[ Príspevkov: 14 ] 
AutorSpráva
Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

Prosim o radu.
Zachytil som infiltraciu.
System restore vypnuty
ATF cleanorom precisteny

spyware doctor nasiel
Trojan.Generic
Malware.Neeris
dokaze ich zmazat, no po restartovani pocitaca su spat.

symantec,ani nod 32 - nie je mozne aktualizovat virusove databazy,ani
pomocou offline databaz.

Malwarebytes' Anti-Malware software je zhodeny po par sekundach.

Cez prehliadac sa nie je mozne pripojit na hociaku stranku suvisiacu s

antivirmi,spyware, bla bla bla...ine internetove pripojenie funguje

subor hosts bez koncovky podla mna cisty.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


-=LOG=-
Logfile of HijackThis v1.99.1
Scan saved at 18:22:40, on 24. 11. 2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Program Files\Opera\opera.exe
C:\totalcmd\TOTALCMD.EXE
D:\software\Ochrana Antivirus Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} -

C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910}

- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} -

C:\PROGRA~1\PCTRAN~1\webie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825}

- C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32

Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program

Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel

- res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263}

- C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebTran - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} -

C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} -

C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: &Nastavi? prekladae -

{CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} -

C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preloži? &oznaeený text -

{CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} -

C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preloži? &stránku -

{CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network

Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program

Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} -

C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file

missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll (file

missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. -

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program

Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32

Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools -

C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools -

C:\Program Files\Spyware Doctor\pctsSvc.exe


Som z toho jelen. a vy?


Offline

Užívateľ
Užívateľ
Trojan.Generic & Malware.Neeris + blokovane aktualizacie

Registrovaný: 14.04.08
Prihlásený: 04.06.16
Príspevky: 704
Témy: 42 | 42
Bydlisko: Bratislava
Vek: 24

skusal si windows aj v nudzovom rezime?


_________________
pc: MB: MSI K9N SLi (chipset nvidia nforce 570 SLi), CPU: amd athlon X2 5600+ 2.8 Ghz Windsor chladeny ac freezer 64 pro, ram:2 GB 800Mhz DDR2 A-DATA Vitesta Extreme Edition (2x1GB), grafika: Sapphire Radeon HD 3870 512MB, HDD:Hitachi deskstar SATA2 7200 rpm 500.1GB, PSU: 450W Eurocase
Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

Samozrejme,ze skusal, problem pretrvava.


Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

Prikladam log z combofixu

ComboFix 09-11-24.04 - MADxface . 11. 2009 13:41.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.1023.615 [GMT 1:00]
Running from: c:\documents and settings\MADxface\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\Drivers\d344prt.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-24 15:15 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 15:15 . 2009-11-24 15:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 15:15 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 15:06 . 2009-11-24 15:06 -------- d-----w- c:\program files\ESET
2009-11-24 10:52 . 2009-11-24 10:52 -------- d-----w- C:\NOD_upd
2009-11-23 23:30 . 2009-11-23 23:31 -------- d-----w- C:\Soldat
2009-11-23 19:57 . 2009-11-23 19:57 -------- d-----w- c:\documents and settings\MADxface\Application Data\Malwarebytes
2009-11-23 19:57 . 2009-11-23 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 13:48 . 2009-10-08 10:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-23 13:48 . 2009-10-08 10:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-23 13:48 . 2009-10-08 10:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-23 13:48 . 2009-10-08 10:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-23 13:48 . 2009-10-02 13:19 1152470 ----a-w- c:\windows\UDB.zip
2009-11-23 13:48 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2009-11-23 13:40 . 2009-09-24 07:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-23 13:40 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-23 13:40 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-23 13:40 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-23 13:40 . 2009-11-23 13:48 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-23 13:40 . 2009-11-25 12:46 -------- d-----w- c:\program files\Spyware Doctor
2009-11-23 13:40 . 2009-11-23 13:40 -------- d-----w- c:\documents and settings\MADxface\Application Data\PC Tools
2009-11-23 13:40 . 2009-11-23 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-23 13:40 . 2009-11-25 12:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-23 11:50 . 2009-11-23 11:50 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\ESET
2009-11-23 11:05 . 2009-11-23 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-22 20:55 . 2009-11-22 20:55 -------- d-----w- c:\documents and settings\MADxface\Application Data\DivX
2009-11-22 20:54 . 2009-09-25 16:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-22 20:54 . 2009-09-25 16:42 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-22 20:53 . 2009-11-22 20:54 -------- d-----w- c:\program files\DivX
2009-11-22 20:53 . 2009-11-22 20:53 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-22 20:47 . 2009-11-22 20:47 -------- d-----w- c:\documents and settings\MADxface\Application Data\ACD Systems
2009-11-22 12:17 . 2009-11-22 12:17 -------- d-----w- c:\program files\Recuva
2009-11-22 10:06 . 2009-11-22 10:12 -------- d-----w- C:\music
2009-11-21 20:08 . 2009-11-23 23:19 -------- d-----w- C:\Share
2009-11-21 18:07 . 2008-04-14 03:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-21 17:38 . 2008-04-14 08:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-21 17:38 . 2008-04-14 03:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-21 17:38 . 2008-04-14 03:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-21 17:38 . 2001-08-18 01:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-21 12:41 . 2009-11-23 23:35 110592 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEClient.dll
2009-11-21 12:41 . 2009-03-28 15:22 94208 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEServer.dll
2009-11-21 12:41 . 2009-11-21 12:41 0 ----a-r- C:\logwmemory.bin
2009-11-21 10:22 . 2009-11-21 10:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\AdobeUM
2009-11-21 01:04 . 2009-11-21 01:04 5840 ----a-w- c:\windows\system32\07.scr
2009-11-21 00:43 . 2009-11-21 15:47 -------- d-----w- c:\documents and settings\MADxface\Application Data\Winamp
2009-11-21 00:43 . 2009-11-21 00:44 -------- d-----w- c:\program files\Winamp
2009-11-21 00:37 . 2009-11-21 00:38 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Adobe
2009-11-21 00:28 . 2009-11-21 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-11-21 00:27 . 2009-11-21 00:27 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-21 00:23 . 2003-12-27 16:12 137216 ----a-w- c:\windows\system32\drivers\d344bus.sys
2009-11-21 00:23 . 2003-12-26 22:08 5248 ------w- c:\windows\system32\drivers\d344prt.sys
2009-11-21 00:23 . 2009-11-21 00:23 -------- d-----w- c:\program files\D-Tools
2009-11-21 00:21 . 2009-11-21 00:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-21 00:21 . 2009-11-24 20:09 -------- d-----w- c:\documents and settings\MADxface\Application Data\skypePM
2009-11-21 00:19 . 2009-11-24 20:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\program files\Common Files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----r- c:\program files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-21 00:14 . 2009-11-21 00:15 -------- d-----w- c:\documents and settings\MADxface\Application Data\ICQ
2009-11-21 00:13 . 2009-11-21 00:15 -------- d-----w- c:\program files\ICQ6.5
2009-11-21 00:11 . 2009-11-21 00:11 -------- d-----w- c:\program files\PC Translator
2009-11-21 00:07 . 2009-11-21 00:08 -------- d-----w- c:\program files\Total Video Converter
2009-11-21 00:03 . 2009-11-21 17:42 -------- d-----w- c:\documents and settings\MADxface\Application Data\Apple Computer
2009-11-21 00:02 . 2009-05-18 09:47 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-21 00:02 . 2008-04-17 08:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iPod
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iTunes
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\Bonjour
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\QuickTime
2009-11-21 00:01 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Apple
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\Apple Software Update
2009-11-21 00:01 . 2009-11-21 00:02 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-21 00:01 . 2009-08-28 15:12 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-11-21 00:01 . 2009-08-28 15:12 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-11-21 00:00 . 2009-11-21 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-21 00:00 . 2009-11-21 00:00 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 10:17 . 2009-11-20 23:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-25 10:17 . 2009-11-20 23:02 2850 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-11-24 18:22 . 2009-11-20 23:56 -------- d-----w- c:\documents and settings\MADxface\Application Data\vlc
2009-11-23 12:30 . 2009-11-20 23:09 18248 ----a-w- c:\documents and settings\MADxface\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-22 22:35 . 2009-11-20 23:45 -------- d-----w- c:\program files\Opera
2009-11-22 20:29 . 2009-11-20 23:44 -------- d-----w- c:\program files\DC++
2009-11-22 16:06 . 2009-11-20 23:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-21 10:17 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer
2009-11-21 00:32 . 2009-11-20 23:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-20 23:52 . 2009-11-20 23:52 -------- d-----w- c:\program files\VideoLAN
2009-11-20 23:48 . 2009-11-20 23:48 -------- d-----w- c:\documents and settings\MADxface\Application Data\Soldat
2009-11-20 23:44 . 2009-11-20 23:44 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-11-20 23:44 . 2009-11-20 23:44 737280 ----a-w- c:\windows\iun6002.exe
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer Pro
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\program files\Webteh
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 9856 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Intel
2009-11-20 23:21 . 2009-11-20 23:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Realtek
2009-11-20 23:20 . 2009-11-20 23:20 -------- d-----w- c:\documents and settings\MADxface\Application Data\InstallShield
2009-11-20 23:17 . 2009-11-20 23:17 -------- d-----w- c:\program files\C-Media 3D Audio
2009-11-20 23:15 . 2009-11-20 23:15 8 ----a-w- c:\windows\system32\nvModes.dat
2009-11-20 23:14 . 2009-11-20 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-11-20 23:04 . 2009-11-20 23:04 -------- d-----w- c:\program files\microsoft frontpage
2009-11-20 23:02 . 2009-11-20 23:02 8738 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-11-20 23:00 . 2009-11-20 23:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-20 22:59 . 2009-11-20 22:59 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-12 12:37 . 2009-11-12 12:37 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-09-25 16:42 . 2009-11-21 00:44 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\MADxface\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Soldat\\Soldat.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [21. 11. 2009 1:23 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [21. 11. 2009 1:23 5248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [23. 11. 2009 14:40 207280]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6. 2. 2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6. 2. 2009 14:24 93336]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [23. 11. 2009 14:48 112592]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6. 2. 2009 14:23 727720]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [23. 11. 2009 14:40 358600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24. 11. 2009 16:15 19160]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-HijackThis - d:\software\HijackThis.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 13:52
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x855A5330]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7872f28
\Driver\ACPI -> ACPI.sys @ 0xf77c3cb8
\Driver\atapi -> atapi.sys @ 0xf7735852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf75fabb0
PacketIndicateHandler -> NDIS.sys @ 0xf7607a21
SendHandler -> NDIS.sys @ 0xf75e587b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2009-11-25 13:57
ComboFix-quarantined-files.txt 2009-11-25 12:56

Pre-Run: 8 506 646 528 bytes free
Post-Run: 8 480 079 872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A587426ACCE57778E23D26B9D4F8FB52


Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

Prikladam log z combofixu

ComboFix 09-11-24.04 - MADxface . 11. 2009 13:41.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.1023.615 [GMT 1:00]
Running from: c:\documents and settings\MADxface\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\Drivers\d344prt.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-24 15:15 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 15:15 . 2009-11-24 15:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 15:15 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 15:06 . 2009-11-24 15:06 -------- d-----w- c:\program files\ESET
2009-11-24 10:52 . 2009-11-24 10:52 -------- d-----w- C:\NOD_upd
2009-11-23 23:30 . 2009-11-23 23:31 -------- d-----w- C:\Soldat
2009-11-23 19:57 . 2009-11-23 19:57 -------- d-----w- c:\documents and settings\MADxface\Application Data\Malwarebytes
2009-11-23 19:57 . 2009-11-23 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 13:48 . 2009-10-08 10:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-23 13:48 . 2009-10-08 10:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-23 13:48 . 2009-10-08 10:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-23 13:48 . 2009-10-08 10:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-23 13:48 . 2009-10-02 13:19 1152470 ----a-w- c:\windows\UDB.zip
2009-11-23 13:48 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2009-11-23 13:40 . 2009-09-24 07:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-23 13:40 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-23 13:40 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-23 13:40 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-23 13:40 . 2009-11-23 13:48 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-23 13:40 . 2009-11-25 12:46 -------- d-----w- c:\program files\Spyware Doctor
2009-11-23 13:40 . 2009-11-23 13:40 -------- d-----w- c:\documents and settings\MADxface\Application Data\PC Tools
2009-11-23 13:40 . 2009-11-23 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-23 13:40 . 2009-11-25 12:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-23 11:50 . 2009-11-23 11:50 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\ESET
2009-11-23 11:05 . 2009-11-23 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-22 20:55 . 2009-11-22 20:55 -------- d-----w- c:\documents and settings\MADxface\Application Data\DivX
2009-11-22 20:54 . 2009-09-25 16:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-22 20:54 . 2009-09-25 16:42 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-22 20:53 . 2009-11-22 20:54 -------- d-----w- c:\program files\DivX
2009-11-22 20:53 . 2009-11-22 20:53 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-22 20:47 . 2009-11-22 20:47 -------- d-----w- c:\documents and settings\MADxface\Application Data\ACD Systems
2009-11-22 12:17 . 2009-11-22 12:17 -------- d-----w- c:\program files\Recuva
2009-11-22 10:06 . 2009-11-22 10:12 -------- d-----w- C:\music
2009-11-21 20:08 . 2009-11-23 23:19 -------- d-----w- C:\Share
2009-11-21 18:07 . 2008-04-14 03:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-21 17:38 . 2008-04-14 08:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-21 17:38 . 2008-04-14 03:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-21 17:38 . 2008-04-14 03:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-21 17:38 . 2001-08-18 01:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-21 12:41 . 2009-11-23 23:35 110592 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEClient.dll
2009-11-21 12:41 . 2009-03-28 15:22 94208 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEServer.dll
2009-11-21 12:41 . 2009-11-21 12:41 0 ----a-r- C:\logwmemory.bin
2009-11-21 10:22 . 2009-11-21 10:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\AdobeUM
2009-11-21 01:04 . 2009-11-21 01:04 5840 ----a-w- c:\windows\system32\07.scr
2009-11-21 00:43 . 2009-11-21 15:47 -------- d-----w- c:\documents and settings\MADxface\Application Data\Winamp
2009-11-21 00:43 . 2009-11-21 00:44 -------- d-----w- c:\program files\Winamp
2009-11-21 00:37 . 2009-11-21 00:38 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Adobe
2009-11-21 00:28 . 2009-11-21 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-11-21 00:27 . 2009-11-21 00:27 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-21 00:23 . 2003-12-27 16:12 137216 ----a-w- c:\windows\system32\drivers\d344bus.sys
2009-11-21 00:23 . 2003-12-26 22:08 5248 ------w- c:\windows\system32\drivers\d344prt.sys
2009-11-21 00:23 . 2009-11-21 00:23 -------- d-----w- c:\program files\D-Tools
2009-11-21 00:21 . 2009-11-21 00:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-21 00:21 . 2009-11-24 20:09 -------- d-----w- c:\documents and settings\MADxface\Application Data\skypePM
2009-11-21 00:19 . 2009-11-24 20:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\program files\Common Files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----r- c:\program files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-21 00:14 . 2009-11-21 00:15 -------- d-----w- c:\documents and settings\MADxface\Application Data\ICQ
2009-11-21 00:13 . 2009-11-21 00:15 -------- d-----w- c:\program files\ICQ6.5
2009-11-21 00:11 . 2009-11-21 00:11 -------- d-----w- c:\program files\PC Translator
2009-11-21 00:07 . 2009-11-21 00:08 -------- d-----w- c:\program files\Total Video Converter
2009-11-21 00:03 . 2009-11-21 17:42 -------- d-----w- c:\documents and settings\MADxface\Application Data\Apple Computer
2009-11-21 00:02 . 2009-05-18 09:47 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-21 00:02 . 2008-04-17 08:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iPod
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iTunes
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\Bonjour
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\QuickTime
2009-11-21 00:01 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Apple
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\Apple Software Update
2009-11-21 00:01 . 2009-11-21 00:02 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-21 00:01 . 2009-08-28 15:12 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-11-21 00:01 . 2009-08-28 15:12 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-11-21 00:00 . 2009-11-21 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-21 00:00 . 2009-11-21 00:00 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 10:17 . 2009-11-20 23:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-25 10:17 . 2009-11-20 23:02 2850 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-11-24 18:22 . 2009-11-20 23:56 -------- d-----w- c:\documents and settings\MADxface\Application Data\vlc
2009-11-23 12:30 . 2009-11-20 23:09 18248 ----a-w- c:\documents and settings\MADxface\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-22 22:35 . 2009-11-20 23:45 -------- d-----w- c:\program files\Opera
2009-11-22 20:29 . 2009-11-20 23:44 -------- d-----w- c:\program files\DC++
2009-11-22 16:06 . 2009-11-20 23:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-21 10:17 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer
2009-11-21 00:32 . 2009-11-20 23:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-20 23:52 . 2009-11-20 23:52 -------- d-----w- c:\program files\VideoLAN
2009-11-20 23:48 . 2009-11-20 23:48 -------- d-----w- c:\documents and settings\MADxface\Application Data\Soldat
2009-11-20 23:44 . 2009-11-20 23:44 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-11-20 23:44 . 2009-11-20 23:44 737280 ----a-w- c:\windows\iun6002.exe
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer Pro
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\program files\Webteh
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 9856 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Intel
2009-11-20 23:21 . 2009-11-20 23:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Realtek
2009-11-20 23:20 . 2009-11-20 23:20 -------- d-----w- c:\documents and settings\MADxface\Application Data\InstallShield
2009-11-20 23:17 . 2009-11-20 23:17 -------- d-----w- c:\program files\C-Media 3D Audio
2009-11-20 23:15 . 2009-11-20 23:15 8 ----a-w- c:\windows\system32\nvModes.dat
2009-11-20 23:14 . 2009-11-20 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-11-20 23:04 . 2009-11-20 23:04 -------- d-----w- c:\program files\microsoft frontpage
2009-11-20 23:02 . 2009-11-20 23:02 8738 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-11-20 23:00 . 2009-11-20 23:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-20 22:59 . 2009-11-20 22:59 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-12 12:37 . 2009-11-12 12:37 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-09-25 16:42 . 2009-11-21 00:44 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\MADxface\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Soldat\\Soldat.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [21. 11. 2009 1:23 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [21. 11. 2009 1:23 5248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [23. 11. 2009 14:40 207280]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6. 2. 2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6. 2. 2009 14:24 93336]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [23. 11. 2009 14:48 112592]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6. 2. 2009 14:23 727720]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [23. 11. 2009 14:40 358600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24. 11. 2009 16:15 19160]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-HijackThis - d:\software\HijackThis.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 13:52
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x855A5330]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7872f28
\Driver\ACPI -> ACPI.sys @ 0xf77c3cb8
\Driver\atapi -> atapi.sys @ 0xf7735852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf75fabb0
PacketIndicateHandler -> NDIS.sys @ 0xf7607a21
SendHandler -> NDIS.sys @ 0xf75e587b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2009-11-25 13:57
ComboFix-quarantined-files.txt 2009-11-25 12:56

Pre-Run: 8 506 646 528 bytes free
Post-Run: 8 480 079 872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A587426ACCE57778E23D26B9D4F8FB52


Offline

Užívateľ
Užívateľ
Trojan.Generic & Malware.Neeris + blokovane aktualizacie

Registrovaný: 14.04.08
Prihlásený: 04.06.16
Príspevky: 704
Témy: 42 | 42
Bydlisko: Bratislava
Vek: 24

mozno ti pomoze toto boot cd od aviry, ktorym to mozes preverit nezavisle od nainstalovaneho systemu: http://www.free-av.com/en/tools/12/avir ... ystem.html


_________________
pc: MB: MSI K9N SLi (chipset nvidia nforce 570 SLi), CPU: amd athlon X2 5600+ 2.8 Ghz Windsor chladeny ac freezer 64 pro, ram:2 GB 800Mhz DDR2 A-DATA Vitesta Extreme Edition (2x1GB), grafika: Sapphire Radeon HD 3870 512MB, HDD:Hitachi deskstar SATA2 7200 rpm 500.1GB, PSU: 450W Eurocase
Offline

Skúsený užívateľ
Skúsený užívateľ
Obrázok užívateľa

Registrovaný: 15.08.09
Prihlásený: 05.02.10
Príspevky: 355
Témy: 0 | 0

Nazdar. Hned na uvod par veci - pokial nemas instalacne CD/DVD, tak sme skoncili...mas tam novy TDL3 rootkit, svinstvo najvacsieho kalibru a my sme bez SVI...ale co uz. Dalsie vec je robenie ukonov na vlastne triko, ktore ti viac uskodili, ako pomohli (vid zmazanie System Volume Info, pouzitie CF, atd.).

1) Odinstaluj Alcohol/Daemon (Start -> Ovl. Panel -> Pridat/Odstranit Programy).
Ak by to neslo, pouzi Revo Uninstaller.


2) Stiahni GMER, rozbal ho na plochu a spust. Program automaticky zacne scan (po jeho skonceni vloz log c. 1) - pokial pri scanovani nieco najde (=vyskoci nejake upozornenie), klik na "NO" a vpravo zafajknes vsetky polozky OKREM:
  • Sections
  • IAT/EAT
  • Registry
  • nesystemovych diskov a particii (system je zvycajne na "C:\" - takze nezaskrtnute nechas "D:\", "E:\"...atd.)
  • Show All

Klik na "Scan". Po scane klik na "Save" a log c. 2 vloz sem.

Ak nic nenajde (=nevyskoci nic), zaskrtaj vpravo vsetko a spusti scan. Po jeho ukonceni klik na "Copy" a vloz log c. 2.


A logy prosim nijak neupravovat (vid HJT).


Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

Pokial si myslel instalacne dvd windowsu, mam.
deamon odinstalovany,bez problemov
cez gmer nic nevyskocilo.

----log c 1----

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-11-25 23:08:06
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MADxface\LOCALS~1\Temp\pfqyqfob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 850D1790

---- EOF - GMER 1.0.15 ----

----log c 2-----

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 23:42:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MADxface\LOCALS~1\Temp\pfqyqfob.sys


---- System - GMER 1.0.15 ----

SSDT 850D3630 ZwAssignProcessToJobObject
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7718E22]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF76F9CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF76F9ECE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7719610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF77198C4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7717B14]
SSDT 850D2A60 ZwOpenProcess
SSDT 850D2E80 ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7719D30]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF77190E2]
SSDT 850D3460 ZwSuspendProcess
SSDT 850D3280 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF76F9982]
SSDT 850D30B0 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6076360, 0x37388D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BC0001
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C70001
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015C0001
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01450001
.text C:\WINDOWS\system32\winlogon.exe[672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\winlogon.exe[672] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01120001
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01310001
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01250001
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:


Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

pokracovanie (nezobralo to na jeden krat cele)
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01390001
.text C:\WINDOWS\system32\nvsvc32.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\nvsvc32.exe[1044] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00790001
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02DB0001
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D70001
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DE0001
.text C:\WINDOWS\Explorer.EXE[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\Explorer.EXE[1556] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001
.text C:\WINDOWS\system32\spoolsv.exe[1680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\spoolsv.exe[1680] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10183D80
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10183BF0
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10183DF0
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10183AA4
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10183218
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 101827E8
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1018277C
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10183A50
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10183D80
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 023C0001
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10183BF0
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10183DF0
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10183AA4
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10183218


Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

pokracovanie dalsie

.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10183218
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 101827E8
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1018277C
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10183A50
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F30001
.text C:\WINDOWS\system32\ctfmon.exe[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\ctfmon.exe[1932] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\ctfmon.exe[1932] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\ctfmon.exe[1932] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1932] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[1932] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[1932] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\ctfmon.exe[1932] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\ctfmon.exe[1932] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\ctfmon.exe[1932] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\ctfmon.exe[1932] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\ctfmon.exe[1932] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01400001
.text C:\WINDOWS\system32\rundll32.exe[1972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\rundll32.exe[1972] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\rundll32.exe[1972] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\rundll32.exe[1972] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\rundll32.exe[1972] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\rundll32.exe[1972] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\rundll32.exe[1972] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\rundll32.exe[1972] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\rundll32.exe[1972] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\rundll32.exe[1972] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\rundll32.exe[1972] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\rundll32.exe[1972] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\NOTEPAD.EXE[2196] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10183D80
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A20001
.text C:\WINDOWS\system32\wscntfy.exe[2272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10183BF0
.text C:\WINDOWS\system32\wscntfy.exe[2272] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10183DF0
.text C:\WINDOWS\system32\wscntfy.exe[2272] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2272] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2272] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[2272] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[2272] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10183AA4
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10183218
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 101827E8
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1018277C
.text C:\WINDOWS\system32\wscntfy.exe[2272] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10183A50
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\NOTEPAD.EXE[2376] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00880001
.text C:\WINDOWS\System32\alg.exe[2508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\alg.exe[2508] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\alg.exe[2508] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[2508] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[2508] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2508] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\alg.exe[2508] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\Program Files\Opera\opera.exe[3172] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BB0001
.text C:\Program Files\Opera\opera.exe[3172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Opera\opera.exe[3172] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Opera\opera.exe[3172] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Opera\opera.exe[3172] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\Opera\opera.exe[3172] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Opera\opera.exe[3172] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\Opera\opera.exe[3172] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Opera\opera.exe[3172] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Opera\opera.exe[3172] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Opera\opera.exe[3172] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Opera\opera.exe[3172] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Opera\opera.exe[3172] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EE0001
.text C:\totalcmd\TOTALCMD.EXE[3916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\totalcmd\TOTALCMD.EXE[3916] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll


Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

pokracovanie last

.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 850D1790

---- EOF - GMER 1.0.15 ----


Offline

Užívateľ
Užívateľ
Trojan.Generic & Malware.Neeris + blokovane aktualizacie

Registrovaný: 12.09.08
Prihlásený: 27.10.17
Príspevky: 383
Témy: 16 | 16
Bydlisko: Košice

takto. nechcem tu uz zasahovat do temy, len chcem upozornit, ze tu istu temu mas aj na viry.cz - a tam mozes mat poradeny iny postup od radcu (a aj ti radi), tak aby si si to zosuladil a aj pitimir vedel, ze robis aj iny postup. Aby sa dvoma postupmi nieco systemovo neposkodilo.


_________________
PC2= MB: Gigabyte M52L-S3P; CPU: AMD Athlon 64 X2 5200+ 2,7Ghz; RAM: 2x2GB 667Mhz Kingston HyperX CL5; VGA: Sapphire HD6670 1GB GDDR5; HDD: WD Caviar Blue 320GB; DVD RW: Sony Optiarc AD 7201S; LCD: Acer V223W "22"; PSU: Seasonic S12-II 430W; AUDIO: Teac PowerMax 200; KEY: Genius; MOUSE: E-BLUE Silenz; OS: Win Vista Bussiness 32bit,
USB: SanDisk Cruzer Extreme 32GB 3.0
Offline

Užívateľ
Užívateľ
Obrázok užívateľa

Registrovaný: 24.11.09
Prihlásený: 12.06.11
Príspevky: 14
Témy: 3 | 3
Bydlisko: Zilina

postupujem presne podla rad od pitimira
v dalsom kroku som len urobil dalsi scan z combofixu


Offline

Skúsený užívateľ
Skúsený užívateľ
Obrázok užívateľa

Registrovaný: 15.08.09
Prihlásený: 05.02.10
Príspevky: 355
Témy: 0 | 0

Ach jaj...roboty je vela a takto zbytocne plytvat casom... :roll:
Tu koncim, domietam robit duplicitne kroky a kolegini tym ztazovat zivot.

http://viry.cz/forum/viewtopic.php?f=13 ... 27#p773027

Dobojuj to s motji, mas to tam viac rozbehnute.


 [ Príspevkov: 14 ] 


Trojan.Generic & Malware.Neeris + blokovane aktualizacie



Podobné témy

 Témy  Odpovede  Zobrazenia  Posledný príspevok 
V tomto fóre nie sú ďalšie neprečítané témy.

Trojan horse Downloader.Generic.HGT" prosim o pomoc

v Antivíry a antispywary

22

2294

30.09.2006 2:34

BEDUIN

V tomto fóre nie sú ďalšie neprečítané témy.

Chrome - casch & aktualizacie

v Sieťové a internetové programy

0

64

09.10.2013 10:46

Megi

V tomto fóre nie sú ďalšie neprečítané témy.

Trojan.Win32/ agent Trojan.Win32/Wundo

[ Choď na stránku:Choď na stránku: 1, 2 ]

v Antivíry a antispywary

47

924

28.12.2012 21:55

personal compuper

V tomto fóre nie sú ďalšie neprečítané témy.

Symbian & android & iOS & WinMobile

[ Choď na stránku:Choď na stránku: 1, 2 ]

v Smartfóny a tablety

41

1772

15.12.2011 21:16

haffen

V tomto fóre nie sú ďalšie neprečítané témy.

Blokovane ICQ?!

v Sieťové a internetové programy

2

373

25.11.2006 17:48

Kamahl

V tomto fóre nie sú ďalšie neprečítané témy.

Blokovane stranky

v Sieťové a internetové programy

10

2737

13.09.2007 13:13

maciakba

V tomto fóre nie sú ďalšie neprečítané témy.

Blokovane Ctrl+O

v Operačné systémy Microsoft

0

77

18.03.2016 19:32

JozefGatial

V tomto fóre nie sú ďalšie neprečítané témy.

Blokovane stranky v praci

v Sieťové a internetové programy

2

364

15.03.2011 20:24

Gr4s5

V tomto fóre nie sú ďalšie neprečítané témy.

Vista a blokovane DEP nastavenie v IE7

v Operačné systémy Microsoft

0

295

04.03.2007 19:18

tairikuokami

V tomto fóre nie sú ďalšie neprečítané témy.

Generic Host

v Operačné systémy Microsoft

7

379

09.10.2007 21:50

Rbot

V tomto fóre nie sú ďalšie neprečítané témy.

P: War 3 RoCH & TFT, Diablo 2 & LOD

v Predám

1

348

17.05.2011 20:25

KocuR

V tomto fóre nie sú ďalšie neprečítané témy.

Generic Host Process

v Operačné systémy Microsoft

1

238

09.02.2008 22:53

Romi

Táto téma je zamknutá, nemôžete posielať nové príspevky alebo odpovedať na staršie.

P: AMD Athlon II X3 455 AM3 & DDR3 8Gb & 4Gb

v Predám

6

233

14.12.2012 12:37

MilanYX

V tomto fóre nie sú ďalšie neprečítané témy.

DELL XPS L502X & Kingston HyperX FURY SSD 120GB & ICY BOX AC642

v SSD disky

11

254

24.12.2014 16:11

Miso122

V tomto fóre nie sú ďalšie neprečítané témy.

vyhladenie & zmensenie & spestrenie obrazka

v Grafické programy

5

781

12.06.2007 20:22

Devil_SK

V tomto fóre nie sú ďalšie neprečítané témy.

ovládač - Generic Digital camera

[ Choď na stránku:Choď na stránku: 1, 2 ]

v Ovládače

30

9692

19.07.2012 11:41

jch0211



© 2005 - 2017 PCforum, edited by JanoF