Posted: 24.11.2009 19:21 (Zilina)

I'm asking for advice.
I caught an infiltration.
System Restore turned off.
Cleaned with ATF Cleaner.

Spyware Doctor found
Trojan.Generic
Malware.Neeris
It can delete them, but after restarting the computer they are back.

Neither Symantec nor NOD32 can update their virus databases, not even using offline databases.

Malwarebytes' Anti-Malware is killed after a few seconds.

Through the browser it is not possible to connect to any page related to antivirus, spyware, blah blah blah... other internet connectivity works.

The hosts file (the one without an extension) is clean in my opinion.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


-=LOG=-
Logfile of HijackThis v1.99.1
Scan saved at 18:22:40, on 24. 11. 2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Program Files\Opera\opera.exe
C:\totalcmd\TOTALCMD.EXE
D:\software\Ochrana Antivirus Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\PROGRA~1\PCTRAN~1\webie.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebTran - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: &Nastaviť prekladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preložiť &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra 'Tools' menuitem: Preložiť &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\PROGRA~1\PCTRAN~1\webie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


I'm at a loss with this. What about you?
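The poster judged the hosts file clean by reading it. The script below, an added example that is not part of the thread or any tool it mentions, automates that check in the way a responder would: it parses HOSTS the way TCP/IP does (tabs, several names per line, trailing # comments), flags any entry for a security-vendor or update host regardless of address, and flags every other non-local mapping for review. The watch-list, the sample files and the helper names are assumptions constructed for this example; the one Windows-specific fact it relies on is that the directory TCP/IP reads HOSTS from is the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so a clean file in system32\drivers\etc proves little if that value has been pointed elsewhere.

```python
"""Audit a Windows HOSTS file for sinkholed or redirected security-vendor hosts.

Added example for this thread, not code from the original post. The watch-list
below is an assumption chosen to match the symptoms described (AV updates and
vendor web sites unreachable); extend it for your own environment.
"""
import ipaddress
import os

# Assumed watch-list: substrings of host names whose presence in HOSTS is
# suspicious by itself, because no normal setup pins vendor/update hosts.
WATCHED_SUBSTRINGS = (
    "symantec", "norton", "eset", "nod32", "malwarebytes", "pctools",
    "microsoft", "windowsupdate", "update", "avast", "avg", "kaspersky",
    "antivirus", "spyware",
)


def parse_hosts(text):
    """Parse HOSTS text into (line_no, ip, [hostnames]) tuples.

    Handles tabs, several host names per line and trailing '#' comments;
    lines whose first field is not an IP address are returned separately
    so a malformed or deliberately odd line is never silently dropped.
    """
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((line_no, raw.rstrip()))
            continue
        if len(fields) < 2:
            malformed.append((line_no, raw.rstrip()))
            continue
        entries.append((line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]))
    return entries, malformed


def audit_hosts(text):
    """Return a list of findings; an empty list means nothing suspicious.

    Each finding is (line_no, host, ip_str, reason):
      - a watched host mapped anywhere is "block" (127.0.0.1 / 0.0.0.0) or
        "redirect" (any other address);
      - any other host mapped to a non-local address is "review", because a
        HOSTS entry pointing at a real address silently overrides DNS;
      - lines that do not parse are "malformed".
    """
    findings = []
    entries, malformed = parse_hosts(text)
    for line_no, ip, hosts in entries:
        local = ip.is_loopback or ip.is_unspecified
        for host in hosts:
            if host in ("localhost", "localhost.localdomain") and local:
                continue  # the only mapping the default file ships with
            if any(s in host for s in WATCHED_SUBSTRINGS):
                findings.append((line_no, host, str(ip), "block" if local else "redirect"))
            elif not local:
                findings.append((line_no, host, str(ip), "review"))
    for line_no, raw in malformed:
        findings.append((line_no, raw, "", "malformed"))
    return findings


def hosts_path_from_registry():
    """On Windows, return the directory TCP/IP actually reads HOSTS from.

    Read from the DataBasePath value (normally %SystemRoot%\\System32\\drivers\\etc);
    a changed value means the file in system32\\drivers\\etc may not be the one in use.
    Returns None on non-Windows hosts, where winreg does not exist.
    """
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    try:
        value, _ = winreg.QueryValueEx(key, "DataBasePath")
    finally:
        winreg.CloseKey(key)
    return os.path.expandvars(value)


# Constructed samples (not the poster's file): one clean, one tampered.
CLEAN_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
"""

TAMPERED_SAMPLE = """\
127.0.0.1 localhost
127.0.0.1\tliveupdate.symantec.com  update.symantec.com # two hosts, tab-separated
0.0.0.0 um01.eset.com
10.0.0.5 www.malwarebytes.org
192.0.2.10 intranet.example
this is not an address
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(name, "->", audit_hosts(sample) or "no findings")
    print("DataBasePath:", hosts_path_from_registry() or "(not on Windows)")
```

Run it against the file at the path hosts_path_from_registry() returns rather than the one you expect; if the two differ, that difference is itself the finding. An empty result only rules out HOSTS as the blocking mechanism, which is consistent with this thread, where the later ComboFix output points at a driver and an NTDLL hook rather than at name resolution.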


Trojan.Generic & Malware.Neeris + blocked updates

Posted: 25.11.2009 11:12 (Bratislava)

Did you also try Windows in safe mode?
Posted by the topic author: 25.11.2009 11:39

Of course I tried that; the problem persists.


Posted by the topic author: 25.11.2009 14:14

I'm attaching the ComboFix log.

ComboFix 09-11-24.04 - MADxface . 11. 2009 13:41.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.1023.615 [GMT 1:00]
Running from: c:\documents and settings\MADxface\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\Drivers\d344prt.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))
.

2009-11-24 15:15 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-24 15:15 . 2009-11-24 15:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 15:15 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 15:06 . 2009-11-24 15:06 -------- d-----w- c:\program files\ESET
2009-11-24 10:52 . 2009-11-24 10:52 -------- d-----w- C:\NOD_upd
2009-11-23 23:30 . 2009-11-23 23:31 -------- d-----w- C:\Soldat
2009-11-23 19:57 . 2009-11-23 19:57 -------- d-----w- c:\documents and settings\MADxface\Application Data\Malwarebytes
2009-11-23 19:57 . 2009-11-23 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 13:48 . 2009-10-08 10:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-23 13:48 . 2009-10-08 10:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-23 13:48 . 2009-10-08 10:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-23 13:48 . 2009-10-08 10:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-23 13:48 . 2009-10-02 13:19 1152470 ----a-w- c:\windows\UDB.zip
2009-11-23 13:48 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2009-11-23 13:40 . 2009-09-24 07:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-23 13:40 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-23 13:40 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-23 13:40 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-23 13:40 . 2009-11-23 13:48 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-23 13:40 . 2009-11-25 12:46 -------- d-----w- c:\program files\Spyware Doctor
2009-11-23 13:40 . 2009-11-23 13:40 -------- d-----w- c:\documents and settings\MADxface\Application Data\PC Tools
2009-11-23 13:40 . 2009-11-23 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-23 13:40 . 2009-11-25 12:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-23 11:50 . 2009-11-23 11:50 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\ESET
2009-11-23 11:05 . 2009-11-23 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-11-22 20:55 . 2009-11-22 20:55 -------- d-----w- c:\documents and settings\MADxface\Application Data\DivX
2009-11-22 20:54 . 2009-09-25 16:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-22 20:54 . 2009-09-25 16:42 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-22 20:53 . 2009-11-22 20:54 -------- d-----w- c:\program files\DivX
2009-11-22 20:53 . 2009-11-22 20:53 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-22 20:47 . 2009-11-22 20:47 -------- d-----w- c:\documents and settings\MADxface\Application Data\ACD Systems
2009-11-22 12:17 . 2009-11-22 12:17 -------- d-----w- c:\program files\Recuva
2009-11-22 10:06 . 2009-11-22 10:12 -------- d-----w- C:\music
2009-11-21 20:08 . 2009-11-23 23:19 -------- d-----w- C:\Share
2009-11-21 18:07 . 2008-04-14 03:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-21 17:38 . 2008-04-14 08:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-21 17:38 . 2008-04-14 03:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-21 17:38 . 2008-04-14 03:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-21 17:38 . 2001-08-18 01:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-21 12:41 . 2009-11-23 23:35 110592 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEClient.dll
2009-11-21 12:41 . 2009-03-28 15:22 94208 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEServer.dll
2009-11-21 12:41 . 2009-11-21 12:41 0 ----a-r- C:\logwmemory.bin
2009-11-21 10:22 . 2009-11-21 10:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\AdobeUM
2009-11-21 01:04 . 2009-11-21 01:04 5840 ----a-w- c:\windows\system32\07.scr
2009-11-21 00:43 . 2009-11-21 15:47 -------- d-----w- c:\documents and settings\MADxface\Application Data\Winamp
2009-11-21 00:43 . 2009-11-21 00:44 -------- d-----w- c:\program files\Winamp
2009-11-21 00:37 . 2009-11-21 00:38 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Adobe
2009-11-21 00:28 . 2009-11-21 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-11-21 00:27 . 2009-11-21 00:27 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-21 00:23 . 2003-12-27 16:12 137216 ----a-w- c:\windows\system32\drivers\d344bus.sys
2009-11-21 00:23 . 2003-12-26 22:08 5248 ------w- c:\windows\system32\drivers\d344prt.sys
2009-11-21 00:23 . 2009-11-21 00:23 -------- d-----w- c:\program files\D-Tools
2009-11-21 00:21 . 2009-11-21 00:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-21 00:21 . 2009-11-24 20:09 -------- d-----w- c:\documents and settings\MADxface\Application Data\skypePM
2009-11-21 00:19 . 2009-11-24 20:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\program files\Common Files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----r- c:\program files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-21 00:14 . 2009-11-21 00:15 -------- d-----w- c:\documents and settings\MADxface\Application Data\ICQ
2009-11-21 00:13 . 2009-11-21 00:15 -------- d-----w- c:\program files\ICQ6.5
2009-11-21 00:11 . 2009-11-21 00:11 -------- d-----w- c:\program files\PC Translator
2009-11-21 00:07 . 2009-11-21 00:08 -------- d-----w- c:\program files\Total Video Converter
2009-11-21 00:03 . 2009-11-21 17:42 -------- d-----w- c:\documents and settings\MADxface\Application Data\Apple Computer
2009-11-21 00:02 . 2009-05-18 09:47 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-21 00:02 . 2008-04-17 08:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iPod
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iTunes
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\Bonjour
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\QuickTime
2009-11-21 00:01 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Apple
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\Apple Software Update
2009-11-21 00:01 . 2009-11-21 00:02 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-21 00:01 . 2009-08-28 15:12 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-11-21 00:01 . 2009-08-28 15:12 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-11-21 00:00 . 2009-11-21 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-21 00:00 . 2009-11-21 00:00 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 10:17 . 2009-11-20 23:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-25 10:17 . 2009-11-20 23:02 2850 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-11-24 18:22 . 2009-11-20 23:56 -------- d-----w- c:\documents and settings\MADxface\Application Data\vlc
2009-11-23 12:30 . 2009-11-20 23:09 18248 ----a-w- c:\documents and settings\MADxface\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-22 22:35 . 2009-11-20 23:45 -------- d-----w- c:\program files\Opera
2009-11-22 20:29 . 2009-11-20 23:44 -------- d-----w- c:\program files\DC++
2009-11-22 16:06 . 2009-11-20 23:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-21 10:17 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer
2009-11-21 00:32 . 2009-11-20 23:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-20 23:52 . 2009-11-20 23:52 -------- d-----w- c:\program files\VideoLAN
2009-11-20 23:48 . 2009-11-20 23:48 -------- d-----w- c:\documents and settings\MADxface\Application Data\Soldat
2009-11-20 23:44 . 2009-11-20 23:44 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-11-20 23:44 . 2009-11-20 23:44 737280 ----a-w- c:\windows\iun6002.exe
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer Pro
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\program files\Webteh
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 9856 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Intel
2009-11-20 23:21 . 2009-11-20 23:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Realtek
2009-11-20 23:20 . 2009-11-20 23:20 -------- d-----w- c:\documents and settings\MADxface\Application Data\InstallShield
2009-11-20 23:17 . 2009-11-20 23:17 -------- d-----w- c:\program files\C-Media 3D Audio
2009-11-20 23:15 . 2009-11-20 23:15 8 ----a-w- c:\windows\system32\nvModes.dat
2009-11-20 23:14 . 2009-11-20 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-11-20 23:04 . 2009-11-20 23:04 -------- d-----w- c:\program files\microsoft frontpage
2009-11-20 23:02 . 2009-11-20 23:02 8738 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-11-20 23:00 . 2009-11-20 23:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-20 22:59 . 2009-11-20 22:59 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-12 12:37 . 2009-11-12 12:37 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-09-25 16:42 . 2009-11-21 00:44 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\MADxface\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Soldat\\Soldat.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [21. 11. 2009 1:23 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [21. 11. 2009 1:23 5248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [23. 11. 2009 14:40 207280]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6. 2. 2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6. 2. 2009 14:24 93336]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [23. 11. 2009 14:48 112592]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6. 2. 2009 14:23 727720]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [23. 11. 2009 14:40 358600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24. 11. 2009 16:15 19160]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-HijackThis - d:\software\HijackThis.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 13:52
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x855A5330]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7872f28
\Driver\ACPI -> ACPI.sys @ 0xf77c3cb8
\Driver\atapi -> atapi.sys @ 0xf7735852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf75fabb0
PacketIndicateHandler -> NDIS.sys @ 0xf7607a21
SendHandler -> NDIS.sys @ 0xf75e587b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2009-11-25 13:57
ComboFix-quarantined-files.txt 2009-11-25 12:56

Pre-Run: 8 506 646 528 bytes free
Post-Run: 8 480 079 872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A587426ACCE57778E23D26B9D4F8FB52


2009-11-22 12:17 . 2009-11-22 12:17 -------- d-----w- c:\program files\Recuva
2009-11-22 10:06 . 2009-11-22 10:12 -------- d-----w- C:\music
2009-11-21 20:08 . 2009-11-23 23:19 -------- d-----w- C:\Share
2009-11-21 18:07 . 2008-04-14 03:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-21 17:38 . 2008-04-14 08:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-21 17:38 . 2008-04-14 03:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-21 17:38 . 2008-04-14 03:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-21 17:38 . 2001-08-18 01:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-21 12:41 . 2009-11-23 23:35 110592 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEClient.dll
2009-11-21 12:41 . 2009-03-28 15:22 94208 ----a-w- c:\documents and settings\MADxface\Application Data\Soldat\Battleye\BEServer.dll
2009-11-21 12:41 . 2009-11-21 12:41 0 ----a-r- C:\logwmemory.bin
2009-11-21 10:22 . 2009-11-21 10:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\AdobeUM
2009-11-21 01:04 . 2009-11-21 01:04 5840 ----a-w- c:\windows\system32\07.scr
2009-11-21 00:43 . 2009-11-21 15:47 -------- d-----w- c:\documents and settings\MADxface\Application Data\Winamp
2009-11-21 00:43 . 2009-11-21 00:44 -------- d-----w- c:\program files\Winamp
2009-11-21 00:37 . 2009-11-21 00:38 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Adobe
2009-11-21 00:28 . 2009-11-21 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-11-21 00:27 . 2009-11-21 00:27 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-21 00:23 . 2003-12-27 16:12 137216 ----a-w- c:\windows\system32\drivers\d344bus.sys
2009-11-21 00:23 . 2003-12-26 22:08 5248 ------w- c:\windows\system32\drivers\d344prt.sys
2009-11-21 00:23 . 2009-11-21 00:23 -------- d-----w- c:\program files\D-Tools
2009-11-21 00:21 . 2009-11-21 00:21 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-21 00:21 . 2009-11-24 20:09 -------- d-----w- c:\documents and settings\MADxface\Application Data\skypePM
2009-11-21 00:19 . 2009-11-24 20:22 -------- d-----w- c:\documents and settings\MADxface\Application Data\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\program files\Common Files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----r- c:\program files\Skype
2009-11-21 00:19 . 2009-11-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-21 00:14 . 2009-11-21 00:15 -------- d-----w- c:\documents and settings\MADxface\Application Data\ICQ
2009-11-21 00:13 . 2009-11-21 00:15 -------- d-----w- c:\program files\ICQ6.5
2009-11-21 00:11 . 2009-11-21 00:11 -------- d-----w- c:\program files\PC Translator
2009-11-21 00:07 . 2009-11-21 00:08 -------- d-----w- c:\program files\Total Video Converter
2009-11-21 00:03 . 2009-11-21 17:42 -------- d-----w- c:\documents and settings\MADxface\Application Data\Apple Computer
2009-11-21 00:02 . 2009-05-18 09:47 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-21 00:02 . 2008-04-17 08:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iPod
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\iTunes
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\program files\Bonjour
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\QuickTime
2009-11-21 00:01 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\documents and settings\MADxface\Local Settings\Application Data\Apple
2009-11-21 00:01 . 2009-11-21 00:01 -------- d-----w- c:\program files\Apple Software Update
2009-11-21 00:01 . 2009-11-21 00:02 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-21 00:01 . 2009-08-28 15:12 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-11-21 00:01 . 2009-08-28 15:12 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-11-21 00:00 . 2009-11-21 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-21 00:00 . 2009-11-21 00:00 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 10:17 . 2009-11-20 23:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-25 10:17 . 2009-11-20 23:02 2850 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-11-24 18:22 . 2009-11-20 23:56 -------- d-----w- c:\documents and settings\MADxface\Application Data\vlc
2009-11-23 12:30 . 2009-11-20 23:09 18248 ----a-w- c:\documents and settings\MADxface\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-23 11:02 . 2009-11-20 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-22 22:35 . 2009-11-20 23:45 -------- d-----w- c:\program files\Opera
2009-11-22 20:29 . 2009-11-20 23:44 -------- d-----w- c:\program files\DC++
2009-11-22 16:06 . 2009-11-20 23:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-21 10:17 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer
2009-11-21 00:32 . 2009-11-20 23:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-20 23:52 . 2009-11-20 23:52 -------- d-----w- c:\program files\VideoLAN
2009-11-20 23:48 . 2009-11-20 23:48 -------- d-----w- c:\documents and settings\MADxface\Application Data\Soldat
2009-11-20 23:44 . 2009-11-20 23:44 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-11-20 23:44 . 2009-11-20 23:44 737280 ----a-w- c:\windows\iun6002.exe
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\documents and settings\MADxface\Application Data\BSplayer Pro
2009-11-20 23:43 . 2009-11-20 23:43 -------- d-----w- c:\program files\Webteh
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\program files\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-11-20 23:30 . 2009-11-20 23:30 9856 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Intel
2009-11-20 23:21 . 2009-11-20 23:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-20 23:21 . 2009-11-20 23:21 -------- d-----w- c:\program files\Realtek
2009-11-20 23:20 . 2009-11-20 23:20 -------- d-----w- c:\documents and settings\MADxface\Application Data\InstallShield
2009-11-20 23:17 . 2009-11-20 23:17 -------- d-----w- c:\program files\C-Media 3D Audio
2009-11-20 23:15 . 2009-11-20 23:15 8 ----a-w- c:\windows\system32\nvModes.dat
2009-11-20 23:14 . 2009-11-20 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-11-20 23:04 . 2009-11-20 23:04 -------- d-----w- c:\program files\microsoft frontpage
2009-11-20 23:02 . 2009-11-20 23:02 8738 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-11-20 23:00 . 2009-11-20 23:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-20 22:59 . 2009-11-20 22:59 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-12 12:37 . 2009-11-12 12:37 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-09-25 16:42 . 2009-11-21 00:44 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\MADxface\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Soldat\\Soldat.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [21. 11. 2009 1:23 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [21. 11. 2009 1:23 5248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [23. 11. 2009 14:40 207280]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6. 2. 2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6. 2. 2009 14:24 93336]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [23. 11. 2009 14:48 112592]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6. 2. 2009 14:23 727720]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [23. 11. 2009 14:40 358600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24. 11. 2009 16:15 19160]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-HijackThis - d:\software\HijackThis.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 13:52
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x855A5330]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7872f28
\Driver\ACPI -> ACPI.sys @ 0xf77c3cb8
\Driver\atapi -> atapi.sys @ 0xf7735852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf75fabb0
PacketIndicateHandler -> NDIS.sys @ 0xf7607a21
SendHandler -> NDIS.sys @ 0xf75e587b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2009-11-25 13:57
ComboFix-quarantined-files.txt 2009-11-25 12:56

Pre-Run: 8 506 646 528 bytes free
Post-Run: 8 480 079 872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A587426ACCE57778E23D26B9D4F8FB52
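As an added example for this thread (not code from the forum, nor from ComboFix, catchme or GMER), a small Python triage script that reads the log formats posted in this thread and flags the lines a helper looks at first: the driver ComboFix marks as infected, the disabled on-access scanner and firewall, catchme's NTDLL code-modification notice, the UNKNOWN module in the MBR detector's call chain, and, for the GMER log posted further down, SSDT hooks that point at a bare address instead of a named driver. The sample log inside it is constructed from lines in this thread; flagged lines are leads for review, not verdicts, since security products also hook SSDT entries.

```python
"""Triage helper for ComboFix / catchme / GMER text logs (added example, not
code from the thread or from the tools it names)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, evidence)

# Narrow patterns matching the exact line formats ComboFix, catchme and GMER print.
INFECTED_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+is infected!!$")
AV_DISABLED_RE = re.compile(r"^AV:.*\*On-access scanning disabled\*")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")
# GMER writes "SSDT <driver> (<vendor>) <ZwFunc> [0x...]" when it can attribute a
# hook, and "SSDT <hexaddr> <ZwFunc>" when the target lies outside any loaded module.
SSDT_BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-F]{8})\s+(?P<func>Zw\w+)$")
NTDLL_MOD_HEADER = "detected NTDLL code modification:"


def triage(log_text: str) -> List[Finding]:
    """Return (category, evidence) pairs for every suspicious line, in log order."""
    findings: List[Finding] = []
    in_ntdll_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_ntdll_block:
            if line:  # catchme lists one patched export per line until a blank line
                findings.append(("ntdll_code_modified", line))
                continue
            in_ntdll_block = False
        if line == NTDLL_MOD_HEADER:
            in_ntdll_block = True
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(("infected_file", m["path"]))
        elif AV_DISABLED_RE.match(line):
            findings.append(("av_realtime_disabled", line))
        elif FIREWALL_OFF_RE.match(line):
            findings.append(("firewall_disabled", line))
        elif UNKNOWN_MODULE_RE.search(line):
            findings.append(("unknown_module_in_disk_stack", line))
        else:
            m = SSDT_BARE_RE.match(line)
            if m:
                # Bare-address SSDT hooks deserve a look but are not proof on their
                # own: anti-malware drivers hook the same table from named modules.
                findings.append(("unattributed_ssdt_hook", f"{m['func']} -> {m['addr']}"))
    return findings


# Constructed sample: a handful of lines copied from the ComboFix and GMER logs
# in this thread, stitched together so the script runs offline.
SAMPLE_LOG = r"""
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
c:\windows\System32\Drivers\d344prt.sys . . . is infected!!
"EnableFirewall"= 0 (0x0)
detected NTDLL code modification:
ZwClose

scanning hidden processes ...
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x855A5330]<<
SSDT 850D3630 ZwAssignProcessToJobObject
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7718E22]
SSDT 850D2A60 ZwOpenProcess
"""

if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_LOG):
        print(f"{category:30} {evidence}")
```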


Trojan.Generic & Malware.Neeris + blocked updates

Posted by User (Bratislava): 25.11.2009 14:17

Maybe this boot CD from Avira will help you; with it you can check the machine independently of the installed system: http://www.free-av.com/en/tools/12/avir ... ystem.html
_________________
pc: MB: MSI K9N SLi (chipset nvidia nforce 570 SLi), CPU: amd athlon X2 5600+ 2.8 Ghz Windsor cooled by ac freezer 64 pro, ram: 2 GB 800Mhz DDR2 A-DATA Vitesta Extreme Edition (2x1GB), graphics: Sapphire Radeon HD 3870 512MB, HDD: Hitachi deskstar SATA2 7200 rpm 500.1GB, PSU: 450W Eurocase
Posted by Experienced user: 25.11.2009 20:47

Hi. A few things right at the start: if you don't have the installation CD/DVD, then we're finished... you have the new TDL3 rootkit in there, filth of the highest calibre, and we're without SVI... but oh well. The other thing is carrying out actions on your own initiative, which harmed you more than they helped (see deleting System Volume Info, using CF, etc.).

1) Uninstall Alcohol/Daemon (Start -> Control Panel -> Add/Remove Programs).
If that doesn't work, use Revo Uninstaller.


2) Download GMER, extract it to the desktop and run it. The program automatically starts a scan (when it finishes, post log no. 1). If it finds something during the scan (= some warning pops up), click "NO" and on the right tick all the items EXCEPT:
  • Sections
  • IAT/EAT
  • Registry
  • non-system disks and partitions (the system is usually on "C:\", so leave "D:\", "E:\"... etc. unticked)
  • Show All

Click "Scan". After the scan click "Save" and post log no. 2 here.

If it finds nothing (= nothing pops up), tick everything on the right and start the scan. When it finishes, click "Copy" and post log no. 2.


And please do not edit the logs in any way (see HJT).


Posted by the topic author (User, Zilina): 25.11.2009 23:54

If you meant the Windows installation DVD, I have it.
Daemon uninstalled, no problems.
Nothing popped up in GMER.

----log no. 1----

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-11-25 23:08:06
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MADxface\LOCALS~1\Temp\pfqyqfob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 850D1790

---- EOF - GMER 1.0.15 ----

----log no. 2----

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 23:42:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MADxface\LOCALS~1\Temp\pfqyqfob.sys


---- System - GMER 1.0.15 ----

SSDT 850D3630 ZwAssignProcessToJobObject
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7718E22]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF76F9CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF76F9ECE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7719610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF77198C4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7717B14]
SSDT 850D2A60 ZwOpenProcess
SSDT 850D2E80 ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7719D30]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF77190E2]
SSDT 850D3460 ZwSuspendProcess
SSDT 850D3280 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF76F9982]
SSDT 850D30B0 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6076360, 0x37388D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[132] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[452] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BC0001
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Bonjour\mDNSResponder.exe[488] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C70001
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[524] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015C0001
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01450001
.text C:\WINDOWS\system32\winlogon.exe[672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\winlogon.exe[672] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\winlogon.exe[672] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01120001
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\services.exe[724] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01310001
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[912] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01250001
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[988] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:


User
Registered: 24.11.09
Last logged in: 12.06.11
Posts: 14
Topics: 3
Location: Zilina
Post written by topic author: 25.11.2009 23:59

continuation (it didn't take the whole thing in one go)
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[1044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01390001
.text C:\WINDOWS\system32\nvsvc32.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\nvsvc32.exe[1044] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\nvsvc32.exe[1044] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00790001
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02DB0001
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\svchost.exe[1092] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D70001
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CE0001
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1368] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1400] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1412] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1556] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\Explorer.EXE[1556] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DE0001
.text C:\WINDOWS\Explorer.EXE[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\Explorer.EXE[1556] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\Explorer.EXE[1556] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1680] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001
.text C:\WINDOWS\system32\spoolsv.exe[1680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\spoolsv.exe[1680] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\spoolsv.exe[1680] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FB0001
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\RUNDLL32.EXE[1864] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10183D80
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10183BF0
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10183DF0
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10183AA4
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10183218
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 101827E8
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1018277C
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1892] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10183A50
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1904] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F]


Post written by the topic author: 26.11.2009 0:02

further continuation

.text C:\Documents and Settings\MADxface\Desktop\gmer.exe[3316] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [39, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [30, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [18, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtOpenKey 7C90D5B0 5 Bytes JMP 10003D80
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [21, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [2D, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [1B, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [33, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [2A, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [36, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EE0001
.text C:\totalcmd\TOTALCMD.EXE[3916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\totalcmd\TOTALCMD.EXE[3916] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10003DF0
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\totalcmd\TOTALCMD.EXE[3916] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll


User (registered: 24.11.09, last online: 12.06.11, posts: 14, topics: 3, location: Zilina)
Posted by topic author: 26.11.2009 0:04

continuation, last part

.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\totalcmd\TOTALCMD.EXE[3916] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 850D1790

---- EOF - GMER 1.0.15 ----


User (registered: 12.09.08, last online: 23.10.23, posts: 379, topics: 16, location: Košice)
Subject: Trojan.Generic & Malware.Neeris + blocked updates
Posted: 26.11.2009 10:48

Like this: I don't want to interfere in this topic any more, I just want to point out that you have the same topic on viry.cz as well, and there the helper may advise you a different procedure (and he is advising you), so coordinate it and let pitimir know that you are also following another procedure. That way nothing in the system gets damaged by two procedures at once.
User (registered: 24.11.09, last online: 12.06.11, posts: 14, topics: 3, location: Zilina)
Posted by topic author: 26.11.2009 17:08

I am following pitimir's advice exactly.
In the next step I just ran another scan with ComboFix.


Experienced user (registered: 15.08.09, last online: 05.02.10, posts: 355, topics: 0)
Posted: 26.11.2009 18:07

Oh dear... there is a lot of work and wasting time like this for nothing... :roll:
I'm stopping here, I refuse to do duplicate steps and make my colleague's life harder that way.

http://viry.cz/forum/viewtopic.php?f=13 ... 27#p773027

Finish the fight with motji, you have it further along there.

