Unable to start COM+ Event, BITs and Windows Update on Win2000
   

sjrsquared
Posted 11-15-2009 10:36 (GMT +2)
Hi
Not sure what malware has caused this, but the Windows Update service, BITS and COM+ Event service are refusing to start. I have scanned with MBAM and McAfee, and have tried some of the remedies suggested, but ComboFix gives an error about the date (although the date on the PC is correct), so I enclose the logs I have been able to obtain.

Thanks very much in advance.

File Attachment :
logs.gz   0KB (application/x-gzip)
 

sjrsquared
Posted 11-15-2009 10:49 (GMT +2)
Sorry, have uploaded more logs now ...

File Attachment :
logs.zip   9KB (application/zip)
 

Jintan
Posted 11-16-2009 4:58 (GMT +2)
Welcome to BG forums sjrsquared,

If you check some other threads in the forum you will see all logs do need to be posted here, directly in your request thread. Not sure what you have attached, but let's get some details posted here now and see what we need to address.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.


 

sjrsquared
Posted 11-16-2009 9:37 (GMT +2)
Hello, I have done the actions you suggested and here are the logs. Your help is much appreciated.

Thank you


RSIT Log.txt
====================
Logfile of random's system information tool 1.06 (written by random/random)
Run by Simon at 2009-11-16 19:08:22
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 84 GB (91%) free of 92 GB
Total RAM: 511 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08:24, on 16/11/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Eraser\eraser.exe
C:\WINNT\system32\NOTEPAD.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\mmc.exe
C:\All_My_Data\Malware_logs\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Simon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://powersoccer.mygames.co.uk/applet/PowerLoader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225234259484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225237361265
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 7043 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mcapbho.dll [2007-09-19 329032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-11-05 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-07-24 66880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-11-05 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-11-05 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\System32\msdxm.ocx [2005-03-31 844560]
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"NvCplDaemon"=C:\WINNT\system32\NvCpl.dll [2003-10-06 5058560]
"NvMediaCenter"=C:\WINNT\system32\NvMcTray.dll [2003-10-06 49152]
"ThreatFire"=C:\Program Files\ThreatFire\TFTray.exe [2009-09-23 382224]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-06-01 341312]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-08-03 582992]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6261\SiteAdv.exe [2007-08-24 36640]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-11-05 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\Msmsgs.exe /background []
"Eraser"=C:\Program Files\Eraser\eraser.exe [2009-06-10 334224]

C:\Documents and Settings\Simon.HOME-PQTX7ZVV6M\Start Menu\Programs\Startup
Secunia PSI.lnk - C:\Program Files\Secunia\PSI\psi.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="NVDESK32.DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-11-16 19:01:53 ----D---- C:\rsit
2009-11-15 23:19:43 ----A---- C:\WINNT\system32\javaws.exe
2009-11-15 23:19:42 ----A---- C:\WINNT\system32\javaw.exe
2009-11-15 23:19:42 ----A---- C:\WINNT\system32\java.exe
2009-11-15 23:17:39 ----D---- C:\Program Files\Windows Live Safety Center
2009-11-15 23:10:51 ----A---- C:\WINNT\SchedLgU.Txt
2009-11-14 15:43:15 ----D---- C:\VundoFix Backups
2009-11-14 14:54:02 ----SD---- C:\ComboFix
2009-11-14 13:40:14 ----A---- C:\WINNT\ntbtlog.txt
2009-11-14 12:49:18 ----A---- C:\Bug.txt
2009-11-14 12:42:09 ----D---- C:\WINNT\ERDNT
2009-11-14 12:41:27 ----D---- C:\Qoobox
2009-11-14 11:44:38 ----D---- C:\Tools
2009-11-13 23:33:14 ----A---- C:\WINNT\system32\vbajet32.dll
2009-11-13 23:33:11 ----A---- C:\WINNT\system32\expsrv.dll
2009-11-13 23:31:53 ----HDC---- C:\WINNT\$NtServicePackUninstall$
2009-11-13 21:36:28 ----D---- C:\Program Files\SiteAdvisor
2009-11-13 21:36:25 ----D---- C:\Documents and Settings\Simon.HOME-PQTX7ZVV6M\Application Data\SiteAdvisor
2009-11-13 21:36:25 ----D---- C:\Documents and Settings\All Users.WINNT\Application Data\SiteAdvisor
2009-11-13 21:35:41 ----A---- C:\WINNT\system32\dunzip32.dll
2009-11-13 21:31:54 ----D---- C:\Program Files\McAfee.com
2009-11-13 21:31:51 ----D---- C:\Program Files\Common Files\McAfee
2009-11-13 21:31:37 ----D---- C:\Program Files\McAfee
2009-11-12 20:25:09 ----D---- C:\WINNT\SoftwareDistribution
2009-11-10 18:58:42 ----D---- C:\Program Files\Common Files\SupportSoft
2009-11-05 21:34:15 ----A---- C:\WINNT\system32\Erasext.dll
2009-11-05 21:34:15 ----A---- C:\WINNT\system32\Eraser.dll
2009-11-05 21:34:14 ----A---- C:\WINNT\system32\Eraserl.exe
2009-11-05 21:34:10 ----D---- C:\Program Files\Eraser
2009-11-05 21:26:18 ----D---- C:\Documents and Settings\All Users.WINNT\Application Data\McAfee
2009-11-05 21:25:33 ----A---- C:\PE-Files.txt
2009-11-05 21:21:17 ----A---- C:\Win-Files.txt
2009-11-05 21:19:05 ----D---- C:\Program Files\Trend Micro
2009-11-05 21:13:34 ----D---- C:\Program Files\Secunia
2009-11-04 19:17:54 ----HDC---- C:\WINNT\$NtUninstallKB976749-IE6SP1-20091019.120000$

======List of files/folders modified in the last 1 months======

2009-11-16 19:02:33 ----SHD---- C:\WINNT\Installer
2009-11-16 19:02:33 ----RAD---- C:\Program Files
2009-11-16 19:02:33 ----AD---- C:\WINNT\system32
2009-11-16 18:57:27 ----AD---- C:\WINNT\Debug
2009-11-16 18:55:13 ----AD---- C:\WINNT\Temp
2009-11-16 18:43:59 ----AD---- C:\WINNT\security
2009-11-16 18:41:42 ----AD---- C:\WINNT
2009-11-15 23:26:53 ----HD---- C:\WINNT\inf
2009-11-15 23:21:54 ----D---- C:\Program Files\Java
2009-11-15 23:21:53 ----AD---- C:\Program Files\Common Files
2009-11-15 23:17:52 ----SD---- C:\WINNT\Downloaded Program Files
2009-11-14 15:46:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-14 14:56:44 ----AD---- C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2009-11-14 13:42:13 ----AD---- C:\Program Files\Mozilla Firefox
2009-11-14 13:36:55 ----SHD---- C:\WINNT\CSC
2009-11-14 12:48:14 ----D---- C:\All_My_Data
2009-11-14 11:45:03 ----D---- C:\Program Files\UltimateZip
2009-11-14 00:26:13 ----RASHDC---- C:\WINNT\system32\dllcache
2009-11-13 23:33:23 ----AD---- C:\WINNT\Help
2009-11-13 21:34:55 ----AD---- C:\WINNT\system32\drivers
2009-11-13 21:32:10 ----ASD---- C:\WINNT\Tasks
2009-11-13 21:20:39 ----D---- C:\Program Files\PC Tools Firewall Plus
2009-11-13 21:20:38 ----D---- C:\Program Files\Common Files\PC Tools
2009-11-13 21:17:54 ----AD---- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2009-11-12 20:18:31 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-11-10 18:58:02 ----D---- C:\temp
2009-11-05 22:11:59 ----D---- C:\WINNT\system32\NtmsData
2009-11-05 22:05:46 ----D---- C:\WINNT\winsxs
2009-11-05 21:47:13 ----D---- C:\WINNT\Minidump
2009-11-05 21:35:45 ----D---- C:\Program Files\Opera
2009-11-05 21:29:16 ----A---- C:\WINNT\system32\deploytk.dll
2009-11-05 20:47:50 ----SHD---- C:\RECYCLER
2009-11-05 20:16:18 ----AD---- C:\Documents and Settings
2009-11-05 09:36:22 ----A---- C:\WINNT\system32\MRT.exe
2009-11-04 19:39:04 ----A---- C:\WINNT\LEXSTAT.INI
2009-10-19 11:09:52 ----A---- C:\WINNT\system32\MSHTML.DLL

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BANTExt;Belarc SMBios Access; C:\WINNT\System32\Drivers\BANTExt.sys [2008-02-27 3840]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2008-04-07 9072]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2008-04-07 9200]
R1 mfehidk;McAfee Inc.; C:\WINNT\system32\drivers\mfehidk.sys [2007-07-21 201288]
R1 MPFP;MPFP; C:\WINNT\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R2 Aspi32;Aspi32; C:\WINNT\system32\drivers\Aspi32.sys [1999-09-10 25244]
R2 Nbf;NetBEUI Protocol; C:\WINNT\System32\DRIVERS\nbf.sys [1999-12-07 102160]
R3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2003-03-13 100224]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINNT\System32\DRIVERS\e100bnt5.sys [2007-11-16 154504]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINNT\system32\DRIVERS\mcdbus.sys [2008-07-28 116736]
R3 mfeavfk;McAfee Inc.; C:\WINNT\system32\drivers\mfeavfk.sys [2007-07-24 79304]
R3 mfebopk;McAfee Inc.; C:\WINNT\system32\drivers\mfebopk.sys [2007-07-21 35240]
R3 nv;nv; C:\WINNT\System32\DRIVERS\nv4_mini.sys [2003-10-06 1550043]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2003-05-27 578304]
R3 TfNetMon;TfNetMon; \??\C:\WINNT\system32\drivers\TfNetMon.sys []
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2003-06-19 21872]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 mferkdk;McAfee Inc.; C:\WINNT\system32\drivers\mferkdk.sys [2007-07-24 33800]
S3 mfesmfk;McAfee Inc.; C:\WINNT\system32\drivers\mfesmfk.sys [2007-07-21 40488]
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 PSI;PSI; C:\WINNT\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 TSP;TSP; \??\C:\WINNT\system32\drivers\klif.sys []
S3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINNT\system32\DRIVERS\vmnetadapter.sys []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\System32\drivers\ws2ifsl.sys [1999-12-07 12016]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-11-05 153376]
R2 LexBceS;LexBce Server; C:\WINNT\system32\LEXBCES.EXE [2003-02-25 303104]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 NMSAccessU;NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-10-20 71096]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINNT\system32\nvsvc32.exe [2003-10-06 81920]
R2 ThreatFire;ThreatFire; C:\Program Files\ThreatFire\TFService.exe [2009-09-23 70928]
S2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2007-08-04 749904]
S2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2007-07-22 2376992]
S2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
S2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
S2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2007-08-24 23880]
S2 SiteAdvisor Service;SiteAdvisor Service; C:\Program Files\SiteAdvisor\6261\SAService.exe [2009-11-15 345376]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 136120]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-07-25 378184]
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\System32\svchost.exe [1999-12-07 7952]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-07-25 695624]

-----------------EOF-----------------

====================

RSIT info.txt
====================
info.txt logfile of random's system information tool 1.06 2009-11-16 19:02:14

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
ActivePerl 5.8.8 Build 824-->MsiExec.exe /I{737B67E6-05DE-4BAD-B359-C10A1954F0D3}
Adobe Flash Player 10 ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.4-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Shockwave Player 11.5-->"C:\WINNT\system32\Adobe\Shockwave 11\uninstaller.exe"
Belarc Advisor 7.2-->C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP-->"C:\Program Files\CDBurnerXP\unins000.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dark Reign 2-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Dark Reign 2\DR2.isu"
Eraser 5.8.7-->"C:\Program Files\Eraser\unins000.exe"
Garmin Communicator Plugin-->MsiExec.exe /X{B57A7B53-0662-4AC0-9352-2AE2D8212A9F}
Garmin USB Drivers-->MsiExec.exe /X{B1102A25-3AA3-446B-AA0F-A699B07A02FD}
Garmin WebUpdater-->MsiExec.exe /X{E0783143-EAE2-4047-A8D6-E155523C594C}
Garmin WebUpdater-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FD94FBC-07AE-475C-B522-BFE899B9048E}\setup.exe" -l0x9
GIMP 2.6.5-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 2.0 Service Pack 1 (KB953300)-->C:\WINNT\system32\msiexec.exe /package {B508B3F1-A24A-32C0-B310-85786919EF28} /uninstall {033120BD-1F67-440F-B222-9EC384EACED8} /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 2.0 Service Pack 1 (KB971110)-->C:\WINNT\system32\msiexec.exe /package {B508B3F1-A24A-32C0-B310-85786919EF28} /uninstall {94A06FF1-C931-40AC-9493-55711CF2B0A0} /qb+ REBOOTPROMPT=""
Intel(R) Network Connections 13.2.8.0-->MsiExec.exe /i{AAA4850F-7E20-40D7-A4C3-3697E7FA4A54} ARPREMOVE=1
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Lexmark Z600 Series-->C:\WINNT\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
MagicDisc 2.7.105-->C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1 Security Update (KB971108)-->"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M971108\M971108Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.5.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.0-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
NVIDIA Display Driver-->C:\WINNT\system32\nvudisp.exe Uninstall C:\WINNT\system32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers-->C:\WINNT\system32\nvudisp.exe UninstallGUI
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
Opera 10.01-->MsiExec.exe /X{4B296228-DF7C-43EA-8DED-76027355B219}
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
Poly-->C:\Program Files\Pedagoguery Software\Poly\uninstall.exe
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Secunia PSI-->"C:\Program Files\Secunia\PSI\uninstall.exe"
Security Update for DirectX 9.0 (KB971633)-->"C:\WINNT\$NtUninstallKB971633_DX9$\spuninst\spuninst.exe"
Security Update for DirectX 9.0b (KB961373)-->"C:\WINNT\$NtUninstallKB961373_DX9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINNT\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINNT\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB974112)-->"C:\WINNT\$NtUninstallKB974112_WM41$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB973540)-->"C:\WINNT\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Sibelius Scorch (ActiveX Only)-->MsiExec.exe /I{15CCBC5D-66A7-4131-8D36-E05F27B0E68F}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TextPad 5-->MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
ThreatFire-->"C:\Program Files\ThreatFire\unins000.exe"
UltimateZip-->"C:\Program Files\UltimateZip\unins000.exe"
Windows 2000 Hotfix - KB923561-->"C:\WINNT\$NtUninstallKB923561$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB952004-->"C:\WINNT\$NtUninstallKB952004$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB956844-->"C:\WINNT\$NtUninstallKB956844$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB958470-->"C:\WINNT\$NtUninstallKB958470$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB958869-->"C:\WINNT\$NtUninstallKB958869-IE6SP1-20090818.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB959426-->"C:\WINNT\$NtUninstallKB959426$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB960803-->"C:\WINNT\$NtUninstallKB960803$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB960859-->"C:\WINNT\$NtUninstallKB960859$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB961371-->"C:\WINNT\$NtUninstallKB961371$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB961371-V2-->"C:\WINNT\$NtUninstallKB961371-V2$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB961501-->"C:\WINNT\$NtUninstallKB961501$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB963027-->"C:\WINNT\$NtUninstallKB963027-IE6SP1-20090303.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB968537-->"C:\WINNT\$NtUninstallKB968537$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB969059-->"C:\WINNT\$NtUninstallKB969059$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB969897-->"C:\WINNT\$NtUninstallKB969897-IE6SP1-20090501.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB969898-->"C:\WINNT\$NtUninstallKB969898$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB970238-->"C:\WINNT\$NtUninstallKB970238$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB971486-->"C:\WINNT\$NtUninstallKB971486$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB971557-->"C:\WINNT\$NtUninstallKB971557$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB971961-->"C:\WINNT\$NtUninstallKB971961$\spuninst\s
====================



GMER Initial Scan

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit quick scan 2009-11-16 19:10:24
Windows 5.0.2195 Service Pack 4
Running: no2joz85.exe; Driver: C:\DOCUME~1\SIMON~1.HOM\LOCALS~1\Temp\awriipoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBE9D8965]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xBE9D89F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xBE9D8929]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xBE9D8A0C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBE9D8A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xBE9D8A84]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xBE9D8A70]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBE9D89A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xBE9D8AAC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBE9D89E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xBE9D8901]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xBE9D8915]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBE9D8979]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xBE9D8AE9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xBE9D8A5C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xBE9D8A48]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xBE9D8AD5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xBE9D8AC1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xBE9D8951]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBE9D893D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xBE9D8A34]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBE9D89D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xBE9D8A98]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBE9D89B7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBE9D898D]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


GMER Full Scan
==================
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-16 19:29:20
Windows 5.0.2195 Service Pack 4
Running: no2joz85.exe; Driver: C:\DOCUME~1\SIMON~1.HOM\LOCALS~1\Temp\awriipoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBE9D8965]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xBE9D89F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xBE9D8929]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xBE9D8A0C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xBE9D8A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xBE9D8A84]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xBE9D8A70]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBE9D89A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xBE9D8AAC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xBE9D89E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xBE9D8901]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xBE9D8915]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBE9D8979]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xBE9D8AE9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xBE9D8A5C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xBE9D8A48]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xBE9D8AD5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xBE9D8AC1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xBE9D8951]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xBE9D893D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xBE9D8A34]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xBE9D89D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xBE9D8A98]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBE9D89B7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBE9D898D]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80432F24 7 Bytes JMP BE9D8991 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 804A7172 5 Bytes JMP BE9D8969 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 804D00AC 5 Bytes JMP BE9D89A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 804D0D08 5 Bytes JMP BE9D89BB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 804D2AE6 5 Bytes JMP BE9D897D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 804DEB24 5 Bytes JMP BE9D8905 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenThread 804DEDE4 5 Bytes JMP BE9D8919 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 804DF958 5 Bytes JMP BE9D8941 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 804E2264 5 Bytes JMP BE9D892D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 804E32CC 6 Bytes JMP BE9D89D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 804E7DDA 5 Bytes JMP BE9D8955 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80511E50 5 Bytes JMP BE9D89FC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80512214 5 Bytes JMP BE9D8A10 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80512430 5 Bytes JMP BE9D8A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8051263E 5 Bytes JMP BE9D8A88 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80512894 5 Bytes JMP BE9D8A74 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80512D3E 6 Bytes JMP BE9D8AB0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 805133F2 5 Bytes JMP BE9D89E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80513672 5 Bytes JMP BE9D8AED \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 80513908 5 Bytes JMP BE9D8A4C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 80513BFC 5 Bytes JMP BE9D8AC5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80513F9A 5 Bytes JMP BE9D8A38 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80514268 5 Bytes JMP BE9D8A9C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8051470A 5 Bytes JMP BE9D8AD9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 805148DA 5 Bytes JMP BE9D8A60 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINNT\system32\csrss.exe[176] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\csrss.exe[176] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [25, 71]
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7068000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7159000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 7132000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 707A000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [C8, 70]
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 7080000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7077000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 707D000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70CC000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7156000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 7065000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 712C000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!EndTask 77E420FA 6 Bytes JMP 713E000A
.text C:\WINNT\system32\csrss.exe[176] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 711D000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 70B1000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7138000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, A6, 70] {AND EAX, 0x70a6001e}
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 70A4000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 70A1000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 73, 70] {AND EAX, 0x7073001e}
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 7071000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [5E, 70]
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 58, 70] {AND EAX, 0x7058001e}
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [5B, 70]
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 55, 70] {AND EAX, 0x7055001e}
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70C3000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70C0000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70BD000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70BA000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateFileA 7C58C243 6 Bytes JMP 70E4000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateFileW 7C58C275 6 Bytes JMP 70E7000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70DB000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!VirtualProtect 7C58E9EE 6 Bytes JMP 70D8000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!VirtualProtectEx 7C58EA08 6 Bytes JMP 7129000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!LoadLibraryA 7C59026D 6 Bytes JMP 715F000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!LoadLibraryW 7C59031E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!LoadLibraryW + 4 7C590322 2 Bytes [5B, 71]
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!GetProcAddress 7C590CF7 6 Bytes JMP 711A000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70C6000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 7117000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 7114000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateProcessA 7C595040 6 Bytes JMP 7153000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateProcessW 7C596981 6 Bytes JMP 7150000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7053000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7165000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!WinExec 7C59752A 6 Bytes JMP 7141000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7162000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 708F000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 708C000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7089000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7086000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70DE000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 713B000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 9D, 70] {AND EAX, 0x709d001e}
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70E1000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7083000A
.text C:\WINNT\system32\csrss.exe[176] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 7062000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegDeleteKeyW 7C2DC9DF 6 Bytes JMP 706B000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegQueryValueA 7C2E2C47 6 Bytes JMP 70F3000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!OpenSCManagerA 7C2E2E37 6 Bytes JMP 70D5000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!OpenSCManagerW 7C2E4230 6 Bytes JMP 70D2000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegDeleteKeyA 7C2E7025 6 Bytes JMP 706E000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegCreateKeyA 7C2E96C8 6 Bytes JMP 710B000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegCreateKeyW 7C2E9954 6 Bytes JMP 7108000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!LookupPrivilegeValueW 7C2ECE3F 6 Bytes JMP 7095000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!AdjustTokenPrivileges 7C2ED6D0 6 Bytes JMP 7092000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 7098000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegCreateKeyExA 7C2ED804 6 Bytes JMP 7111000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, 9A, 70] {AND EAX, 0x709a001e}
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegOpenKeyA 7C2EDC59 6 Bytes JMP 7105000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegSetValueExW 7C2EE5CB 6 Bytes JMP 70F6000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegQueryValueW 7C2EE7C9 6 Bytes JMP 70F0000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegSetValueExA 7C2EE841 6 Bytes JMP 70F9000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegOpenKeyExA 7C2EF4C0 6 Bytes JMP 70FF000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegQueryValueExA 7C2EF5E6 4 Bytes [FF, 25, 1E, 00]
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegQueryValueExA + 5 7C2EF5EB 1 Byte [70]
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegCreateKeyExW 7C2EF8EA 6 Bytes JMP 710E000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegOpenKeyExW 7C2F49B1 6 Bytes JMP 70FC000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70EA000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!RegOpenKeyW 7C2F4C09 6 Bytes JMP 7102000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7168000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!CreateServiceA 7C314B39 6 Bytes JMP 7123000A
.text C:\WINNT\system32\csrss.exe[176] ADVAPI32.DLL!CreateServiceW 7C314CF9 6 Bytes JMP 7120000A
.text C:\WINNT\system32\csrss.exe[176] SHELL32.dll!ShellExecuteExW 7CF5204B 6 Bytes JMP 7144000A
.text C:\WINNT\system32\csrss.exe[176] SHELL32.dll!ShellExecuteEx 7CF59607 6 Bytes JMP 7147000A
.text C:\WINNT\system32\csrss.exe[176] SHELL32.dll!ShellExecuteW 7CFA6B71 6 Bytes JMP 714A000A
.text C:\WINNT\system32\csrss.exe[176] SHELL32.dll!ShellExecuteA 7CFA6BE5 6 Bytes JMP 714D000A
.text C:\WINNT\system32\csrss.exe[176] SHELL32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 70B4000A
.text C:\WINNT\system32\csrss.exe[176] SHELL32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 70B7000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegDeleteKeyW 7C2DC9DF 6 Bytes JMP 70C3000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegQueryValueA 7C2E2C47 6 Bytes JMP 7144000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!OpenSCManagerA 7C2E2E37 6 Bytes JMP 7126000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!OpenSCManagerW 7C2E4230 6 Bytes JMP 7123000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegDeleteKeyA 7C2E7025 6 Bytes JMP 70C6000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegCreateKeyA 7C2E96C8 6 Bytes JMP 715C000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegCreateKeyW 7C2E9954 6 Bytes JMP 7159000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!LookupPrivilegeValueW 7C2ECE3F 4 Bytes [FF, 25, 1E, 00]
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!LookupPrivilegeValueW + 5 7C2ECE44 1 Byte [70]
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!AdjustTokenPrivileges 7C2ED6D0 6 Bytes JMP 70EA000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 70F0000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegCreateKeyExA 7C2ED804 6 Bytes JMP 7162000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, F2, 70] {AND EAX, 0x70f2001e}
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegOpenKeyA 7C2EDC59 6 Bytes JMP 7156000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegSetValueExW 7C2EE5CB 6 Bytes JMP 7147000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegQueryValueW 7C2EE7C9 6 Bytes JMP 7141000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegSetValueExA 7C2EE841 6 Bytes JMP 714A000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegOpenKeyExA 7C2EF4C0 6 Bytes JMP 7150000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegQueryValueExA 7C2EF5E6 6 Bytes JMP 713E000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegCreateKeyExW 7C2EF8EA 6 Bytes JMP 715F000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegOpenKeyExW 7C2F49B1 6 Bytes JMP 714D000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 713B000A
.text C:\WINNT\system32\winlogon.exe[196] ADVAPI32.dll!RegOpenKeyW 7C2F4C09 6 Bytes JMP 7153000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 7102000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, FE, 70] {AND EAX, 0x70fe001e}
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 70FC000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 70F9000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, CB, 70] {AND EAX, 0x70cb001e}
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 70C9000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [B6, 70] {MOV DH, 0x70}
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, B0, 70] {AND EAX, 0x70b0001e}
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [B3, 70] {MOV BL, 0x70}
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, A6, 70] {AND EAX, 0x70a6001e}
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 7114000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 7111000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 710E000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 710B000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateFileA 7C58C243 6 Bytes JMP 7135000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateFileW 7C58C275 6 Bytes JMP 7138000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 712C000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!VirtualProtect 7C58E9EE 6 Bytes JMP 7129000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!GetProcAddress 7C590CF7 6 Bytes JMP 716E000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 7117000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 7168000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 7165000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 70A4000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 70E7000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 70E4000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 70E1000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 70DE000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 712F000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, F5, 70] {AND EAX, 0x70f5001e}
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 7132000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 70DB000A
.text C:\WINNT\system32\winlogon.exe[196] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 70BA000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 7120000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 70C0000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 70D2000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [19, 71]
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 70D8000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 70CF000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 70D5000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 711D000A
.text C:\WINNT\system32\winlogon.exe[196] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 70BD000A
.text C:\WINNT\system32\winlogon.exe[196] SHELL32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 7105000A
.text C:\WINNT\system32\winlogon.exe[196] SHELL32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 7108000A
.text C:\WINNT\system32\services.exe[224] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\services.exe[224] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [1E, 71]
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegDeleteKeyW 7C2DC9DF 6 Bytes JMP 7058000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegQueryValueA 7C2E2C47 6 Bytes JMP 70E3000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!OpenSCManagerA 7C2E2E37 6 Bytes JMP 70C2000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!OpenSCManagerW 7C2E4230 6 Bytes JMP 70BF000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegDeleteKeyA 7C2E7025 6 Bytes JMP 705B000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegCreateKeyA 7C2E96C8 5 Bytes JMP 01A60FB8
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegCreateKeyW 7C2E9954 5 Bytes JMP 01A6004D
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!LookupPrivilegeValueW 7C2ECE3F 6 Bytes JMP 7082000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!AdjustTokenPrivileges 7C2ED6D0 6 Bytes JMP 707F000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 7085000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegCreateKeyExA 7C2ED804 5 Bytes JMP 01A60068
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, 87, 70] {AND EAX, 0x7087001e}
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegOpenKeyA 7C2EDC59 4 Bytes JMP 01A6000B
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegSetValueExW 7C2EE5CB 6 Bytes JMP 70E6000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegQueryValueW 7C2EE7C9 6 Bytes JMP 70E0000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegSetValueExA 7C2EE841 6 Bytes JMP 70E9000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegOpenKeyExA 7C2EF4C0 5 Bytes JMP 01A6001C
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegQueryValueExA 7C2EF5E6 6 Bytes JMP 70DD000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegCreateKeyExW 7C2EF8EA 5 Bytes JMP 01A60083
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegOpenKeyExW 7C2F49B1 5 Bytes JMP 01A60FD3
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70DA000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!RegOpenKeyW 7C2F4C09 4 Bytes JMP 01A60FEF
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7167000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!CreateServiceA 7C314B39 6 Bytes JMP 711C000A
.text C:\WINNT\system32\services.exe[224] ADVAPI32.dll!CreateServiceW 7C314CF9 6 Bytes JMP 7119000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 7097000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7132000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, 93, 70] {AND EAX, 0x7093001e}
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 7091000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 708E000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 60, 70] {AND EAX, 0x7060001e}
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 705E000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [4B, 70]
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 45, 70] {AND EAX, 0x7045001e}
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [48, 70]
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 42, 70] {AND EAX, 0x7042001e}
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70B0000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70A6000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70A3000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70A0000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateFileA 7C58C243 5 Bytes JMP 01A7000B
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateFileW 7C58C275 5 Bytes JMP 01A70FE4
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70C9000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!VirtualProtect 7C58E9EE 5 Bytes JMP 01A7004C
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!VirtualProtectEx 7C58EA08 5 Bytes JMP 01A70F57
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!LoadLibraryA 7C59026D 5 Bytes JMP 01A7001C
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!LoadLibraryW 7C59031E 5 Bytes JMP 01A70F90
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!LoadLibraryExA 7C59032E 5 Bytes JMP 01A7003B
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!LoadLibraryExW 7C590595 5 Bytes JMP 01A70F72
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!GetProcAddress 7C590CF7 5 Bytes JMP 01A700D0
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70B3000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateNamedPipeA 7C591C5F 5 Bytes JMP 01A70FD3
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateNamedPipeW 7C591CCF 5 Bytes JMP 01A70FB8
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 710F000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 710C000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreatePipe 7C5946A1 5 Bytes JMP 01A70F3B
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateProcessA 7C595040 5 Bytes JMP 01A700A9
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateProcessW 7C596981 5 Bytes JMP 01A70F07
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7040000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7164000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!GetStartupInfoW 7C596B15 5 Bytes JMP 01A70079
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!GetStartupInfoA 7C596BAA 5 Bytes JMP 01A70068
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!WinExec 7C59752A 5 Bytes JMP 01A70098
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7161000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 707C000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 7079000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7076000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7073000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70CC000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 7135000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 8A, 70] {AND EAX, 0x708a001e}
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70CF000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7070000A
.text C:\WINNT\system32\services.exe[224] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 704F000A
.text C:\WINNT\system32\services.exe[224] MSVCRT.dll!_wsystem 78018E1D 5 Bytes JMP 01A50FBC
.text C:\WINNT\system32\services.exe[224] MSVCRT.dll!system 78018EBF 5 Bytes JMP 01A50FCD
.text C:\WINNT\system32\services.exe[224] MSVCRT.dll!_creat 7801A00D 5 Bytes JMP 01A50014
.text C:\WINNT\system32\services.exe[224] MSVCRT.dll!_open 7801B65E 5 Bytes JMP 01A50FEF
.text C:\WINNT\system32\services.exe[224] MSVCRT.dll!_wcreat 7801C0F3 5 Bytes JMP 01A50033
.text C:\WINNT\system32\services.exe[224] MSVCRT.dll!_wopen 7801C1B1 5 Bytes JMP 01A50FDE
.text C:\WINNT\system32\services.exe[224] WS2_32.DLL!socket 7503353D 5 Bytes JMP 01A40FEF
.text C:\WINNT\system32\services.exe[224] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 712F000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\services.exe[224] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [28, 71]
.text C:\WINNT\system32\services.exe[224] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70BC000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7055000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7156000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 712C000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 7067000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\services.exe[224] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [B5, 70] {MOV CH, 0x70}
.text C:\WINNT\system32\services.exe[224] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 706D000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7064000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 706A000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70B9000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7153000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 7052000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 7126000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!EndTask 77E420FA 6 Bytes JMP 7138000A
.text C:\WINNT\system32\services.exe[224] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 7116000A
.text C:\WINNT\system32\services.exe[224] shell32.dll!ShellExecuteExW 7CF5204B 6 Bytes JMP 713F000A
.text C:\WINNT\system32\services.exe[224] shell32.dll!ShellExecuteEx 7CF59607 6 Bytes JMP 7142000A
.text C:\WINNT\system32\services.exe[224] shell32.dll!ShellExecuteW 7CFA6B71 6 Bytes JMP 7145000A
.text C:\WINNT\system32\services.exe[224] shell32.dll!ShellExecuteA 7CFA6BE5 6 Bytes JMP 7148000A
.text C:\WINNT\system32\services.exe[224] shell32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 709A000A
.text C:\WINNT\system32\services.exe[224] shell32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 709D000A
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!CreateFileA 7C58C243 5 Bytes JMP 01200FEF
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!CreateFileW 7C58C275 5 Bytes JMP 01200FDE
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!VirtualProtect 7C58E9EE 5 Bytes JMP 01200077
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!VirtualProtectEx 7C58EA08 5 Bytes JMP 01200088
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!LoadLibraryA 7C59026D 5 Bytes JMP 0120003E
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!LoadLibraryW 7C59031E 5 Bytes JMP 0120004F
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!LoadLibraryExA 7C59032E 5 Bytes JMP 01200FA4
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!LoadLibraryExW 7C590595 5 Bytes JMP 01200F93
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!GetProcAddress 7C590CF7 5 Bytes JMP 01200113
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!CreateNamedPipeA 7C591C5F 5 Bytes JMP 01200016
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!CreateNamedPipeW 7C591CCF 5 Bytes JMP 01200FC3
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!CreatePipe 7C5946A1 5 Bytes JMP 012000A4
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!CreateProcessA 7C595040 5 Bytes JMP 01200F4B
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!CreateProcessW 7C596981 5 Bytes JMP 012000F8
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!GetStartupInfoW 7C596B15 5 Bytes JMP 01200F6D
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!GetStartupInfoA 7C596BAA 5 Bytes JMP 012000C3
.text C:\WINNT\system32\lsass.exe[236] KERNEL32.dll!WinExec 7C59752A 5 Bytes JMP 01200F5C
.text C:\WINNT\system32\lsass.exe[236] MSVCRT.dll!_wsystem 78018E1D 5 Bytes JMP 011E0FC5
.text C:\WINNT\system32\lsass.exe[236] MSVCRT.dll!system 78018EBF 5 Bytes JMP 011E0055
.text C:\WINNT\system32\lsass.exe[236] MSVCRT.dll!_creat 7801A00D 5 Bytes JMP 011E0FEF
.text C:\WINNT\system32\lsass.exe[236] MSVCRT.dll!_open 7801B65E 5 Bytes JMP 011E0000
.text C:\WINNT\system32\lsass.exe[236] MSVCRT.dll!_wcreat 7801C0F3 5 Bytes JMP 011E0044
.text C:\WINNT\system32\lsass.exe[236] MSVCRT.dll!_wopen 7801C1B1 5 Bytes JMP 011E0025
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegCreateKeyA 7C2E96C8 5 Bytes JMP 011F0FB8
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegCreateKeyW 7C2E9954 5 Bytes JMP 011F0041
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegCreateKeyExA 7C2ED804 5 Bytes JMP 011F0F9B
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegOpenKeyA 7C2EDC59 5 Bytes JMP 011F0FEF
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegOpenKeyExA 7C2EF4C0 5 Bytes JMP 011F000B
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegCreateKeyExW 7C2EF8EA 5 Bytes JMP 011F0066
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegOpenKeyExW 7C2F49B1 5 Bytes JMP 011F0026
.text C:\WINNT\system32\lsass.exe[236] ADVAPI32.DLL!RegOpenKeyW 7C2F4C09 5 Bytes JMP 011F0FD3
.text C:\WINNT\system32\lsass.exe[236] WS2_32.DLL!socket 7503353D 5 Bytes JMP 011D0FEF
.text C:\WINNT\system32\svchost.exe[412] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\svchost.exe[412] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [1E, 71]
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegDeleteKeyW 7C2DC9DF 6 Bytes JMP 7058000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegQueryValueA 7C2E2C47 6 Bytes JMP 70E3000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!OpenSCManagerA 7C2E2E37 6 Bytes JMP 70C2000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!OpenSCManagerW 7C2E4230 6 Bytes JMP 70BF000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegDeleteKeyA 7C2E7025 6 Bytes JMP 705B000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegCreateKeyA 7C2E96C8 5 Bytes JMP 00A50037
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegCreateKeyW 7C2E9954 5 Bytes JMP 00A50FAE
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!LookupPrivilegeValueW 7C2ECE3F 6 Bytes JMP 7082000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!AdjustTokenPrivileges 7C2ED6D0 6 Bytes JMP 707F000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 7085000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegCreateKeyExA 7C2ED804 5 Bytes JMP 00A50048
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, 87, 70] {AND EAX, 0x7087001e}
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegOpenKeyA 7C2EDC59 5 Bytes JMP 00A50FE4
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegSetValueExW 7C2EE5CB 6 Bytes JMP 70E6000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegQueryValueW 7C2EE7C9 6 Bytes JMP 70E0000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegSetValueExA 7C2EE841 6 Bytes JMP 70E9000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegOpenKeyExA 7C2EF4C0 5 Bytes JMP 00A50015
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegQueryValueExA 7C2EF5E6 6 Bytes JMP 70DD000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegCreateKeyExW 7C2EF8EA 5 Bytes JMP 00A50063
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegOpenKeyExW 7C2F49B1 5 Bytes JMP 00A50026
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70DA000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!RegOpenKeyW 7C2F4C09 5 Bytes JMP 00A50FD3
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7167000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!CreateServiceA 7C314B39 6 Bytes JMP 711C000A
.text C:\WINNT\system32\svchost.exe[412] ADVAPI32.DLL!CreateServiceW 7C314CF9 6 Bytes JMP 7119000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 7097000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7132000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, 93, 70] {AND EAX, 0x7093001e}
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 7091000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 708E000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 60, 70] {AND EAX, 0x7060001e}
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 705E000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [4B, 70]
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 45, 70] {AND EAX, 0x7045001e}
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [48, 70]
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 42, 70] {AND EAX, 0x7042001e}
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70B0000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70A6000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70A3000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70A0000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateFileA 7C58C243 5 Bytes JMP 00A60FE4
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateFileW 7C58C275 5 Bytes JMP 00A60FD3
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70C9000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!VirtualProtect 7C58E9EE 5 Bytes JMP 00A60079
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!VirtualProtectEx 7C58EA08 5 Bytes JMP 00A6008A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!LoadLibraryA 7C59026D 5 Bytes JMP 00A6002D
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!LoadLibraryW 7C59031E 5 Bytes JMP 00A6003E
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!LoadLibraryExA 7C59032E 5 Bytes JMP 00A6005D
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!LoadLibraryExW 7C590595 5 Bytes JMP 00A60F8A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!GetProcAddress 7C590CF7 5 Bytes JMP 00A60F29
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70B3000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateNamedPipeA 7C591C5F 5 Bytes JMP 00A6000B
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateNamedPipeW 7C591CCF 5 Bytes JMP 00A6001C
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 710F000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 710C000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreatePipe 7C5946A1 5 Bytes JMP 00A60F6E
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateProcessA 7C595040 5 Bytes JMP 00A600E7
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateProcessW 7C596981 5 Bytes JMP 00A60F3A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7040000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7164000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!GetStartupInfoW 7C596B15 5 Bytes JMP 00A600BA
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!GetStartupInfoA 7C596BAA 5 Bytes JMP 00A600A9
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!WinExec 7C59752A 5 Bytes JMP 00A600CB
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7161000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 707C000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 7079000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7076000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7073000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70CC000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 7135000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 8A, 70] {AND EAX, 0x708a001e}
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70CF000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7070000A
.text C:\WINNT\system32\svchost.exe[412] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 704F000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 712F000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [28, 71]
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70BC000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7055000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7156000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 712C000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 7067000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [B5, 70] {MOV CH, 0x70}
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 706D000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7064000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 706A000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70B9000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7153000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 7052000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 7126000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!EndTask 77E420FA 6 Bytes JMP 7138000A
.text C:\WINNT\system32\svchost.exe[412] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 7116000A
.text C:\WINNT\system32\svchost.exe[412] MSVCRT.dll!_wsystem 78018E1D 5 Bytes JMP 00A4003B
.text C:\WINNT\system32\svchost.exe[412] MSVCRT.dll!system 78018EBF 5 Bytes JMP 00A4002A
.text C:\WINNT\system32\svchost.exe[412] MSVCRT.dll!_creat 7801A00D 5 Bytes JMP 00A40FB9
.text C:\WINNT\system32\svchost.exe[412] MSVCRT.dll!_open 7801B65E 5 Bytes JMP 00A40FEF
.text C:\WINNT\system32\svchost.exe[412] MSVCRT.dll!_wcreat 7801C0F3 5 Bytes JMP 00A4000E
.text C:\WINNT\system32\svchost.exe[412] MSVCRT.dll!_wopen 7801C1B1 5 Bytes JMP 00A40FCA
.text C:\WINNT\system32\svchost.exe[412] WS2_32.dll!socket 7503353D 5 Bytes JMP 00A30FEF
.text C:\WINNT\system32\svchost.exe[412] SHELL32.dll!ShellExecuteExW 7CF5204B 6 Bytes JMP 713F000A
.text C:\WINNT\system32\svchost.exe[412] SHELL32.dll!ShellExecuteEx 7CF59607 6 Bytes JMP 7142000A
.text C:\WINNT\system32\svchost.exe[412] SHELL32.dll!ShellExecuteW 7CFA6B71 6 Bytes JMP 7145000A
.text C:\WINNT\system32\svchost.exe[412] SHELL32.dll!ShellExecuteA 7CFA6BE5 6 Bytes JMP 7148000A
.text C:\WINNT\system32\svchost.exe[412] SHELL32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 709A000A
.text C:\WINNT\system32\svchost.exe[412] SHELL32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 709D000A
.text C:\WINNT\system32\LEXBCES.EXE[440] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\LEXBCES.EXE[440] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [25, 71]
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 70B1000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7138000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, A6, 70] {AND EAX, 0x70a6001e}
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 70A4000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 70A1000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 73, 70] {AND EAX, 0x7073001e}
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 7071000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [5E, 70]
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 58, 70] {AND EAX, 0x7058001e}
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [5B, 70]
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 55, 70] {AND EAX, 0x7055001e}
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70C3000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70C0000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70BD000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70BA000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateFileA 7C58C243 6 Bytes JMP 70E4000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateFileW 7C58C275 6 Bytes JMP 70E7000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70DB000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!VirtualProtect 7C58E9EE 6 Bytes JMP 70D8000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!VirtualProtectEx 7C58EA08 6 Bytes JMP 7129000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!LoadLibraryA 7C59026D 6 Bytes JMP 715F000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!LoadLibraryW 7C59031E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!LoadLibraryW + 4 7C590322 2 Bytes [5B, 71]
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!GetProcAddress 7C590CF7 6 Bytes JMP 711A000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70C6000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 7117000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 7114000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateProcessA 7C595040 6 Bytes JMP 7153000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateProcessW 7C596981 6 Bytes JMP 7150000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7053000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7165000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!WinExec 7C59752A 6 Bytes JMP 7141000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7162000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 708F000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 708C000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7089000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7086000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70DE000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 713B000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 9D, 70] {AND EAX, 0x709d001e}
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70E1000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7083000A
.text C:\WINNT\system32\LEXBCES.EXE[440] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 7062000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7068000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7159000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 7132000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 707A000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [C8, 70]
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 7080000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7077000A
.text C:\WINNT\system32\LEXBCES.EXE[440] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 707D000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 58, 70] {AND EAX, 0x7058001e}
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [5B, 70]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 55, 70] {AND EAX, 0x7055001e}
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70C3000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70C0000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70BD000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70BA000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateFileA 7C58C243 6 Bytes JMP 70E4000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateFileW 7C58C275 6 Bytes JMP 70E7000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70DB000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!VirtualProtect 7C58E9EE 6 Bytes JMP 70D8000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!VirtualProtectEx 7C58EA08 6 Bytes JMP 7129000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!LoadLibraryA 7C59026D 6 Bytes JMP 715F000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!LoadLibraryW 7C59031E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!LoadLibraryW + 4 7C590322 2 Bytes [5B, 71]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!GetProcAddress 7C590CF7 6 Bytes JMP 711A000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70C6000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 7117000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 7114000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateProcessA 7C595040 6 Bytes JMP 7153000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateProcessW 7C596981 6 Bytes JMP 7150000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7053000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7165000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!WinExec 7C59752A 6 Bytes JMP 7141000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7162000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 708F000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 708C000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7089000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7086000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70DE000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 713B000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 9D, 70] {AND EAX, 0x709d001e}
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70E1000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7083000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 7062000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7068000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7159000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 7132000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 707A000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [C8, 70]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 7080000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7077000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 707D000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70CC000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7156000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 7065000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 712C000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!EndTask 77E420FA 6 Bytes JMP 713E000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 711D000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegDeleteKeyW 7C2DC9DF 6 Bytes JMP 706B000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegQueryValueA 7C2E2C47 6 Bytes JMP 70F3000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!OpenSCManagerA 7C2E2E37 6 Bytes JMP 70D5000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!OpenSCManagerW 7C2E4230 6 Bytes JMP 70D2000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegDeleteKeyA 7C2E7025 6 Bytes JMP 706E000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegCreateKeyA 7C2E96C8 6 Bytes JMP 710B000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegCreateKeyW 7C2E9954 6 Bytes JMP 7108000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!LookupPrivilegeValueW 7C2ECE3F 6 Bytes JMP 7095000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!AdjustTokenPrivileges 7C2ED6D0 6 Bytes JMP 7092000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 7098000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegCreateKeyExA 7C2ED804 6 Bytes JMP 7111000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, 9A, 70] {AND EAX, 0x709a001e}
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegOpenKeyA 7C2EDC59 6 Bytes JMP 7105000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegSetValueExW 7C2EE5CB 6 Bytes JMP 70F6000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegQueryValueW 7C2EE7C9 6 Bytes JMP 70F0000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegSetValueExA 7C2EE841 6 Bytes JMP 70F9000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegOpenKeyExA 7C2EF4C0 6 Bytes JMP 70FF000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegQueryValueExA 7C2EF5E6 4 Bytes [FF, 25, 1E, 00]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegQueryValueExA + 5 7C2EF5EB 1 Byte [70]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegCreateKeyExW 7C2EF8EA 6 Bytes JMP 710E000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegOpenKeyExW 7C2F49B1 6 Bytes JMP 70FC000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70EA000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!RegOpenKeyW 7C2F4C09 6 Bytes JMP 7102000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7168000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!CreateServiceA 7C314B39 6 Bytes JMP 7123000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] ADVAPI32.DLL!CreateServiceW 7C314CF9 6 Bytes JMP 7120000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] shell32.dll!ShellExecuteExW 7CF5204B 6 Bytes JMP 7144000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] shell32.dll!ShellExecuteEx 7CF59607 6 Bytes JMP 7147000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] shell32.dll!ShellExecuteW 7CFA6B71 6 Bytes JMP 714A000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] shell32.dll!ShellExecuteA 7CFA6BE5 6 Bytes JMP 714D000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] shell32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 70B4000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[828] shell32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 70B7000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [25, 71]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 70B1000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7138000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, A6, 70] {AND EAX, 0x70a6001e}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 70A4000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 70A1000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 73, 70] {AND EAX, 0x7073001e}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 7071000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [5E, 70]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 58, 70] {AND EAX, 0x7058001e}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [5B, 70]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 55, 70] {AND EAX, 0x7055001e}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70C3000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70C0000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70BD000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70BA000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateFileA 7C58C243 6 Bytes JMP 70E4000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateFileW 7C58C275 6 Bytes JMP 70E7000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70DB000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!VirtualProtect 7C58E9EE 6 Bytes JMP 70D8000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!VirtualProtectEx 7C58EA08 6 Bytes JMP 7129000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!LoadLibraryA 7C59026D 6 Bytes JMP 715F000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!LoadLibraryW 7C59031E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!LoadLibraryW + 4 7C590322 2 Bytes [5B, 71]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!GetProcAddress 7C590CF7 6 Bytes JMP 711A000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70C6000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 7117000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 7114000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateProcessA 7C595040 6 Bytes JMP 7153000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateProcessW 7C596981 6 Bytes JMP 7150000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7053000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7165000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!WinExec 7C59752A 6 Bytes JMP 7141000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7162000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 708F000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 708C000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7089000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7086000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70DE000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 713B000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 9D, 70] {AND EAX, 0x709d001e}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70E1000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7083000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 7062000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegDeleteKeyW 7C2DC9DF 6 Bytes JMP 706B000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegQueryValueA 7C2E2C47 6 Bytes JMP 70F3000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!OpenSCManagerA 7C2E2E37 6 Bytes JMP 70D5000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!OpenSCManagerW 7C2E4230 6 Bytes JMP 70D2000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegDeleteKeyA 7C2E7025 6 Bytes JMP 706E000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegCreateKeyA 7C2E96C8 6 Bytes JMP 710B000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegCreateKeyW 7C2E9954 6 Bytes JMP 7108000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!LookupPrivilegeValueW 7C2ECE3F 6 Bytes JMP 7095000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!AdjustTokenPrivileges 7C2ED6D0 6 Bytes JMP 7092000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 7098000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegCreateKeyExA 7C2ED804 6 Bytes JMP 7111000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, 9A, 70] {AND EAX, 0x709a001e}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegOpenKeyA 7C2EDC59 6 Bytes JMP 7105000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegSetValueExW 7C2EE5CB 6 Bytes JMP 70F6000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegQueryValueW 7C2EE7C9 6 Bytes JMP 70F0000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegSetValueExA 7C2EE841 6 Bytes JMP 70F9000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegOpenKeyExA 7C2EF4C0 6 Bytes JMP 70FF000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegQueryValueExA 7C2EF5E6 4 Bytes [FF, 25, 1E, 00]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegQueryValueExA + 5 7C2EF5EB 1 Byte [70]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegCreateKeyExW 7C2EF8EA 6 Bytes JMP 710E000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegOpenKeyExW 7C2F49B1 6 Bytes JMP 70FC000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70EA000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!RegOpenKeyW 7C2F4C09 6 Bytes JMP 7102000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7168000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!CreateServiceA 7C314B39 6 Bytes JMP 7123000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] ADVAPI32.dll!CreateServiceW 7C314CF9 6 Bytes JMP 7120000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] SHELL32.dll!ShellExecuteExW 7CF5204B 6 Bytes JMP 7144000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] SHELL32.dll!ShellExecuteEx 7CF59607 6 Bytes JMP 7147000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] SHELL32.dll!ShellExecuteW 7CFA6B71 6 Bytes JMP 714A000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] SHELL32.dll!ShellExecuteA 7CFA6BE5 6 Bytes JMP 714D000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] SHELL32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 70B4000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] SHELL32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 70B7000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7068000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7159000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 7132000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 707A000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [C8, 70]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 7080000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7077000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 707D000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70CC000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7156000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 7065000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 712C000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!EndTask 77E420FA 6 Bytes JMP 713E000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[992] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 711D000A
.text C:\WINNT\system32\nvsvc32.exe[1012] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\nvsvc32.exe[1012] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [25, 71]
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 70B1000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7138000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, A6, 70] {AND EAX, 0x70a6001e}
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 70A4000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 70A1000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 73, 70] {AND EAX, 0x7073001e}
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 7071000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [5E, 70]
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 58, 70] {AND EAX, 0x7058001e}
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [5B, 70]
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 55, 70] {AND EAX, 0x7055001e}
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70C3000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70C0000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70BD000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70BA000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateFileA 7C58C243 6 Bytes JMP 70E4000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateFileW 7C58C275 6 Bytes JMP 70E7000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70DB000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!VirtualProtect 7C58E9EE 6 Bytes JMP 70D8000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!VirtualProtectEx 7C58EA08 6 Bytes JMP 7129000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!LoadLibraryA 7C59026D 6 Bytes JMP 715F000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!LoadLibraryW 7C59031E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!LoadLibraryW + 4 7C590322 2 Bytes [5B, 71]
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!GetProcAddress 7C590CF7 6 Bytes JMP 711A000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70C6000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 7117000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 7114000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateProcessA 7C595040 6 Bytes JMP 7153000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateProcessW 7C596981 6 Bytes JMP 7150000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7053000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7165000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!WinExec 7C59752A 6 Bytes JMP 7141000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7162000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 708F000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 708C000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7089000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7086000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70DE000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 713B000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 9D, 70] {AND EAX, 0x709d001e}
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70E1000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7083000A
.text C:\WINNT\system32\nvsvc32.exe[1012] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 7062000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7068000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7159000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 7132000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 707A000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [C8, 70]
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 7080000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7077000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 707D000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70CC000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7156000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 7065000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 712C000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!EndTask 77E420FA 6 Bytes JMP 713E000A
.text C:\WINNT\system32\nvsvc32.exe[1012] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 711D000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 706D000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegCreateKeyExA 7C2ED804 5 Bytes JMP 0017006E
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, 6F, 70] {AND EAX, 0x706f001e}
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegOpenKeyA 7C2EDC59 5 Bytes JMP 00170FEF
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegSetValueExW 7C2EE5CB 6 Bytes JMP 70D6000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegQueryValueW 7C2EE7C9 6 Bytes JMP 70D0000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegSetValueExA 7C2EE841 6 Bytes JMP 70D9000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegOpenKeyExA 7C2EF4C0 5 Bytes JMP 00170027
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegQueryValueExA 7C2EF5E6 6 Bytes JMP 70CD000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegCreateKeyExW 7C2EF8EA 5 Bytes JMP 00170FB7
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegOpenKeyExW 7C2F49B1 5 Bytes JMP 00170FD4
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70CA000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!RegOpenKeyW 7C2F4C09 5 Bytes JMP 00170016
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7167000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!CreateServiceA 7C314B39 6 Bytes JMP 710C000A
.text C:\WINNT\Explorer.EXE[1496] ADVAPI32.DLL!CreateServiceW 7C314CF9 6 Bytes JMP 7109000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 7087000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7122000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, 7B, 70] {AND EAX, 0x707b001e}
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 7079000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 7076000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 48, 70] {AND EAX, 0x7048001e}
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 7046000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [2E, 70]
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 28, 70] {AND EAX, 0x7028001e}
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [2B, 70]
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 25, 70] {AND EAX, 0x7025001e}
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 7099000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 7096000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 7093000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 7090000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateFileA 7C58C243 5 Bytes JMP 00180FE4
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateFileW 7C58C275 5 Bytes JMP 0018000B
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70B9000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!VirtualProtect 7C58E9EE 5 Bytes JMP 00180F77
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!VirtualProtectEx 7C58EA08 5 Bytes JMP 0018006C
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!LoadLibraryA 7C59026D 5 Bytes JMP 00180FB8
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!LoadLibraryW 7C59031E 5 Bytes JMP 00180FA7
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!LoadLibraryExA 7C59032E 5 Bytes JMP 00180F88
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!LoadLibraryExW 7C590595 5 Bytes JMP 0018005B
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!GetProcAddress 7C590CF7 5 Bytes JMP 001800DB
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 709C000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateNamedPipeA 7C591C5F 5 Bytes JMP 0018001C
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateNamedPipeW 7C591CCF 5 Bytes JMP 00180FC9
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 70FF000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 70FC000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreatePipe 7C5946A1 5 Bytes JMP 00180F50
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateProcessA 7C595040 5 Bytes JMP 001800BF
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateProcessW 7C596981 5 Bytes JMP 00180F12
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7023000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7164000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!GetStartupInfoW 7C596B15 5 Bytes JMP 00180F3F
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!GetStartupInfoA 7C596BAA 5 Bytes JMP 0018008B
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!WinExec 7C59752A 5 Bytes JMP 00180F2E
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7161000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 7064000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 7061000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 705E000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 705B000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70BC000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 7125000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 72, 70] {AND EAX, 0x7072001e}
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70BF000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7058000A
.text C:\WINNT\Explorer.EXE[1496] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 7032000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 711F000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [18, 71]
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70A5000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 703D000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7146000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 711C000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 704F000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [9E, 70]
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 7055000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 704C000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 7052000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70A2000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7143000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 703A000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 7116000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!EndTask 77E420FA 6 Bytes JMP 7128000A
.text C:\WINNT\Explorer.EXE[1496] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 7106000A
.text C:\WINNT\Explorer.EXE[1496] msvcrt.dll!_wsystem 78018E1D 5 Bytes JMP 0019004C
.text C:\WINNT\Explorer.EXE[1496] msvcrt.dll!system 78018EBF 5 Bytes JMP 00190030
.text C:\WINNT\Explorer.EXE[1496] msvcrt.dll!_creat 7801A00D 5 Bytes JMP 00190000
.text C:\WINNT\Explorer.EXE[1496] msvcrt.dll!_open 7801B65E 5 Bytes JMP 00190FEF
.text C:\WINNT\Explorer.EXE[1496] msvcrt.dll!_wcreat 7801C0F3 5 Bytes JMP 0019001F
.text C:\WINNT\Explorer.EXE[1496] msvcrt.dll!_!!!en 7801C1B1 5 Bytes JMP 00190FCA
.text C:\WINNT\Explorer.EXE[1496] SHELL32.dll!ShellExecuteExW 7CF5204B 6 Bytes JMP 712F000A
.text C:\WINNT\Explorer.EXE[1496] SHELL32.dll!ShellExecuteEx 7CF59607 6 Bytes JMP 7132000A
.text C:\WINNT\Explorer.EXE[1496] SHELL32.dll!ShellExecuteW 7CFA6B71 6 Bytes JMP 7135000A
.text C:\WINNT\Explorer.EXE[1496] SHELL32.dll!ShellExecuteA 7CFA6BE5 6 Bytes JMP 7138000A
.text C:\WINNT\Explorer.EXE[1496] SHELL32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 708A000A
.text C:\WINNT\Explorer.EXE[1496] SHELL32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 708D000A
.text C:\WINNT\Explorer.EXE[1496] WS2_32.DLL!socket 7503353D 5 Bytes JMP 00F30000
.text C:\WINNT\Explorer.EXE[1496] WININET.dll!InternetOpenA 63017813 5 Bytes JMP 01A80000
.text C:\WINNT\Explorer.EXE[1496] WININET.dll!InternetOpenUrlA 63017FDC 5 Bytes JMP 01A8002D
.text C:\WINNT\Explorer.EXE[1496] WININET.dll!InternetOpenW 6301A14B 5 Bytes JMP 01A8001C
.text C:\WINNT\Explorer.EXE[1496] WININET.dll!InternetOpenUrlW 6301A462 5 Bytes JMP 01A8003E
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [25, 71]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!DeviceIoControl 7C579423 6 Bytes JMP 70B1000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7138000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, A0, 70] {AND EAX, 0x70a0001e}
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateDirectoryW 7C57FF46 6 Bytes JMP 709E000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!WriteFile 7C5863E8 6 Bytes JMP 709B000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 6D, 70] {AND EAX, 0x706d001e}
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!DeleteFileW 7C587643 6 Bytes JMP 706B000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!MoveFileA + 4 7C5878A2 2 Bytes [58, 70]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 52, 70] {AND EAX, 0x7052001e}
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!MoveFileW + 4 7C587BB6 2 Bytes [55, 70]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 4F, 70] {AND EAX, 0x704f001e}
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CopyFileA 7C589075 6 Bytes JMP 70C3000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CopyFileW 7C5890CA 6 Bytes JMP 70C0000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CopyFileExA 7C5890E9 6 Bytes JMP 70BD000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CopyFileExW 7C589DDE 6 Bytes JMP 70BA000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateFileA 7C58C243 6 Bytes JMP 70E4000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateFileW 7C58C275 6 Bytes JMP 70E7000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!VirtualAlloc 7C58E8DD 6 Bytes JMP 70DB000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!VirtualProtect 7C58E9EE 6 Bytes JMP 70D8000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!VirtualProtectEx 7C58EA08 6 Bytes JMP 7129000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!LoadLibraryA 7C59026D 6 Bytes JMP 715F000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!LoadLibraryW 7C59031E 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!LoadLibraryW + 4 7C590322 2 Bytes [5B, 71]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!GetProcAddress 7C590CF7 6 Bytes JMP 711A000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!LoadResource 7C591150 6 Bytes JMP 70C6000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!GetVolumeInformationA 7C593C52 6 Bytes JMP 7117000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!GetVolumeInformationW 7C593E22 6 Bytes JMP 7114000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateProcessA 7C595040 6 Bytes JMP 7153000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateProcessW 7C596981 6 Bytes JMP 7150000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!OpenProcess 7C5969AD 6 Bytes JMP 704D000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!TerminateProcess 7C596A9D 6 Bytes JMP 7165000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!WinExec 7C59752A 6 Bytes JMP 7141000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!WriteProcessMemory 7C597990 6 Bytes JMP 7162000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateMutexA 7C599DF3 6 Bytes JMP 7089000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateMutexW 7C599E5B 6 Bytes JMP 7086000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!OpenMutexA 7C599EFD 6 Bytes JMP 7083000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!OpenMutexW 7C599F6A 6 Bytes JMP 7080000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateThread 7C59B87C 6 Bytes JMP 70DE000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!TerminateThread 7C59BB59 6 Bytes JMP 713B000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 97, 70] {AND EAX, 0x7097001e}
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70E1000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 707D000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] KERNEL32.DLL!WideCharToMultiByte 7C5B9279 6 Bytes JMP 705C000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7062000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7159000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 7132000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 7074000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [C8, 70]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 707A000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7071000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 7077000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70CC000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7156000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 705F000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 712C000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!EndTask 77E420FA 6 Bytes JMP 713E000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 711D000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegDeleteKeyW 7C2DC9DF 6 Bytes JMP 7065000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegQueryValueA 7C2E2C47 6 Bytes JMP 70F3000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!OpenSCManagerA 7C2E2E37 6 Bytes JMP 70D5000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!OpenSCManagerW 7C2E4230 6 Bytes JMP 70D2000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegDeleteKeyA 7C2E7025 6 Bytes JMP 7068000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegCreateKeyA 7C2E96C8 6 Bytes JMP 710B000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegCreateKeyW 7C2E9954 6 Bytes JMP 7108000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!LookupPrivilegeValueW 7C2ECE3F 6 Bytes JMP 708F000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!AdjustTokenPrivileges 7C2ED6D0 6 Bytes JMP 708C000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!LookupPrivilegeValueA 7C2ED762 6 Bytes JMP 7092000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegCreateKeyExA 7C2ED804 6 Bytes JMP 7111000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!OpenProcessToken + 1 7C2EDA8A 5 Bytes [25, 1E, 00, 94, 70] {AND EAX, 0x7094001e}
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegOpenKeyA 7C2EDC59 6 Bytes JMP 7105000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegSetValueExW 7C2EE5CB 6 Bytes JMP 70F6000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegQueryValueW 7C2EE7C9 6 Bytes JMP 70F0000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegSetValueExA 7C2EE841 6 Bytes JMP 70F9000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegOpenKeyExA 7C2EF4C0 6 Bytes JMP 70FF000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegQueryValueExA 7C2EF5E6 4 Bytes [FF, 25, 1E, 00]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegQueryValueExA + 5 7C2EF5EB 1 Byte [70]
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegCreateKeyExW 7C2EF8EA 6 Bytes JMP 710E000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegOpenKeyExW 7C2F49B1 6 Bytes JMP 70FC000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70EA000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!RegOpenKeyW 7C2F4C09 6 Bytes JMP 7102000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7168000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!CreateServiceA 7C314B39 6 Bytes JMP 7123000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] ADVAPI32.dll!CreateServiceW 7C314CF9 6 Bytes JMP 7120000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] SHELL32.dll!ShellExecuteExW 7CF5204B 6 Bytes JMP 7144000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] SHELL32.dll!ShellExecuteEx 7CF59607 6 Bytes JMP 7147000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] SHELL32.dll!ShellExecuteW 7CFA6B71 6 Bytes JMP 714A000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] SHELL32.dll!ShellExecuteA 7CFA6BE5 6 Bytes JMP 714D000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] SHELL32.dll!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 70B4000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] SHELL32.dll!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 70B7000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] WININET.dll!InternetOpenUrlA 63017FDC 6 Bytes JMP 70AE000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1532] WININET.dll!InternetOpenUrlW 6301A462 6 Bytes JMP 70A4000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] ntdll.dll!NtLoadDriver 77F885BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] ntdll.dll!NtLoadDriver + 4 77F885C0 2 Bytes [25, 71]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!DeviceIoControl 7C579423 6 Bytes JMP 70B1000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateRemoteThread 7C57B412 6 Bytes JMP 716E000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 7138000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateDirectoryA + 1 7C57FF2B 5 Bytes [25, 1E, 00, A6, 70] {AND EAX, 0x70a6001e}
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateDirectoryW 7C57FF46 6 Bytes JMP 70A4000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!WriteFile 7C5863E8 6 Bytes JMP 70A1000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!DeleteFileA + 1 7C58762C 5 Bytes [25, 1E, 00, 73, 70] {AND EAX, 0x7073001e}
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!DeleteFileW 7C587643 6 Bytes JMP 7071000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!MoveFileA 7C58789E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!MoveFileA + 4 7C5878A2 2 Bytes [5E, 70]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!MoveFileExA + 1 7C5878B5 5 Bytes [25, 1E, 00, 58, 70] {AND EAX, 0x7058001e}
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!MoveFileW 7C587BB2 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!MoveFileW + 4 7C587BB6 2 Bytes [5B, 70]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!MoveFileExW + 1 7C587BC9 5 Bytes [25, 1E, 00, 55, 70] {AND EAX, 0x7055001e}
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CopyFileA 7C589075 6 Bytes JMP 70C3000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CopyFileW 7C5890CA 6 Bytes JMP 70C0000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CopyFileExA 7C5890E9 6 Bytes JMP 70BD000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CopyFileExW 7C589DDE 6 Bytes JMP 70BA000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateFileA 7C58C243 6 Bytes JMP 70E4000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateFileW 7C58C275 6 Bytes JMP 70E7000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!VirtualAlloc 7C58E8DD 6 Bytes JMP 70DB000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!VirtualProtect 7C58E9EE 6 Bytes JMP 70D8000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!VirtualProtectEx 7C58EA08 6 Bytes JMP 7129000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!LoadLibraryA 7C59026D 6 Bytes JMP 715F000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!LoadLibraryW 7C59031E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!LoadLibraryW + 4 7C590322 2 Bytes [5B, 71]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 716B000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!GetProcAddress 7C590CF7 6 Bytes JMP 711A000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!LoadResource 7C591150 6 Bytes JMP 70C6000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!GetVolumeInformationA 7C593C52 6 Bytes JMP 7117000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!GetVolumeInformationW 7C593E22 6 Bytes JMP 7114000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateProcessA 7C595040 6 Bytes JMP 7153000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateProcessW 7C596981 6 Bytes JMP 7150000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 7053000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!TerminateProcess 7C596A9D 6 Bytes JMP 7165000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!WinExec 7C59752A 6 Bytes JMP 7141000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!WriteProcessMemory 7C597990 6 Bytes JMP 7162000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateMutexA 7C599DF3 6 Bytes JMP 708F000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateMutexW 7C599E5B 6 Bytes JMP 708C000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!OpenMutexA 7C599EFD 6 Bytes JMP 7089000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!OpenMutexW 7C599F6A 6 Bytes JMP 7086000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateThread 7C59B87C 6 Bytes JMP 70DE000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!TerminateThread 7C59BB59 6 Bytes JMP 713B000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!SetThreadContext + 1 7C59BBEE 5 Bytes [25, 1E, 00, 9D, 70] {AND EAX, 0x709d001e}
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!CreateToolhelp32Snapshot 7C59CC0E 6 Bytes JMP 70E1000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!MultiByteToWideChar 7C5B89EC 6 Bytes JMP 7083000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] KERNEL32.dll!WideCharToMultiByte 7C5B9279 6 Bytes JMP 7062000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1604] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7068000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!RegOpenKeyExA 7C2EF4C0 6 Bytes JMP 70FF000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!RegQueryValueExA 7C2EF5E6 4 Bytes [FF, 25, 1E, 00]
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!RegQueryValueExA + 5 7C2EF5EB 1 Byte [70]
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!RegCreateKeyExW 7C2EF8EA 6 Bytes JMP 710E000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!RegOpenKeyExW 7C2F49B1 6 Bytes JMP 70FC000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!RegQueryValueExW 7C2F4ABA 6 Bytes JMP 70EA000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!RegOpenKeyW 7C2F4C09 6 Bytes JMP 7102000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!LsaRemoveAccountRights 7C30D051 6 Bytes JMP 7168000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!CreateServiceA 7C314B39 6 Bytes JMP 7123000A
.text C:\Program Files\Eraser\eraser.exe[1744] ADVAPI32.dll!CreateServiceW 7C314CF9 6 Bytes JMP 7120000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!GetKeyState 77E165F2 6 Bytes JMP 7135000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!GetKeyboardState 77E176B8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!GetKeyboardState + 4 77E176BC 2 Bytes [2E, 71]
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!GetWindowTextA 77E176C6 6 Bytes JMP 70CF000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!SetWindowTextA 77E18C24 6 Bytes JMP 7068000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!SetWindowsHookExA 77E19BE4 6 Bytes JMP 7159000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!GetAsyncKeyState 77E1A2A0 6 Bytes JMP 7132000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!CreateWindowExA 77E1CF8C 6 Bytes JMP 707A000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!ShowWindow 77E1CFBE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!ShowWindow + 4 77E1CFC2 2 Bytes [C8, 70]
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!DrawTextA 77E22BEE 6 Bytes JMP 7080000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!CreateWindowExW 77E23CA5 6 Bytes JMP 7077000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!DrawTextW 77E287C2 6 Bytes JMP 707D000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!GetWindowTextW 77E2F254 6 Bytes JMP 70CC000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!SetWindowsHookExW 77E39C81 6 Bytes JMP 7156000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!SetWindowTextW 77E3A311 6 Bytes JMP 7065000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!DdeConnect 77E3FE82 6 Bytes JMP 712C000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!EndTask 77E420FA 6 Bytes JMP 713E000A
.text C:\Program Files\Eraser\eraser.exe[1744] USER32.dll!SetWinEventHook 77E508C3 6 Bytes JMP 711D000A
.text C:\Program Files\Eraser\eraser.exe[1744] SHELL32.DLL!ShellExecuteExW 7CF5204B 6 Bytes JMP 7144000A
.text C:\Program Files\Eraser\eraser.exe[1744] SHELL32.DLL!ShellExecuteEx 7CF59607 6 Bytes JMP 7147000A
.text C:\Program Files\Eraser\eraser.exe[1744] SHELL32.DLL!ShellExecuteW 7CFA6B71 6 Bytes JMP 714A000A
.text C:\Program Files\Eraser\eraser.exe[1744] SHELL32.DLL!ShellExecuteA 7CFA6BE5 6 Bytes JMP 714D000A
.text C:\Program Files\Eraser\eraser.exe[1744] SHELL32.DLL!Shell_NotifyIconW 7CFA815D 6 Bytes JMP 70B4000A
.text C:\Program Files\Eraser\eraser.exe[1744] SHELL32.DLL!Shell_NotifyIcon 7CFA825C 6 Bytes JMP 70B7000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyW] 70F40000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegCreateKeyExA] 71080000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 716A0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 716A0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] 714B0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\NETAPI32.dll [ADVAPI32.dll!RegOpenKeyW] 70F40000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\NETAPI32.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\NETAPI32.dll [ADVAPI32.dll!RegCreateKeyExW] 71040000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\NETAPI32.dll [ADVAPI32.dll!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.dll!RegCreateKeyExW] 71040000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\WS2_32.DLL [ADVAPI32.DLL!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\WS2_32.DLL [ADVAPI32.DLL!RegCreateKeyExA] 71080000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\WS2HELP.DLL [ADVAPI32.DLL!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileA] 70D20000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 716A0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] 714F0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] 714B0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExA] 71080000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyA] 71000000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyW] 70FC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExW] 71040000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyA] 70F80000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyW] 70F40000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 716A0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] 714B0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyExW] 71040000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyW] 70FC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyW] 70F40000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [ADVAPI32.dll!RegCreateKeyW] 70FC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [ADVAPI32.dll!RegCreateKeyExW] 71040000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [ADVAPI32.dll!RegOpenKeyW] 70F40000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExW] 716A0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] 714B0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 71590000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 716A0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!CreateProcessW] 714B0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyW] 70F40000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyA] 70F80000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 71040000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\iphlpapi.dll [ADVAPI32.dll!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\iphlpapi.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!CreateFileA] 70D20000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [ADVAPI32.dll!RegOpenKeyExW] 70EC0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [ADVAPI32.dll!RegOpenKeyExA] 70F00000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [ADVAPI32.dll!RegCreateKeyExW] 71040000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [ADVAPI32.dll!RegCreateKeyExA] 71080000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] 71120000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] 715D0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716A0000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!CreateFileA] 70D20000
IAT C:\WINNT\system32\MSTask.exe[1048] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!CreateFileW] 70D60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegCreateKeyW] 70EC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegOpenKeyW] 70E40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegCreateKeyExW] 70F40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [ADVAPI32.DLL!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateFileA] 70C20000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyW] 70E40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegCreateKeyExA] 70F80000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateFileA] 70C20000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyExA] 70F80000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyA] 70F00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyW] 70EC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegCreateKeyExW] 70F40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyA] 70E80000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyW] 70E40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHLWAPI.DLL [ADVAPI32.dll!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateFileA] 70C20000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyExW] 70F40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyW] 70EC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyW] 70E40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [ADVAPI32.dll!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [ADVAPI32.dll!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [ADVAPI32.dll!RegOpenKeyW] 70E40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [ADVAPI32.dll!RegOpenKeyA] 70E80000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\OLE32.DLL [ADVAPI32.dll!RegCreateKeyExW] 70F40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [ADVAPI32.dll!RegOpenKeyW] 70E40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [ADVAPI32.dll!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [ADVAPI32.dll!RegCreateKeyExW] 70F40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [ADVAPI32.dll!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!CreateFileW] 70C60000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.dll!RegCreateKeyExW] 70F40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\Secur32.dll [ADVAPI32.dll!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2_32.DLL [ADVAPI32.DLL!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2_32.DLL [ADVAPI32.DLL!RegCreateKeyExA] 70F80000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2HELP.DLL [ADVAPI32.DLL!RegOpenKeyExA] 70E00000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USERENV.DLL [ADVAPI32.dll!RegCreateKeyW] 70EC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USERENV.DLL [ADVAPI32.dll!RegOpenKeyExW] 70DC0000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USERENV.DLL [ADVAPI32.dll!RegCreateKeyExW] 70F40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USERENV.DLL [ADVAPI32.dll!RegOpenKeyW] 70E40000
IAT C:\WINNT\Explorer.EXE[1496] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

End of GMER full scan
==================

Jintan
Posted 11-17-2009 3:04 (GMT +2)
Some type of possible worm activity shows. Let's correct a little, then repair scan, which is also set to correct the problem services.



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.



Make a copy of the following list, then close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')


-------------------

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.


sjrsquared
Posted 11-17-2009 9:24 (GMT +2)
Hallo

Thanks for the reply, and all your assistance

Combofix had some problems when I ran it :

I wasn't offered the option of installing recovery console
3 'pev.exe' errors came on screen with a dialog box
Also there was an error accessing a 32788R22FWKJFW\n.pif file

Here's the log

Thanks again

==================================
ComboFix 09-11-16.05 - Simon 17/11/2009 18:47..1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.293 [GMT 0:00]
Running from: c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Desktop\sjr298765.com

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 4
SED: can't read PersonalFile99: No such file or directory


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\winnt\Web\default.htt

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 18:45 . 2009-11-17 18:45 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_504.dat
2009-11-17 18:32 . 2009-11-17 18:32 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_23c.dat
2009-11-16 19:01 . 2009-11-16 19:02 -------- d-----w- C:\rsit
2009-11-15 23:17 . 2009-11-15 23:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-14 15:43 . 2009-11-14 15:43 -------- d-----w- C:\VundoFix Backups
2009-11-14 11:44 . 2009-11-14 16:20 -------- d-----w- C:\Tools
2009-11-14 11:06 . 2009-11-14 11:07 -------- d-----w- c:\documents and settings\Emily\Application Data\SiteAdvisor
2009-11-13 23:33 . 2003-06-19 12:05 30749 ----a-w- c:\winnt\system32\vbajet32.dll
2009-11-13 23:33 . 2003-06-19 12:05 380957 ----a-w- c:\winnt\system32\expsrv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 23:21 . 2008-10-29 07:37 -------- d-----w- c:\program files\Java
2009-11-14 15:46 . 2009-06-04 17:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 14:56 . 2009-06-04 17:45 -------- d---a-w- c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2009-11-14 11:45 . 2008-10-29 20:52 -------- d-----w- c:\program files\UltimateZip
2009-11-13 21:20 . 2008-10-29 18:50 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-11-13 21:20 . 2008-10-29 18:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-13 21:17 . 2008-10-29 18:51 -------- d---a-w- c:\documents and settings\All Users.WINNT\Application Data\TEMP
2009-11-12 20:18 . 2009-06-04 17:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-05 21:35 . 2008-10-29 20:09 -------- d-----w- c:\program files\Opera
2009-11-05 21:29 . 2008-12-06 16:54 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-10-17 15:17 . 2009-10-17 15:17 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2009-10-15 18:08 . 2009-10-15 18:08 -------- d-----w- c:\documents and settings\Emily\Application Data\Malwarebytes
2009-10-14 15:39 . 2009-10-14 15:39 -------- d-----w- c:\documents and settings\Jackie\Application Data\Malwarebytes
2009-10-13 08:36 . 2009-10-13 08:36 -------- d-----w- c:\documents and settings\Sandra\Application Data\Malwarebytes
2009-10-12 20:11 . 2009-06-28 18:08 4045528 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-29 13:18 . 2009-03-24 09:42 -------- d-----w- c:\program files\ThreatFire
2009-09-23 14:07 . 2009-09-23 13:44 59664 ----a-w- c:\winnt\system32\drivers\TfSysMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 33552 ----a-w- c:\winnt\system32\drivers\TfNetMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 51984 ----a-w- c:\winnt\system32\drivers\TfFsMon.sys
2009-09-10 13:54 . 2009-06-04 17:41 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-06-04 17:41 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-05 06:36 . 1999-12-07 19:00 55056 ----a-w- c:\winnt\system32\msasn1.dll
2009-08-29 08:28 . 2009-08-29 08:28 152576 ----a-w- c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-27 14:51 . 2009-08-27 14:51 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-08-21 16:06 . 2008-10-28 23:25 247326 ----a-w- c:\winnt\system32\strmdll.dll
2009-08-20 14:09 . 2009-08-20 14:09 1193832 ----a-w- c:\winnt\system32\FM20.DLL
2008-10-28 22:28 . 2008-10-26 07:08 21952 ---h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2002-11-26 19:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\program files\Eraser\eraser.exe" [2009-06-10 334224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-10-06 5058560]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2003-10-06 49152]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 36640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Emily\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Jackie\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 TfFsMon;TfFsMon;c:\winnt\system32\drivers\TfFsMon.sys [23/09/2009 13:44 51984]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\winnt\system32\drivers\TfNetMon.sys [23/09/2009 13:44 33552]
S3 PSI;PSI;c:\winnt\system32\drivers\psi_mf.sys [17/06/2009 12:20 12648]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

NETSVCS REQUIRES REPAIRS - current entries shown
wzcsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\winnt\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-13 15:10]
.
.
------- Supplementary Scan -------
.
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://powersoccer.mygames.co.uk/applet/PowerLoader.cab
FF - ProfilePath - c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Application Data\Mozilla\Firefox\Profiles\rz9xtfv1.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCman000&fl=0&ptb=CwcPOhlLb.u2Qui8Y6Itow&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\OpenOffice.org 3\program\npsoplugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSMSGS - c:\program files\Messenger\Msmsgs.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 18:58
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(196)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(1424)
c:\winnt\AppPatch\AcLayers.DLL
c:\program files\SiteAdvisor\6261\saHook.dll
c:\winnt\system32\SHDOCVW.DLL

- - - - - - - > 'csrss.exe'(176)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2009-11-17 19:02
ComboFix-quarantined-files.txt 2009-11-17 19:02

Pre-Run: 88,087,834,624 bytes free
Post-Run: 88,066,301,952 bytes free

- - End Of File - - 7B74946338A890F0D5C1E12ED416ED14

==============================================================

Jintan
Posted 11-18-2009 2:48 (GMT +2)
A missing system file that ComboFix did not automatically replace. Even though it ran into some troubles we will need to use ComboFix to attempt to locate a replacement for that file. Be very sure all security software, including firewall software, is temp disabled when running ComboFix.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

KillAll::
MIA::
c:\winnt\system32\comres.dll

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.



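The log reading behind the reply above, as an added example that is not part of the original thread and is not ComboFix's own code: a small Python parser that pulls out the files ComboFix flags ("is infected!!" / "is missing!!"), checks whether the log's file listing shows a same-named copy under dllcache, and reads the NETSVCS repair marker. The sample log is constructed from lines quoted in this thread, and all function names are hypothetical.

```python
import ntpath
import re

# Constructed sample, shaped like the ComboFix log lines quoted in this thread.
SAMPLE_LOG = r"""
((((( Other Deletions )))))
.
c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is missing!!

.
((((( Files Created from 2009-10-18 to 2009-11-18 )))))
.
2009-11-13 23:33 . 2003-06-19 12:05 380957 ----a-w- c:\winnt\system32\expsrv.dll
2009-11-13 22:23 . 1999-11-30 23:40 107792 -c--a-w- c:\winnt\system32\dllcache\xlog.exe

NETSVCS REQUIRES REPAIRS - current entries shown
wzcsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
"""

# "<path> . . . is infected!!" / "<path> . . . is missing!!"
FLAG_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?) \. \. \. is (?P<state>infected|missing)!![ \t]*$",
    re.I | re.M,
)

# "<created> . <modified> <size|--------> <attrs> <path>"
LISTING_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>[a-z]:\\.+?)[ \t]*$",
    re.I | re.M,
)


def netsvcs_entries(log):
    """Return the entries listed under the NETSVCS repair marker.

    Returns None when the marker is absent, so callers can tell
    "no repair needed" apart from "repair needed, list is empty".
    """
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().upper().startswith("NETSVCS REQUIRES REPAIRS"):
            entries = []
            for following in lines[i + 1:]:
                if not following.strip():
                    break  # the block ends at the first blank line
                entries.append(following.strip())
            return entries
    return None


def triage(log):
    """Summarise flagged files and the NetSvcs state from one log."""
    states = {}
    for m in FLAG_RE.finditer(log):
        # Keep every state in the order the log reports it.
        states.setdefault(m.group("path").lower(), []).append(
            m.group("state").lower()
        )

    # File names the listing shows under a dllcache directory. The listing
    # only covers recently created files, so "not listed" does not prove
    # that no cached copy exists on disk.
    cached = {
        ntpath.basename(m.group("path")).lower()
        for m in LISTING_RE.finditer(log)
        if "\\dllcache\\" in m.group("path").lower()
    }

    files = [
        {
            "path": path,
            "states": seen,
            "reported_missing": "missing" in seen,
            "cached_copy_listed": ntpath.basename(path) in cached,
        }
        for path, seen in states.items()
    ]
    return {"files": files, "netsvcs": netsvcs_entries(log)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for entry in report["files"]:
        print(entry)
    print("netsvcs entries:", report["netsvcs"])
```
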

sjrsquared
Posted 11-19-2009 1:45 (GMT +2)
Hallo

I installed recovery console from the Win2k CD, and ran CScript with those commands as you requested.

I did have an error on screen - "cannot import creg.dat - error accessing registry"

I also notice that the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows is greyed out, unreadable and I can't change its permissions even with regedt32 in Safe mode...

Here's the log

Thanks again
=============
ComboFix 09-11-16.05 - Simon 18/11/2009 18:50..1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.330 [GMT 0:00]
Running from: c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Desktop\sjr298765.com
Command switches used :: c:\docume~1\SIMON~1.HOM\Desktop\CFScript.txt
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-18 18:57 . 2009-11-18 18:57 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_138.dat
2009-11-18 18:57 . 2009-11-18 18:57 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_234.dat
2009-11-17 19:05 . 2009-11-17 19:05 -------- d--h--w- c:\winnt\PIF
2009-11-15 23:17 . 2009-11-15 23:26 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-14 11:44 . 2009-11-18 06:54 -------- d-----w- C:\Tools
2009-11-13 23:33 . 2003-06-19 12:05 30749 ----a-w- c:\winnt\system32\vbajet32.dll
2009-11-13 23:33 . 2003-06-19 12:05 380957 ----a-w- c:\winnt\system32\expsrv.dll
2009-11-13 22:12 . 1999-09-30 15:25 16016 -c--a-w- c:\winnt\system32\dllcache\ne2000.sys
2009-11-13 22:11 . 1999-09-25 11:11 11344 -c--a-w- c:\winnt\system32\dllcache\ncrc710.sys
2009-11-13 22:11 . 1999-12-07 16:43 128240 -c--a-w- c:\winnt\system32\dllcache\n9i3disp.dll
2009-11-13 22:11 . 1999-09-25 10:37 28240 -c--a-w- c:\winnt\system32\dllcache\n9i3d.sys
2009-11-13 22:11 . 1999-09-25 10:37 33392 -c--a-w- c:\winnt\system32\dllcache\n9i128v2.sys
2009-11-13 22:11 . 1999-12-07 16:43 100592 -c--a-w- c:\winnt\system32\dllcache\n9i128v2.dll
2009-11-13 22:11 . 1999-09-25 10:37 13936 -c--a-w- c:\winnt\system32\dllcache\n9i128.sys
2009-11-13 22:11 . 1999-12-07 16:43 35760 -c--a-w- c:\winnt\system32\dllcache\n9i128.dll
2009-11-13 22:11 . 1999-10-27 14:48 87824 -c--a-w- c:\winnt\system32\dllcache\n100nt5.sys
2009-11-13 22:11 . 1999-10-12 15:35 34576 -c--a-w- c:\winnt\system32\dllcache\n1000nt5.sys
2009-11-13 22:11 . 1999-11-01 16:49 20112 -c--a-w- c:\winnt\system32\dllcache\mxnic.sys
2009-11-13 22:10 . 1999-11-30 23:39 11024 -c--a-w- c:\winnt\system32\dllcache\msmusd.dll
2009-11-13 22:10 . 1999-09-25 10:35 2832 -c--a-w- c:\winnt\system32\dllcache\msmpu401.sys
2009-11-13 22:10 . 2002-08-09 16:10 86097 -c--a-w- c:\winnt\system32\dllcache\msir2jp.dll
2009-11-13 22:09 . 1999-10-26 15:30 35440 -c--a-w- c:\winnt\system32\dllcache\msgame.sys
2009-11-13 22:09 . 1999-11-05 21:23 9488 -c--a-w- c:\winnt\system32\dllcache\mraid35x.sys
2009-11-13 22:08 . 2003-06-19 12:05 11632 -c--a-w- c:\winnt\system32\dllcache\mouhid.sys
2009-11-13 22:08 . 1999-10-21 11:34 6608 -c--a-w- c:\winnt\system32\dllcache\miniqic.sys
2009-11-13 22:07 . 1999-09-30 21:29 8976 -c--a-w- c:\winnt\system32\dllcache\mgwantr5.sys
2009-11-13 22:07 . 1999-11-30 23:39 41984 -c--a-w- c:\winnt\system32\dllcache\mgwanpp.dll
2009-11-13 22:07 . 1999-09-24 19:17 67504 -c--a-w- c:\winnt\system32\dllcache\mgwan5.sys
2009-11-13 22:07 . 1999-11-30 23:40 91408 -c--a-w- c:\winnt\system32\dllcache\mgwan.exe
2009-11-13 22:07 . 1999-09-24 19:18 33840 -c--a-w- c:\winnt\system32\dllcache\mgsync5.sys
2009-11-13 22:07 . 1999-11-30 23:39 21264 -c--a-w- c:\winnt\system32\dllcache\mgslpp.dll
2009-11-13 22:07 . 1999-09-24 19:17 40944 -c--a-w- c:\winnt\system32\dllcache\mgsl5.sys
2009-11-13 22:07 . 1999-09-24 19:17 10000 -c--a-w- c:\winnt\system32\dllcache\mgfrtrc5.sys
2009-11-13 22:07 . 1999-11-30 23:39 63760 -c--a-w- c:\winnt\system32\dllcache\mgfrpp.dll
2009-11-13 22:07 . 1999-11-30 23:40 97040 -c--a-w- c:\winnt\system32\dllcache\mgfrmon.exe
2009-11-13 22:07 . 1999-09-30 21:29 53232 -c--a-w- c:\winnt\system32\dllcache\mgfr5.sys
2009-11-13 22:05 . 2003-06-19 12:05 33328 -c--a-w- c:\winnt\system32\dllcache\lp6nds35.sys
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdth3.dll
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdth2.dll
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdth1.dll
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdth0.dll
2009-11-13 22:04 . 1999-11-30 01:33 8464 -c--a-w- c:\winnt\system32\dllcache\kbdkor.dll
2009-11-13 22:04 . 1999-11-30 01:33 8976 -c--a-w- c:\winnt\system32\dllcache\kbdjpn.dll
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdintam.dll
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdinmar.dll
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdinhin.dll
2009-11-13 22:04 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdindev.dll
2009-11-13 22:03 . 2002-08-09 16:09 7440 -c--a-w- c:\winnt\system32\dllcache\kbdhu.dll
2009-11-13 22:03 . 1999-10-04 15:04 13744 -c--a-w- c:\winnt\system32\dllcache\kbdhid.sys
2009-11-13 22:03 . 2002-08-09 16:10 6416 -c--a-w- c:\winnt\system32\dllcache\kbdheb.dll
2009-11-13 22:03 . 1999-11-30 01:33 7440 -c--a-w- c:\winnt\system32\dllcache\kbd106.dll
2009-11-13 22:03 . 1999-11-30 01:33 6416 -c--a-w- c:\winnt\system32\dllcache\kbd103.dll
2009-11-13 22:03 . 1999-11-30 01:33 6928 -c--a-w- c:\winnt\system32\dllcache\kbd101c.dll
2009-11-13 22:03 . 1999-11-30 01:33 6416 -c--a-w- c:\winnt\system32\dllcache\kbd101b.dll
2009-11-13 22:03 . 2003-06-19 12:05 9968 -c--a-w- c:\winnt\system32\dllcache\jvcmc.sys
2009-11-13 22:03 . 1999-11-30 23:39 45840 -c--a-w- c:\winnt\system32\dllcache\iyuv_32.dll
2009-11-13 22:02 . 1999-11-30 23:39 17168 -c--a-w- c:\winnt\system32\dllcache\isaprop.dll
2009-11-13 22:02 . 1999-09-25 11:11 14736 -c--a-w- c:\winnt\system32\dllcache\ipsraidn.sys
2009-11-13 22:02 . 1999-09-24 19:17 27408 -c--a-w- c:\winnt\system32\dllcache\ipc08a5.sys
2009-11-13 22:02 . 1999-10-19 14:28 46160 -c--a-w- c:\winnt\system32\dllcache\ip5515.sys
2009-11-13 22:02 . 1999-09-30 21:29 36592 -c--a-w- c:\winnt\system32\dllcache\io8.sys
2009-11-13 22:02 . 2003-06-19 12:05 4624 -c--a-w- c:\winnt\system32\dllcache\intelide.sys
2009-11-13 22:02 . 1999-09-25 10:34 12816 -c--a-w- c:\winnt\system32\dllcache\inport.sys
2009-11-13 22:02 . 1999-09-25 11:11 16208 -c--a-w- c:\winnt\system32\dllcache\ini910u.sys
2009-11-13 22:02 . 2002-08-09 16:10 45056 -c--a-w- c:\winnt\system32\dllcache\imejpuex.exe
2009-11-13 22:02 . 2002-08-09 16:10 57344 -c--a-w- c:\winnt\system32\dllcache\imejpmgr.exe
2009-11-13 22:02 . 2002-08-09 16:10 475136 -c--a-w- c:\winnt\system32\dllcache\imejpcus.dll
2009-11-13 22:01 . 1999-10-22 14:54 32592 -c--a-w- c:\winnt\system32\dllcache\ichaud.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 07:27 . 2008-11-03 21:49 20312 ----a-w- c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 06:37 . 2009-06-04 17:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 23:21 . 2008-10-29 07:37 -------- d-----w- c:\program files\Java
2009-11-14 14:56 . 2009-06-04 17:45 -------- d---a-w- c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2009-11-14 11:45 . 2008-10-29 20:52 -------- d-----w- c:\program files\UltimateZip
2009-11-13 21:20 . 2008-10-29 18:50 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-11-13 21:20 . 2008-10-29 18:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-13 21:17 . 2008-10-29 18:51 -------- d---a-w- c:\documents and settings\All Users.WINNT\Application Data\TEMP
2009-11-12 20:18 . 2009-06-04 17:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-05 21:35 . 2008-10-29 20:09 -------- d-----w- c:\program files\Opera
2009-11-05 21:29 . 2008-12-06 16:54 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-10-17 15:17 . 2009-10-17 15:17 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2009-10-15 18:08 . 2009-10-15 18:08 -------- d-----w- c:\documents and settings\Emily\Application Data\Malwarebytes
2009-10-14 15:39 . 2009-10-14 15:39 -------- d-----w- c:\documents and settings\Jackie\Application Data\Malwarebytes
2009-10-13 08:36 . 2009-10-13 08:36 -------- d-----w- c:\documents and settings\Sandra\Application Data\Malwarebytes
2009-10-12 20:11 . 2009-06-28 18:08 4045528 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-29 13:18 . 2009-03-24 09:42 -------- d-----w- c:\program files\ThreatFire
2009-09-23 14:07 . 2009-09-23 13:44 59664 ----a-w- c:\winnt\system32\drivers\TfSysMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 33552 ----a-w- c:\winnt\system32\drivers\TfNetMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 51984 ----a-w- c:\winnt\system32\drivers\TfFsMon.sys
2009-09-10 13:54 . 2009-06-04 17:41 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-06-04 17:41 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-05 06:36 . 1999-12-07 19:00 55056 ----a-w- c:\winnt\system32\msasn1.dll
2009-08-29 08:28 . 2009-08-29 08:28 152576 ----a-w- c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-27 14:51 . 2009-08-27 14:51 576512 ------w- c:\winnt\system32\WININET.DLL
2009-08-21 16:06 . 2008-10-28 23:25 247326 ----a-w- c:\winnt\system32\strmdll.dll
2008-10-28 22:28 . 2008-10-26 07:08 21952 ---h--w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2002-11-26 19:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-17_18.58.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-28 22:18 . 2009-11-18 06:40 131688 c:\winnt\system32\FNTCACHE.DAT
- 2008-10-28 22:18 . 2009-06-15 16:04 131688 c:\winnt\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\program files\Eraser\eraser.exe" [2009-06-10 334224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-10-06 5058560]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2003-10-06 49152]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-05 149280]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Emily\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Jackie\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

R0 TfFsMon;TfFsMon;c:\winnt\system32\drivers\TfFsMon.sys [23/09/2009 13:44 51984]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\winnt\system32\drivers\TfNetMon.sys [23/09/2009 13:44 33552]
S3 PSI;PSI;c:\winnt\system32\drivers\psi_mf.sys [17/06/2009 12:20 12648]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

NETSVCS REQUIRES REPAIRS - current entries shown
wzcsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
.
------- Supplementary Scan -------
.
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://powersoccer.mygames.co.uk/applet/PowerLoader.cab
FF - ProfilePath - c:\documents and settings\Simon.HOME-PQTX7ZVV6M\Application Data\Mozilla\Firefox\Profiles\rz9xtfv1.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCman000&fl=0&ptb=CwcPOhlLb.u2Qui8Y6Itow&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-18 18:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(196)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(1308)
c:\winnt\AppPatch\AcLayers.DLL
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\winnt\system32\SHDOCVW.DLL

- - - - - - - > 'csrss.exe'(176)
c:\program files\ThreatFire\TFWAH.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\LEXBCES.EXE
c:\winnt\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\winnt\system32\nvsvc32.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\program files\ThreatFire\TFService.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\winnt\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-11-18 19:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-18 19:02
ComboFix2.txt 2009-11-18 07:47
ComboFix3.txt 2009-11-17 19:02

Pre-Run: 88,369,868,800 bytes free
Post-Run: 88,367,505,408 bytes free

- - End Of File - - 78D143B48E84597A11740E3D9A50F820

=============

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-19-2009 2:37 (GMT +2)
Damaged important Registry value we will need to check and repair. And still that missing file. You may need to locate a clean copy of the following file from a different Win 2K system:

c:\winnt\system32\comres.dll <----


Open Firefox, and click the dropdown arrow at the top right next to the search setting,
and select "Manage Search Engines". In that list click to highlight MyWebSearch, then click the Remove button. If necessary select a different one as a default first, then remove MyWebSearch.

------------------

Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

:filefind
comres.dll


Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.

--------------------

@ECHO OFF
if exist winkey.txt del winkey.txt 
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v NetSvcs > winkey.txt 
notepad winkey.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "cfgcheck.bat"

Be sure to include the "" quotes in the name. Then click on cfgcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-19-2009 2:39 (GMT +2)
One additional check, to verify the file paths of those problem services there.

@ECHO OFF
if exist Checkit.txt del /q Checkit.txt
REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS"  /v ImagePath > Checkit2.txt
REG QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv"  /v ImagePath> Checkit3.txt
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem"  /v ImagePath> Checkit4.txt
Type Checkit*.txt > Results.txt
del /q Checkit*.txt 
Notepad Results.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "3serv.bat"

Be sure to include the "" quotes in the name. Then click on 3serv.bat. When the scan completes a textbox will open - copy/paste those contents back here please.



sjrsquared
New Member
Date Joined Nov 2009
Total Posts : 14
Posted 11-20-2009 1:54 (GMT +2)
The last instructions are causing me trouble :

1. Am having problems locating comres.dll. It's not on another win2k system I have
2. The command 'reg' doesn't work in a win2k dos window - is it an XP onwards .exe ?

So no news to report. Sorry
I'll read the values you want directly out of the registry later. (PC is at home...)

Thanks

Simon

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-20-2009 7:16 (GMT +2)
I tend to forget this is not XP. ComboFix added a command function we should be able to use though. As for the file, I will check for you and see if it is a system specific version required, but it may take some time to make time for that.


@ECHO OFF
if exist Checkit.txt del /q Checkit.txt
swreg QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS"  /v ImagePath > Checkit2.txt
swreg QUERY "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv"  /v ImagePath> Checkit3.txt
swreg QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem"  /v ImagePath> Checkit4.txt
swreg QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v NetSvcs > Checkit5.txt
Type Checkit*.txt > Results.txt
del /q Checkit*.txt 
Notepad Results.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "4serv.bat"

Be sure to include the "" quotes in the name. Then click on 3serv.bat. When the scan completes a textbox will open - copy/paste those contents back here please.



sjrsquared
New Member
Date Joined Nov 2009
Total Posts : 14
Posted 11-21-2009 12:10 (GMT +2)
Hi

Here are the results


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\bits
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k BITSgroup

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wuauserv
ImagePath REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k wugroup

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventsystem
ImagePath REG_EXPAND_SZ C:\WINNT\System32\svchost.exe -k netsvcs

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
NetSvcs REG_MULTI_SZ wzcsvc\0\0

Thanks

Simon

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-22-2009 2:36 (GMT +2)
Those file paths look okay, which is one area something has been altering lately. I did some checking, and you will need to locate a clean copy of that file. Maybe start emailing friends etc., and ask.



sjrsquared
New Member
Date Joined Nov 2009
Total Posts : 14
Posted 11-25-2009 1:44 (GMT +2)
Hi. I installed win2000 into a VMWare machine, and no comres.dll appeared. However, I did alter the last registry key in your list to match the fresh install, and the Windows Update function is now working. Also, I logged on in Safe Mode as Administrator and was able to unlock that 'Windows' key.

Apart from the missing comres.dll, is there anything else I should try to do? Is the PC free of malware now, so I can pick up one of the 'now your pc is cleaned up' lists and make sure I follow it?

Thanks for your help

Simon

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-25-2009 4:31 (GMT +2)
That's a pretty sharp idea. A bit labor intensive, but your findings seem to match what I am picking up in some web researching on the file. I see Java using it on 2K systems, but nothing that indicates it is native to 2K, and so perhaps missing because the file name is on the wrong list. Better to go ahead while we still have this thread open and do one other scan. Are you having any problems right now we need to address still?


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.



sjrsquared
New Member
Date Joined Nov 2009
Total Posts : 14
Posted 11-25-2009 9:29 (GMT +2)
Here's the output :

C:\Documents and Settings\Jonathan\Local Settings\Application Data\Opera\Opera\profile\cache4\opr00MF7 a variant of Win32/AdInstaller application deleted - quarantined

D:\Recovery\Documents and Settings\Simon\Local Settings\Temp\07290802203\z4barSpInstall.exe a variant of Win32/AdInstaller application cleaned by deleting - quarantined

Thanks again for your help

Simon

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-26-2009 1:04 (GMT +2)
Malware installers, so no active infection being picked up. Let's check on the value ComboFix suggested is altered.

cd\
swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"  /v netsvcs > lookie.txt
notepad lookie.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "netcheck.bat"

Be sure to include the "" quotes in the name. Then click on netcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please.



sjrsquared
New Member
Date Joined Nov 2009
Total Posts : 14
Posted 11-26-2009 1:14 (GMT +2)
Hi

Interacting in real time - yippee :-)

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
netsvcs REG_MULTI_SZ EventSystem\0Ias\0Iprip\0Irmon\0Netman\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0SENS\0Sharedaccess\0Tapisrv\0Ntmssvc\0wzcsvc\0\0

Those are values I inserted from the fresh VMWare install ....

Simon
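
Added example, not part of the thread or of any tool used in it: svchost.exe -k <group> only hosts services that are listed in that group's value under the Svchost key, so a service whose ImagePath names a group it is not listed in cannot be loaded. The Python sketch below cross-checks the swreg output pasted in this thread, once with the gutted NetSvcs value and once with the restored one; the function names and status labels are assumptions of this example.

```python
import re

# swreg output copied from the thread (tool banner lines omitted).
SERVICES = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\bits
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k BITSgroup

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wuauserv
ImagePath REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k wugroup

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\eventsystem
ImagePath REG_EXPAND_SZ C:\WINNT\System32\svchost.exe -k netsvcs
"""
SVCHOST_KEY = "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost\n"
# NetSvcs as first reported (gutted) and after the value was restored.
GUTTED = SVCHOST_KEY + r"NetSvcs REG_MULTI_SZ wzcsvc\0\0"
REPAIRED = SVCHOST_KEY + (
    r"netsvcs REG_MULTI_SZ EventSystem\0Ias\0Iprip\0Irmon\0Netman\0Nwsapagent"
    r"\0Rasauto\0Rasman\0Remoteaccess\0SENS\0Sharedaccess\0Tapisrv\0Ntmssvc\0wzcsvc\0\0"
)

VALUE_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
GROUP_RE = re.compile(r'svchost\.exe"?\s+-k\s+(\S+)', re.IGNORECASE)


def parse_swreg(text):
    """Return (services, groups) parsed from pasted swreg QUERY output.

    services: service name -> svchost group from its ImagePath (None if the
              ImagePath is not an 'svchost.exe -k <group>' command line)
    groups:   svchost group name -> set of member service names
    All names are lowercased because registry names are case-insensitive.
    """
    services, groups = {}, {}
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("HKEY_"):
            key = line.lower()
            continue
        match = VALUE_RE.match(line)
        if not match or not key:
            continue  # blank lines, tool banners, anything that is not a value
        name, reg_type, data = match.groups()
        parts = key.split("\\")
        if len(parts) >= 2 and parts[-2] == "services" and name.lower() == "imagepath":
            group = GROUP_RE.search(data)
            services[parts[-1]] = group.group(1).lower() if group else None
        elif key.endswith("\\currentversion\\svchost") and reg_type == "REG_MULTI_SZ":
            # swreg prints the MULTI_SZ separators as a literal backslash-zero.
            groups[name.lower()] = {s.lower() for s in data.split("\\0") if s}
    return services, groups


def audit(text):
    """Map each service to ok / missing-from-group / group-not-captured / not-svchost."""
    services, groups = parse_swreg(text)
    result = {}
    for service, group in services.items():
        if group is None:
            result[service] = "not-svchost"
        elif group not in groups:
            # The group's value was never queried, so nothing can be concluded.
            result[service] = "group-not-captured"
        elif service in groups[group]:
            result[service] = "ok"
        else:
            result[service] = "missing-from-group"
    return result


if __name__ == "__main__":
    for label, svchost_dump in (("gutted", GUTTED), ("repaired", REPAIRED)):
        print(label, audit(SERVICES + svchost_dump))
```

BITS and wuauserv come back as group-not-captured because the thread only queried the NetSvcs value, not BITSgroup or wugroup.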

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-26-2009 1:36 (GMT +2)
Very good. Just a caution - copying from what is called a "vanilla" install is not always the correct method, so not good to assume it is in every instance. For this value though, as malware apparently had already basically gutted it, then your choice would be the right one. No malware or its settings/changes showing now, so all clean. Before we just do some last steps here to finish our work, post back if there are any problems we still need to address please.



sjrsquared
New Member
Date Joined Nov 2009
Total Posts : 14
Posted 11-26-2009 2:10 (GMT +2)
No other problems I am aware of. Appreciate your word of warning. Wasn't quite vanilla, it had had SP4 applied as well.

BTW Your link about sponsoring your friend is now closed for donations....

Thanks

Simon

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-26-2009 2:55 (GMT +2)
Thanks - I knew she had met her quota, but was not sure exactly when the whole procedure would be done. Other equally good worthy causes I can replace that with. Just some last steps now to finish our work here.


Eset, if you don't plan to use it again, uninstalls through Add/Remove Programs.



You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTM.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used.

Click OTM.exe to run it and click on Cleanup. You'll be asked if you want to begin cleanup process? Select Yes.

OTM will search for and delete/uninstall many of the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. Go ahead and do that now to complete the removals, and then you can delete what remains.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.



sjrsquared
New Member
Date Joined Nov 2009
Total Posts : 14
Posted 11-28-2009 1:44 (GMT +2)
Thanks very much for all your help

Simon

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1424
Posted 11-28-2009 6:01 (GMT +2)
It was a good team effort, and I was glad to have helped.

