GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-29 13:49:50
Windows 5.1.2600 Service Pack 2
Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 Hitachi_ rev.JP2O
Running: 28vp6kon.exe; Driver: E:\DOCUME~1\KRZY~1\USTAWI~1\Temp\fgtdapob.sys


---- System - GMER 1.0.15 ----

SSDT 88DA16D0 ZwAlertResumeThread
SSDT 88DA46D0 ZwAlertThread
SSDT 88DA3700 ZwAllocateVirtualMemory
SSDT 88E386F0 ZwConnectPort
SSDT sptd.sys ZwCreateKey [0xB7ED4FA0]
SSDT 88D7D700 ZwCreateMutant
SSDT 8820BCB0 ZwCreateThread
SSDT sptd.sys ZwEnumerateKey [0xB7F08698]
SSDT sptd.sys ZwEnumerateValueKey [0xB7F08A26]
SSDT 88D9D700 ZwFreeVirtualMemory
SSDT 88D9B6D0 ZwImpersonateAnonymousToken
SSDT 88D9E6D0 ZwImpersonateThread
SSDT 88D9A6F0 ZwMapViewOfSection
SSDT 88D986D0 ZwOpenEvent
SSDT sptd.sys ZwOpenKey [0xB7ED4F80]
SSDT 88E1D6D0 ZwOpenProcessToken
SSDT 88D92700 ZwOpenThreadToken
SSDT \??\E:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB822D840]
SSDT sptd.sys ZwQueryKey [0xB7F08AFE]
SSDT sptd.sys ZwQueryValueKey [0xB7F0897E]
SSDT 88E276D0 ZwResumeThread
SSDT 88DAA6D0 ZwSetContextThread
SSDT 88D95700 ZwSetInformationProcess
SSDT 88D8D700 ZwSetInformationThread
SSDT sptd.sys ZwSetValueKey [0xB7F08B90]
SSDT 88D966D0 ZwSuspendProcess
SSDT 88DA66D0 ZwSuspendThread
SSDT 88E266D0 ZwTerminateProcess
SSDT 88DA86D0 ZwTerminateThread
SSDT 88DAC6D0 ZwUnmapViewOfSection
SSDT 88DA0700 ZwWriteVirtualMemory

INT 0x73 ? 89BCBCB8
INT 0x83 ? 89BCBCB8
INT 0xB4 ? 89A23CB8

---- Kernel code sections - GMER 1.0.15 ----

.text sptd.sys B7E98000 28 Bytes [30, 48, 6E, 80, A4, 9B, 6E, ...]
.text sptd.sys B7E9801D 3 Bytes [49, 6E, 80]
.text sptd.sys B7E98024 164 Bytes [6E, 42, 53, 80, 68, A9, 54, ...]
.text sptd.sys B7E980C9 259 Bytes [88, 53, 80, A0, 8A, 53, 80, ...]
.text sptd.sys B7E981D4 4 Bytes [27, 39, 4F, 4E] {DAA ; CMP [EDI+0x4e], ECX}
.text ...
.sptd2 E:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB7F441AA]
? E:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B7AA962C 5 Bytes JMP 89A231C8
.text E:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71B2360, 0x354C5F, 0xE8000020]
init E:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB1D6E280]

---- User code sections - GMER 1.0.15 ----

.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] ntdll.dll!NtCreateThread 7C90D7D2 6 Bytes PUSH 011952A1; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] ntdll.dll!LdrLoadDll + 1 7C9161CB 5 Bytes [7C, 54, 19, 01, C3] {JL 0x56; SBB [ECX], EAX; RET }
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] KERNEL32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 011956E5; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] KERNEL32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 011956A4; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 01195762; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] ADVAPI32.dll!CreateProcessAsUserA 77E00958 6 Bytes PUSH 0119574B; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 011A0B69; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetDC 77D38697 6 Bytes PUSH 011A0AEB; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 011925E6; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetWindowDC 77D38FF9 6 Bytes PUSH 011A0B2A; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 011A4A06; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 011A4A56; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 011A4967; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 0119A84E; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD4C7D6
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 0119A54A; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!BeginPaint 77D3B4B1 6 Bytes PUSH 011A09E0; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!EndPaint 77D3B4C5 6 Bytes PUSH 011A0A50; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 011A0BA9; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 0119A780; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 011A4839; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 011A4807; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!SetCapture 77D3C988 6 Bytes PUSH 011A48BD; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 011A4917; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 011A0C3C; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 011A4A81; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 0119A590; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 0119A7C9; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetDCEx 77D3F21D 6 Bytes PUSH 011A0A90; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 0119A89B; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 0119A93A; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 0119A5D6; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 0119A61C; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 0119A662; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 0119A6F4; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!OpenInputDesktop 77D56607 6 Bytes PUSH 0119A4DC; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!SwitchDesktop 77D579A3 6 Bytes PUSH 0119A52C; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 011A4A2E; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 0119275C; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 0119A6AB; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 0119A73A; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 011A4880; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 01192883; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WS2_32.dll!send 71A5428A 6 Bytes PUSH 01192CAA; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 01192813; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 01192CCB; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 01192C72; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 011907A7; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 0118FB8E; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 0118FE46; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 0118FC21; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 0118FFE6; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 0118FEB3; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 0118FFBA; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 0118FC76; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 0118FB50; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 0118FF60; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 0118FEE1; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 0118FBCC; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 0118FD13; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 0118FDB0; RET
.text E:\Program Files\Lexmark 1400 Series\lxdjamon.exe[348] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 0118FDFB; RET

.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] ntdll.dll!NtCreateThread 7C90D7D2 6 Bytes PUSH 02DA52A1; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] ntdll.dll!LdrLoadDll + 1 7C9161CB 5 Bytes [7C, 54, DA, 02, C3] {JL 0x56; FIADD DWORD [EDX]; RET }
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] kernel32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 02DA56E5; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 02DA56A4; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 02DB0B69; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetDC 77D38697 6 Bytes PUSH 02DB0AEB; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 02DA25E6; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetWindowDC 77D38FF9 6 Bytes PUSH 02DB0B2A; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 02DB4A06; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 02DB4A56; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 02DB4967; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 02DAA84E; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD688D6
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 02DAA54A; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!BeginPaint 77D3B4B1 6 Bytes PUSH 02DB09E0; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!EndPaint 77D3B4C5 6 Bytes PUSH 02DB0A50; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 02DB0BA9; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 02DAA780; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 02DB4839; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 02DB4807; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!SetCapture 77D3C988 6 Bytes PUSH 02DB48BD; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 02DB4917; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 02DB0C3C; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 02DB4A81; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 02DAA590; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 02DAA7C9; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetDCEx 77D3F21D 6 Bytes PUSH 02DB0A90; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 02DAA89B; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 02DAA93A; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 02DAA5D6; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 02DAA61C; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 02DAA662; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 02DAA6F4; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!OpenInputDesktop 77D56607 6 Bytes PUSH 02DAA4DC; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!SwitchDesktop 77D579A3 6 Bytes PUSH 02DAA52C; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 02DB4A2E; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 02DA275C; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 02DAA6AB; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 02DAA73A; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 02DB4880; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 02DA5762; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] ADVAPI32.dll!CreateProcessAsUserA 77E00958 6 Bytes PUSH 02DA574B; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 02DA2883; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WS2_32.dll!send 71A5428A 6 Bytes PUSH 02DA2CAA; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 02DA2813; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 02DA2CCB; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 02DA2C72; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 02DA07A7; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 02D9FB8E; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 02D9FE46; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 02D9FC21; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 02D9FFE6; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 02D9FEB3; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 02D9FFBA; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 02D9FC76; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 02D9FB50; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 02D9FF60; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 02D9FEE1; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 02D9FBCC; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 02D9FD13; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 02D9FDB0; RET
.text E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[1248] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 02D9FDFB; RET

.text E:\WINDOWS\Explorer.EXE[1588] ntdll.dll!NtCreateThread 7C90D7D2 6 Bytes PUSH 01A752A1; RET
.text E:\WINDOWS\Explorer.EXE[1588] ntdll.dll!LdrLoadDll + 1 7C9161CB 5 Bytes [7C, 54, A7, 01, C3] {JL 0x56; CMPSD ; ADD EBX, EAX}
.text E:\WINDOWS\Explorer.EXE[1588] kernel32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 01A756E5; RET
.text E:\WINDOWS\Explorer.EXE[1588] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 01A756A4; RET
.text E:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 01A75762; RET
.text E:\WINDOWS\Explorer.EXE[1588] ADVAPI32.dll!CreateProcessAsUserA 77E00958 6 Bytes PUSH 01A7574B; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 01A80B69; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetDC 77D38697 6 Bytes PUSH 01A80AEB; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 01A725E6; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetWindowDC 77D38FF9 6 Bytes PUSH 01A80B2A; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 01A84A06; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 01A84A56; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 01A84967; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 01A7A84E; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD555D6
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 01A7A54A; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!BeginPaint 77D3B4B1 6 Bytes PUSH 01A809E0; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!EndPaint 77D3B4C5 6 Bytes PUSH 01A80A50; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 01A80BA9; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 01A7A780; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 01A84839; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 01A84807; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!SetCapture 77D3C988 6 Bytes PUSH 01A848BD; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 01A84917; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 01A80C3C; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 01A84A81; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 01A7A590; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 01A7A7C9; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetDCEx 77D3F21D 6 Bytes PUSH 01A80A90; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 01A7A89B; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 01A7A93A; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 01A7A5D6; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 01A7A61C; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 01A7A662; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 01A7A6F4; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!OpenInputDesktop 77D56607 6 Bytes PUSH 01A7A4DC; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!SwitchDesktop 77D579A3 6 Bytes PUSH 01A7A52C; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 01A84A2E; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 01A7275C; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 01A7A6AB; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 01A7A73A; RET
.text E:\WINDOWS\Explorer.EXE[1588] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 01A84880; RET
.text E:\WINDOWS\Explorer.EXE[1588] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 01A707A7; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 01A6FB8E; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 01A6FE46; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 01A6FC21; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 01A6FFE6; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 01A6FEB3; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 01A6FFBA; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 01A6FC76; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 01A6FB50; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 01A6FF60; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 01A6FEE1; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 01A6FBCC; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 01A6FD13; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 01A6FDB0; RET
.text E:\WINDOWS\Explorer.EXE[1588] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 01A6FDFB; RET
.text E:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 01A72883; RET
.text E:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!send 71A5428A 6 Bytes PUSH 01A72CAA; RET
.text E:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 01A72813; RET
.text E:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 01A72CCB; RET
.text E:\WINDOWS\Explorer.EXE[1588] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 01A72C72; RET

.text E:\WINDOWS\system32\rundll32.exe[1624] ntdll.dll!NtCreateThread 7C90D7D2 4 Bytes [68, A1, 52, BB]
.text E:\WINDOWS\system32\rundll32.exe[1624] ntdll.dll!NtCreateThread + 5 7C90D7D7 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] ntdll.dll!LdrLoadDll + 1 7C9161CB 3 Bytes [7C, 54, BB]
.text E:\WINDOWS\system32\rundll32.exe[1624] ntdll.dll!LdrLoadDll + 5 7C9161CF 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] kernel32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 00BB56E5; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 00BB56A4; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 00BC0B69; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetDC 77D38697 4 Bytes [68, EB, 0A, BC]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetDC + 5 77D3869C 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 00BB25E6; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetWindowDC 77D38FF9 4 Bytes [68, 2A, 0B, BC]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetWindowDC + 5 77D38FFE 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 00BC4A06; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 00BC4A56; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 00BC4967; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 00BBA84E; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD469D6
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 00BBA54A; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!BeginPaint 77D3B4B1 4 Bytes [68, E0, 09, BC]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!BeginPaint + 5 77D3B4B6 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!EndPaint 77D3B4C5 4 Bytes [68, 50, 0A, BC]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!EndPaint + 5 77D3B4CA 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 00BC0BA9; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 00BBA780; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 00BC4839; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 00BC4807; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!SetCapture 77D3C988 4 Bytes [68, BD, 48, BC]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!SetCapture + 5 77D3C98D 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 00BC4917; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 00BC0C3C; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 00BC4A81; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 00BBA590; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 00BBA7C9; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetDCEx 77D3F21D 4 Bytes [68, 90, 0A, BC]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetDCEx + 5 77D3F222 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 00BBA89B; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 00BBA93A; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 00BBA5D6; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 00BBA61C; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 00BBA662; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 00BBA6F4; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!OpenInputDesktop 77D56607 4 Bytes [68, DC, A4, BB]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!OpenInputDesktop + 5 77D5660C 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!SwitchDesktop 77D579A3 4 Bytes [68, 2C, A5, BB]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!SwitchDesktop + 5 77D579A8 1 Byte [C3]
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 00BC4A2E; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 00BB275C; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 00BBA6AB; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 00BBA73A; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 00BC4880; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 00BB5762; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] ADVAPI32.dll!CreateProcessAsUserA 77E00958 6 Bytes PUSH 00BB574B; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 00BB07A7; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 00BB2883; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WS2_32.dll!send 71A5428A 6 Bytes PUSH 00BB2CAA; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 00BB2813; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 00BB2CCB; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 00BB2C72; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 00BAFB8E; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 00BAFE46; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 00BAFC21; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 00BAFFE6; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 00BAFEB3; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 00BAFFBA; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 00BAFC76; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 00BAFB50; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 00BAFF60; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 00BAFEE1; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 00BAFBCC; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 00BAFD13; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 00BAFDB0; RET
.text E:\WINDOWS\system32\rundll32.exe[1624] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 00BAFDFB; RET

.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] ntdll.dll!NtCreateThread 7C90D7D2 4 Bytes [68, A1, 52, 9B]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] ntdll.dll!NtCreateThread + 5 7C90D7D7 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] ntdll.dll!LdrLoadDll + 1 7C9161CB 3 Bytes [7C, 54, 9B] {JL 0x56; WAIT }
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] ntdll.dll!LdrLoadDll + 5 7C9161CF 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] kernel32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 009B56E5; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 009B56A4; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 009B5762; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] ADVAPI32.dll!CreateProcessAsUserA 77E00958 6 Bytes PUSH 009B574B; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 009C0B69; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetDC 77D38697 4 Bytes [68, EB, 0A, 9C]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetDC + 5 77D3869C 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 009B25E6; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetWindowDC 77D38FF9 4 Bytes [68, 2A, 0B, 9C]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetWindowDC + 5 77D38FFE 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 009C4A06; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 009C4A56; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 009C4967; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 009BA84E; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD449D6
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 009BA54A; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!BeginPaint 77D3B4B1 4 Bytes [68, E0, 09, 9C]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!BeginPaint + 5 77D3B4B6 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!EndPaint 77D3B4C5 4 Bytes [68, 50, 0A, 9C]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!EndPaint + 5 77D3B4CA 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 009C0BA9; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 009BA780; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 009C4839; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 009C4807; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!SetCapture 77D3C988 4 Bytes [68, BD, 48, 9C]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!SetCapture + 5 77D3C98D 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 009C4917; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 009C0C3C; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 009C4A81; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 009BA590; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 009BA7C9; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetDCEx 77D3F21D 4 Bytes [68, 90, 0A, 9C]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetDCEx + 5 77D3F222 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 009BA89B; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 009BA93A; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 009BA5D6; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 009BA61C; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 009BA662; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 009BA6F4; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!OpenInputDesktop 77D56607 4 Bytes [68, DC, A4, 9B]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!OpenInputDesktop + 5 77D5660C 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!SwitchDesktop 77D579A3 4 Bytes [68, 2C, A5, 9B]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!SwitchDesktop + 5 77D579A8 1 Byte [C3]
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 009C4A2E; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 009B275C; RET
.text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656]
USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 009BA6AB; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 009BA73A; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 009C4880; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 009AFB8E; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 009AFE46; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 009AFC21; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 009AFFE6; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 009AFEB3; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 009AFFBA; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 009AFC76; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 009AFB50; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 009AFF60; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 009AFEE1; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 009AFBCC; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 009AFD13; RET .text E:\Program 
Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 009AFDB0; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 009AFDFB; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 009B07A7; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 009B2883; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WS2_32.dll!send 71A5428A 6 Bytes PUSH 009B2CAA; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 009B2813; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 009B2CCB; RET .text E:\Program Files\Common Files\Java\Java Update\jusched.exe[1656] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 009B2C72; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtCreateThread 7C90D7D2 4 Bytes [68, A1, 52, BA] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtCreateThread + 5 7C90D7D7 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!LdrLoadDll + 1 7C9161CB 3 Bytes [7C, 54, BA] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!LdrLoadDll + 5 7C9161CF 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] kernel32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 00BA56E5; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 00BA56A4; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 00BB0B69; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetDC 77D38697 4 Bytes [68, EB, 0A, BB] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetDC + 5 77D3869C 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] 
USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 00BA25E6; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetWindowDC 77D38FF9 4 Bytes [68, 2A, 0B, BB] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetWindowDC + 5 77D38FFE 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 00BB4A06; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 00BB4A56; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 00BB4967; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 00BAA84E; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD468D6 .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 00BAA54A; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!BeginPaint 77D3B4B1 4 Bytes [68, E0, 09, BB] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!BeginPaint + 5 77D3B4B6 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!EndPaint 77D3B4C5 4 Bytes [68, 50, 0A, BB] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!EndPaint + 5 77D3B4CA 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 00BB0BA9; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 00BAA780; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 00BB4839; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 00BB4807; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!SetCapture 77D3C988 4 Bytes [68, BD, 48, BB] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!SetCapture + 5 77D3C98D 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 00BB4917; RET 
.text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 00BB0C3C; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 00BB4A81; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 00BAA590; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 00BAA7C9; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetDCEx 77D3F21D 4 Bytes [68, 90, 0A, BB] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetDCEx + 5 77D3F222 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 00BAA89B; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 00BAA93A; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 00BAA5D6; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 00BAA61C; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 00BAA662; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 00BAA6F4; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!OpenInputDesktop 77D56607 4 Bytes [68, DC, A4, BA] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!OpenInputDesktop + 5 77D5660C 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!SwitchDesktop 77D579A3 4 Bytes [68, 2C, A5, BA] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!SwitchDesktop + 5 77D579A8 1 Byte [C3] .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 00BB4A2E; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 00BA275C; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 00BAA6AB; RET .text 
E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 00BAA73A; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 00BB4880; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 00BA5762; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] ADVAPI32.dll!CreateProcessAsUserA 77E00958 6 Bytes PUSH 00BA574B; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 00BA2883; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WS2_32.dll!send 71A5428A 6 Bytes PUSH 00BA2CAA; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 00BA2813; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 00BA2CCB; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 00BA2C72; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 00BA07A7; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 00B9FB8E; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 00B9FE46; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 00B9FC21; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 00B9FFE6; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 00B9FEB3; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 00B9FFBA; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 00B9FC76; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 00B9FB50; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] 
WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 00B9FF60; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 00B9FEE1; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 00B9FBCC; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 00B9FD13; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 00B9FDB0; RET .text E:\WINDOWS\system32\RUNDLL32.EXE[1996] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 00B9FDFB; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] ntdll.dll!NtCreateThread 7C90D7D2 4 Bytes [68, A1, 52, A9] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] ntdll.dll!NtCreateThread + 5 7C90D7D7 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] ntdll.dll!LdrLoadDll + 1 7C9161CB 3 Bytes [7C, 54, A9] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] ntdll.dll!LdrLoadDll + 5 7C9161CF 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] kernel32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 00A956E5; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 00A956A4; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 00A95762; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] ADVAPI32.dll!CreateProcessAsUserA 77E00958 6 Bytes PUSH 00A9574B; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 00AA0B69; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetDC 77D38697 4 Bytes [68, EB, 0A, AA] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetDC + 5 77D3869C 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 00A925E6; RET .text 
E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetWindowDC 77D38FF9 4 Bytes [68, 2A, 0B, AA] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetWindowDC + 5 77D38FFE 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 00AA4A06; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 00AA4A56; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 00AA4967; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 00A9A84E; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD457D6 .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 00A9A54A; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!BeginPaint 77D3B4B1 4 Bytes [68, E0, 09, AA] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!BeginPaint + 5 77D3B4B6 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!EndPaint 77D3B4C5 4 Bytes [68, 50, 0A, AA] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!EndPaint + 5 77D3B4CA 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 00AA0BA9; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 00A9A780; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 00AA4839; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 00AA4807; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!SetCapture 77D3C988 4 Bytes [68, BD, 48, AA] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!SetCapture + 5 77D3C98D 1 Byte [C3] .text 
E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 00AA4917; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 00AA0C3C; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 00AA4A81; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 00A9A590; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 00A9A7C9; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetDCEx 77D3F21D 4 Bytes [68, 90, 0A, AA] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetDCEx + 5 77D3F222 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 00A9A89B; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 00A9A93A; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 00A9A5D6; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 00A9A61C; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 00A9A662; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 00A9A6F4; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!OpenInputDesktop 77D56607 4 Bytes [68, DC, A4, A9] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!OpenInputDesktop + 5 77D5660C 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!SwitchDesktop 77D579A3 4 Bytes [68, 2C, A5, A9] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!SwitchDesktop + 5 77D579A8 1 Byte [C3] .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 00AA4A2E; 
RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 00A9275C; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 00A9A6AB; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 00A9A73A; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 00AA4880; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 00A92883; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WS2_32.dll!send 71A5428A 6 Bytes PUSH 00A92CAA; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 00A92813; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 00A92CCB; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 00A92C72; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 00A907A7; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 00A8FB8E; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 00A8FE46; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 00A8FC21; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 00A8FFE6; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 00A8FEB3; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 00A8FFBA; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 00A8FC76; RET .text 
E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 00A8FB50; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 00A8FF60; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 00A8FEE1; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 00A8FBCC; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 00A8FD13; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 00A8FDB0; RET .text E:\WINDOWS\system32\WTablet\TabUserW.exe[2076] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 00A8FDFB; RET .text E:\Program Files\28vp6kon.exe[2740] ntdll.dll!NtCreateThread 7C90D7D2 4 Bytes [68, A1, 52, 14] .text E:\Program Files\28vp6kon.exe[2740] ntdll.dll!NtCreateThread + 5 7C90D7D7 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] ntdll.dll!LdrLoadDll + 1 7C9161CB 3 Bytes [7C, 54, 14] .text E:\Program Files\28vp6kon.exe[2740] ntdll.dll!LdrLoadDll + 5 7C9161CF 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] kernel32.dll!GetFileAttributesExW 7C81130D 6 Bytes PUSH 001456E5; RET .text E:\Program Files\28vp6kon.exe[2740] kernel32.dll!ExitProcess 7C81CAA2 6 Bytes PUSH 001456A4; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!ReleaseDC 77D3866D 6 Bytes PUSH 00150B69; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetDC 77D38697 4 Bytes [68, EB, 0A, 15] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetDC + 5 77D3869C 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!TranslateMessage 77D38BCE 6 Bytes PUSH 001425E6; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetWindowDC 77D38FF9 4 Bytes [68, 2A, 0B, 15] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetWindowDC + 5 77D38FFE 1 Byte [C3] .text 
E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetMessageW 77D391A3 6 Bytes PUSH 00154A06; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!PeekMessageW 77D39278 6 Bytes PUSH 00154A56; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetCapture 77D394FF 6 Bytes PUSH 00154967; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!RegisterClassW 77D3A5EC 6 Bytes PUSH 0014A84E; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!RegisterClassExW 77D3AE29 6 Bytes CALL 3AD3C2D6 .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefWindowProcW 77D3B1E5 6 Bytes PUSH 0014A54A; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!BeginPaint 77D3B4B1 4 Bytes [68, E0, 09, 15] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!BeginPaint + 5 77D3B4B6 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!EndPaint 77D3B4C5 4 Bytes [68, 50, 0A, 15] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!EndPaint + 5 77D3B4CA 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetUpdateRect 77D3BCEC 6 Bytes PUSH 00150BA9; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!CallWindowProcW 77D3C019 6 Bytes PUSH 0014A780; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetCursorPos 77D3C566 6 Bytes PUSH 00154839; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetMessagePos 77D3C6E4 6 Bytes PUSH 00154807; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!SetCapture 77D3C988 4 Bytes [68, BD, 48, 15] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!SetCapture + 5 77D3C98D 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!ReleaseCapture 77D3C9A4 6 Bytes PUSH 00154917; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetUpdateRgn 77D3CE3B 6 Bytes PUSH 00150C3C; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!PeekMessageA 77D3CEFD 6 Bytes PUSH 00154A81; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefWindowProcA 77D3DF6B 6 Bytes PUSH 0014A590; RET .text 
E:\Program Files\28vp6kon.exe[2740] USER32.dll!CallWindowProcA 77D3E34B 6 Bytes PUSH 0014A7C9; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetDCEx 77D3F21D 4 Bytes [68, 90, 0A, 15] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetDCEx + 5 77D3F222 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!RegisterClassA 77D42316 6 Bytes PUSH 0014A89B; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!RegisterClassExA 77D44315 6 Bytes PUSH 0014A93A; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefDlgProcW 77D44CFA 6 Bytes PUSH 0014A5D6; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefDlgProcA 77D4759D 6 Bytes PUSH 0014A61C; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefFrameProcW 77D5430C 6 Bytes PUSH 0014A662; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefMDIChildProcW 77D54520 6 Bytes PUSH 0014A6F4; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!OpenInputDesktop 77D56607 4 Bytes [68, DC, A4, 14] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!OpenInputDesktop + 5 77D5660C 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!SwitchDesktop 77D579A3 4 Bytes [68, 2C, A5, 14] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!SwitchDesktop + 5 77D579A8 1 Byte [C3] .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetMessageA 77D5EA45 6 Bytes PUSH 00154A2E; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!GetClipboardData 77D5FCB2 6 Bytes PUSH 0014275C; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefFrameProcA 77D6F685 6 Bytes PUSH 0014A6AB; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!DefMDIChildProcA 77D6F6D4 6 Bytes PUSH 0014A73A; RET .text E:\Program Files\28vp6kon.exe[2740] USER32.dll!SetCursorPos 77D75E8C 6 Bytes PUSH 00154880; RET .text E:\Program Files\28vp6kon.exe[2740] ADVAPI32.dll!CreateProcessAsUserW 77DE7775 6 Bytes PUSH 00145762; RET .text E:\Program Files\28vp6kon.exe[2740] ADVAPI32.dll!CreateProcessAsUserA 
77E00958 6 Bytes PUSH 0014574B; RET .text E:\Program Files\28vp6kon.exe[2740] WS2_32.dll!getaddrinfo 71A52A6F 6 Bytes PUSH 00142883; RET .text E:\Program Files\28vp6kon.exe[2740] WS2_32.dll!send 71A5428A 6 Bytes PUSH 00142CAA; RET .text E:\Program Files\28vp6kon.exe[2740] WS2_32.dll!gethostbyname 71A54FD4 6 Bytes PUSH 00142813; RET .text E:\Program Files\28vp6kon.exe[2740] WS2_32.dll!WSASend 71A56233 6 Bytes PUSH 00142CCB; RET .text E:\Program Files\28vp6kon.exe[2740] WS2_32.dll!closesocket 71A59639 6 Bytes PUSH 00142C72; RET .text E:\Program Files\28vp6kon.exe[2740] CRYPT32.dll!PFXImportCertStore 77ADF748 6 Bytes PUSH 001407A7; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpOpenRequestA 771B4AC5 6 Bytes PUSH 0013FB8E; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!InternetCloseHandle 771B61DC 6 Bytes PUSH 0013FE46; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpSendRequestA 771B76B8 6 Bytes PUSH 0013FC21; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpQueryInfoA 771B8C6A 6 Bytes PUSH 0013FFE6; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!InternetReadFile 771B9555 6 Bytes PUSH 0013FEB3; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!InternetQueryDataAvailable 771C325F 6 Bytes PUSH 0013FFBA; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpSendRequestExW 771C53EB 6 Bytes PUSH 0013FC76; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpOpenRequestW 771C6345 6 Bytes PUSH 0013FB50; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!InternetSetFilePointer 771E71A5 6 Bytes PUSH 0013FF60; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!InternetReadFileExA 771E7E9A 6 Bytes PUSH 0013FEE1; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpSendRequestW 77201808 6 Bytes PUSH 0013FBCC; RET .text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpSendRequestExA 7720190D 6 Bytes PUSH 0013FD13; RET .text E:\Program Files\28vp6kon.exe[2740] 
WININET.dll!HttpEndRequestA 77201973 6 Bytes PUSH 0013FDB0; RET
.text E:\Program Files\28vp6kon.exe[2740] WININET.dll!HttpEndRequestW 772019A5 6 Bytes PUSH 0013FDFB; RET

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B7E9A20E] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B7E9970C] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B7E99EEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7E9970C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7E998F0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7E99832] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7E9A0CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7E99EEE] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89BC61E8
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbohci \Device\USBPDO-0 89A221E8
Device \Driver\usbehci \Device\USBPDO-1 89A131E8
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Cdrom \Device\CdRom0 899E0390
Device \Driver\atapi \Device\Ide\IdePort0 89C121E8
Device \Driver\atapi \Device\Ide\IdePort1 89C121E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89AA3430
Device \Driver\NetBT \Device\NetbiosSmb 89AA3430
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbohci \Device\USBFDO-0 89A221E8
Device \Driver\usbehci \Device\USBFDO-1 89A131E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89AA6430
Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89AA6430
Device \Driver\NetBT \Device\NetBT_Tcpip_{36D2CB52-F571-4FB1-87B5-E130B0178A60} 89AA3430
Device \Driver\nvgts \Device\Scsi\nvgts1Port2Path0Target0Lun0 89BC71E8
Device \Driver\nvgts \Device\Scsi\nvgts1Port2Path1Target1Lun0 89BC71E8
Device \Driver\nvgts \Device\Scsi\nvgts1 89BC71E8
Device \Driver\nvgts \Device\Scsi\nvgts2 89BC71E8
Device \FileSystem\Cdfs \Cdfs 89AA2430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000250
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000250@001c9ae6c30a 0xFC 0x51 0xD4 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000250 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000250@001c9ae6c30a 0xFC 0x51 0xD4 0xAC ...

---- EOF - GMER 1.0.15 ----