.default\extensions\optout@google.com
[2010/06/05 10:22:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/20 11:26:32 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/02/15 11:22:24 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2009/06/09 22:21:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2010/06/05 10:15:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/02/20 11:26:20 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/02/20 11:26:20 | 000,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2010/06/05 10:15:24 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/02/20 11:26:23 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 22:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2010/04/03 19:43:36 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/04/06 12:18:33 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/04/06 12:18:33 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/04/06 12:18:33 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/04/06 12:18:33 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/04/06 12:18:34 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/04/06 12:18:34 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/04/06 12:18:34 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2010/07/12 19:29:44 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/07/12 19:29:44 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/07/12 19:29:44 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/07/12 19:29:44 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/07/12 19:29:44 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/07/12 19:29:44 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/07/12 19:29:44 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2009/10/22 11:50:25 | 000,347,151 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11904 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No CLSID value found.
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No CLSID value found.
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - Startup: C:\Documents and Settings\Mschmokel\Start Menu\Programs\Startup\PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com/betapit/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/01 20:04:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/11 14:59:12 | 000,032,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msonpmon.dll
[2010/07/11 14:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2010/07/11 14:50:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2010/07/11 14:46:09 | 000,000,000 | R--D | C] -- C:\MSOCache
[2010/07/11 14:15:50 | 312,820,720 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Mschmokel\Desktop\X12-30107.exe
[2010/07/11 13:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/07/05 10:38:11 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2010/07/05 10:35:18 | 000,581,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WinUSBCoInstaller.dll
[2010/07/05 10:35:17 | 001,112,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WdfCoInstaller01007.dll
[2010/07/05 10:35:17 | 000,009,472 | ---- | C] (June Fabrics Technology) -- C:\WINDOWS\System32\drivers\pnetmdm.sys
[2010/07/05 10:35:17 | 000,000,000 | ---D | C] -- C:\Program Files\PdaNet for Android
[2010/06/05 10:18:21 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/05 10:16:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/05 10:16:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/05 10:15:50 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/05 10:15:50 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/05 10:15:50 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/05 10:15:50 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/05 10:15:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/05 09:51:59 | 016,295,712 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mschmokel\Desktop\jre-6u20-windows-i586.exe
[2010/06/03 13:59:23 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mschmokel\Desktop\OTL.exe
[2010/06/02 15:04:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/01 14:48:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/01 14:42:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/01 14:42:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/01 14:42:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/01 14:42:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/01 14:41:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/31 09:40:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/28 08:42:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/05/26 22:40:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\Windows Search
[2010/05/26 10:37:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Mschmokel\Recent
[2010/05/26 10:34:24 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/25 10:40:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\Uniblue
[2010/05/14 10:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mschmokel\Application Data\OpenDNS Updater
[2010/05/14 10:33:18 | 000,000,000 | ---D | C] -- C:\Program Files\OpenDNS Updater
[2010/05/10 08:00:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

========== Files - Modified Within 30 Days ==========

[2010/07/11 13:52:22 | 000,000,491 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/08 10:23:33 | 000,021,748 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Alex budget.xlsx
[2010/07/05 10:38:54 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2010/07/05 10:38:17 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2010/07/05 10:35:19 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Start Menu\Programs\Startup\PdaNet Desktop.lnk
[2010/06/05 10:30:42 | 000,011,189 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\OTL runfixlog.docx
[2010/06/05 10:19:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/05 10:19:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/05 10:18:44 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Mschmokel\NTUSER.DAT
[2010/06/05 10:18:44 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Mschmokel\ntuser.ini
[2010/06/05 10:15:22 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/05 10:15:22 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/05 10:15:22 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/05 10:15:22 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/05 10:15:21 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/05 10:06:15 | 000,580,164 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/05 10:06:15 | 000,127,918 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/05 10:06:15 | 000,005,502 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/05 10:00:42 | 006,417,644 | -H-- | M] () -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\IconCache.db
[2010/06/05 09:53:54 | 016,295,712 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mschmokel\Desktop\jre-6u20-windows-i586.exe
[2010/06/05 09:45:17 | 000,042,010 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\fix instructions 0605.docx
[2010/06/04 22:54:00 | 000,000,268 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[2010/06/04 16:39:51 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\meschmokel resume 05012010.doc
[2010/06/04 16:02:47 | 000,058,880 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Resume of Mary E Schmokel 060110.doc
[2010/06/03 23:01:20 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Dear Hiring Managecover ltr r.doc
[2010/06/03 23:00:14 | 000,034,675 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\MarcusResume Works2003.xml
[2010/06/03 13:59:26 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mschmokel\Desktop\OTL.exe
[2010/06/02 22:59:30 | 000,058,880 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Resume of Mary E Schmokel - ATS.doc
[2010/06/01 15:40:13 | 000,165,584 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\budget.xlsx
[2010/06/01 14:57:50 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/01 14:48:34 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/01 14:33:42 | 003,701,981 | R--- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\schrauber.exe
[2010/05/31 13:52:46 | 000,025,723 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary requ for DD214 053110.docx
[2010/05/31 13:40:30 | 000,379,295 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary app for VA Benefits 1010ez 053110.pdf
[2010/05/31 11:46:39 | 000,020,012 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\HCC.docx
[2010/05/31 11:33:03 | 000,071,008 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/31 08:00:13 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/29 08:48:07 | 000,010,789 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\DLL052910.docx
[2010/05/29 08:06:02 | 000,013,935 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\mary e schmokel resume 04012010.docx
[2010/05/28 09:08:24 | 000,284,520 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/27 13:28:44 | 000,000,465 | -H-- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\.picasa.ini
[2010/05/26 15:02:39 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\Shortcut to gmer.exe.lnk
[2010/05/26 10:40:27 | 000,077,736 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\cc_20100526_104009.reg
[2010/05/26 10:34:30 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\CCleaner.lnk
[2010/05/25 15:19:10 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\MarcusResume.doc
[2010/05/24 13:40:34 | 000,011,446 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\JPMOrgan Chase cover 052410.docx
[2010/05/24 13:18:52 | 000,011,353 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\Macy's cover 052410.docx
[2010/05/21 09:44:14 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Mschmokel\Desktop\Revo Uninstaller.lnk
[2010/05/21 07:58:51 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/06 17:49:27 | 000,010,538 | ---- | M] () -- C:\Documents and Settings\Mschmokel\My Documents\mafiawarssecret code.docx

========== Files Created - No Company Name ==========

[2010/07/07 20:26:00 | 000,021,748 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Alex budget.xlsx
[2010/07/05 10:38:54 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2010/07/05 10:38:17 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2010/07/05 10:35:19 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Start Menu\Programs\Startup\PdaNet Desktop.lnk
[2010/06/05 10:30:41 | 000,011,189 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\OTL runfixlog.docx
[2010/06/05 09:45:16 | 000,042,010 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\fix instructions 0605.docx
[2010/06/04 13:02:08 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Resume of Mary E Schmokel 060110.doc
[2010/06/03 23:01:18 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Dear Hiring Managecover ltr r.doc
[2010/06/02 19:04:50 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Resume of Mary E Schmokel - ATS.doc
[2010/06/01 14:48:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/01 14:48:24 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/01 14:42:10 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/01 14:42:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/01 14:42:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/01 14:42:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/01 14:42:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/01 14:33:41 | 003,701,981 | R--- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\schrauber.exe
[2010/05/31 13:52:40 | 000,025,723 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary requ for DD214 053110.docx
[2010/05/31 13:40:28 | 000,379,295 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Mary app for VA Benefits 1010ez 053110.pdf
[2010/05/31 11:46:38 | 000,020,012 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\HCC.docx
[2010/05/31 09:23:07 | 000,001,699 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\ResetTeaTimer.bat
[2010/05/29 11:32:14 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\meschmokel resume 05012010.doc
[2010/05/29 08:38:43 | 000,010,789 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\DLL052910.docx
[2010/05/26 15:02:39 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\Shortcut to gmer.exe.lnk
[2010/05/26 10:40:15 | 000,077,736 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\cc_20100526_104009.reg
[2010/05/26 10:34:29 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\CCleaner.lnk
[2010/05/24 13:40:34 | 000,011,446 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\JPMOrgan Chase cover 052410.docx
[2010/05/24 13:18:49 | 000,011,353 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\Macy's cover 052410.docx
[2010/05/24 12:30:39 | 000,013,935 | ---- | C] () -- C:\Documents and Settings\Mschmokel\Desktop\mary e schmokel resume 04012010.docx
[2010/05/06 17:49:25 | 000,010,538 | ---- | C] () -- C:\Documents and Settings\Mschmokel\My Documents\mafiawarssecret code.docx
[2010/02/14 21:27:03 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/10/11 22:58:27 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/08/16 11:17:11 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/08/16 10:20:31 | 000,000,607 | ---- | C] () -- C:\WINDOWS\tlknw4.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[1997/06/13 21:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Mschmokel\Desktop\X12-30107.exe:SummaryInformation
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


#11 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 05 June 2010 - 07:11 PM

HI, Tom,

The mbam scan came up with nothing found,

and this is from the ETES:

C:\Documents and Settings\Mschmokel\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll probably a variant of Win32/Adware.Gamevance.AG application cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Mschmokel\Local Settings\temp\NOD355.tmp probably a variant of Win32/Adware.Gamevance.AG application cleaned by deleting (after the next restart) - quarantined

Currently, there are 5 add on updates waiting for me to update:

Advertising Cookie Opt-out 2.1
IE Tab 1.5.20090525
Java Quick Starter 1.0
microsoft .NET Framework Assistant 1.1
PlaySushi Textlinks 1.2.0
Skype Extension for Firefox 4.2.0.5198

The PlaySushi icon is still on my toolbar and it's still highlighting text on pages I browse.

I'm ready to pull my hair out....

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:53 AM

Posted 07 June 2010 - 03:47 PM

Please re-run the OTL fix; you copied OTL instead of :OTL
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#13 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 07 June 2010 - 04:54 PM

OOPS!

Should I also re-do the instructions after that, as well?

Here is the log:

All processes killed
========== OTL ==========
Prefs.js: textlinks@playsushi.com:1.2.0 removed from extensions.enabledItems
Prefs.js: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198 removed from extensions.enabledItems
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Mschmokel
->Temp folder emptied: 24017959 bytes
->Temporary Internet Files folder emptied: 413076 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 86322086 bytes
->Flash cache emptied: 1500 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 162 bytes

Total Files Cleaned = 106.00 mb


OTL by OldTimer - Version 3.2.5.3 log created on 06072010_174513

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

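The OTL fix log above has a fixed shape: Prefs.js removals, one "Registry key ... deleted successfully." or "... not found." line per key, then per-user byte counts under [EMPTYTEMP]. As an added example (not part of this thread, and not OTL's own code), here is a small Python parser that turns a log in this format into a structured summary, so a helper can quickly confirm which Browser Helper Object CLSIDs were actually removed and how much temp data was purged per profile. The sample log is constructed from lines in the post above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the format OTL prints for a fix run. The registry
# keys and byte counts mirror the log posted above; the rest is trimmed.
SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Prefs.js: textlinks@playsushi.com:1.2.0 removed from extensions.enabledItems
Prefs.js: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198 removed from extensions.enabledItems
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Mschmokel
->Temp folder emptied: 24017959 bytes
->Temporary Internet Files folder emptied: 413076 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 86322086 bytes
->Flash cache emptied: 1500 bytes

RecycleBin emptied: 162 bytes
"""

# Line patterns as they appear in an OTL fix log (assumed from the posted log).
PREFS_RE = re.compile(r"^Prefs\.js: (?P<item>.+?) removed from (?P<pref>\S+)$")
REG_RE = re.compile(r"^Registry key (?P<key>.+?)\\? (?P<result>deleted successfully|not found)\.$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")
EMPTIED_RE = re.compile(r"^->(?P<what>.+?) emptied: (?P<bytes>\d+) bytes$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class FixSummary:
    prefs_removed: List[str] = field(default_factory=list)   # Firefox extension ids removed from prefs.js
    keys_deleted: List[str] = field(default_factory=list)    # registry keys OTL reports as deleted
    keys_not_found: List[str] = field(default_factory=list)  # keys listed in the fix but already absent
    bytes_per_user: Dict[str, int] = field(default_factory=dict)  # temp data purged per profile


def parse_otl_fix_log(text: str) -> FixSummary:
    """Parse an OTL fix log into a FixSummary. Unknown lines are ignored."""
    summary = FixSummary()
    current_user = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFS_RE.match(line)
        if m:
            summary.prefs_removed.append(m.group("item"))
            continue
        m = REG_RE.match(line)
        if m:
            key = m.group("key").rstrip("\\")
            if m.group("result") == "deleted successfully":
                summary.keys_deleted.append(key)
            else:
                summary.keys_not_found.append(key)
            continue
        m = USER_RE.match(line)
        if m:
            # A "User:" header with no "->" lines after it still counts as 0 bytes.
            current_user = m.group("user")
            summary.bytes_per_user.setdefault(current_user, 0)
            continue
        m = EMPTIED_RE.match(line)
        if m and current_user is not None:
            summary.bytes_per_user[current_user] += int(m.group("bytes"))
    return summary


def bho_clsids(summary: FixSummary) -> List[str]:
    """CLSIDs of Browser Helper Object registrations the fix actually deleted."""
    found = set()
    for key in summary.keys_deleted:
        if "\\Browser Helper Objects\\" in key:
            found.update(CLSID_RE.findall(key))
    return sorted(found)


if __name__ == "__main__":
    s = parse_otl_fix_log(SAMPLE_LOG)
    print("prefs.js removals:", s.prefs_removed)
    print("BHO CLSIDs removed:", bho_clsids(s))
    print("keys already absent:", len(s.keys_not_found))
    for user, n in s.bytes_per_user.items():
        print(f"{user}: {n} bytes emptied")
```

The CLSID list is the useful output for a follow-up check: if a later OTL or HijackThis scan shows any of those GUIDs back under Browser Helper Objects, the add-on was reinstalled rather than merely left over, which is worth knowing before declaring the machine clean.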

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:53 AM

Posted 08 June 2010 - 02:34 PM

Only the follow-up scan; also, please tell me how the system is running now.
regards,
schrauber


#15 newgma

newgma
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 09 June 2010 - 07:02 PM

Here is the last mbam scan, but the PlaySushi icon is still on my Firefox toolbar!!!! (and it still highlights text in the browser!)

Things are faster, but it is an older system and I have a lot of space taken up with software - probably need some advice on what to toss, what may be slowing down browser loading, etc.

My big concern is that I saw somewhere (can't cite) that PlaySushi can install and leave a back door open - aside from the obvious annoyances, that is.

I am, however, grateful for a faster running system. Vielen Dank!

You're a gem!

Objects scanned: 110884
Time elapsed: 11 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
