Fend off ICQ hacker attack!
08.04.2010, 10:47
Member
Posts: 28
08.04.2010, 11:54
Member
Posts: 3716
08.04.2010, 13:13
Member
Thread starter, Posts: 28
#3
Okay! I have worked through all the steps. Here are the log files. Thanks a lot in advance for the help!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:16, on 08.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Apache\bin\ApacheMonitor.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Users\SAM\Desktop\ck3xgdpu.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.218.211.57:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\SAM\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stibo.swh.mhn.de
O17 - HKLM\Software\..\Telephony: DomainName = stibo.swh.mhn.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stibo.swh.mhn.de
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Apache\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\FHMünchen\VPN Client\cvpnd.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10042 bytes

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3967
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

08.04.2010 12:14:52
mbam-log-2010-04-08 (12-14-52).txt

Scan type: Quick scan
Objects scanned: 106725
Time elapsed: 4 minute(s), 19 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 0

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
(No malicious items detected)

7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1 - Deutsch
Advanced Audio FX Engine
Apache HTTP Server 2.2.14
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Bonjour
CamStudio
CamStudio Lossless Codec v1.4
Catalyst Control Center - Branding
CCleaner (remove only)
Cisco Systems VPN Client 5.0.05.0290
DebugMode Wax 2.0
Dell Dock
Dell Edoc Viewer
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Video Chat
Dell Webcam Central
devolo dLAN-Konfigurationsassistent
devolo Informer
Dexpot
Directory Submitter 1.0.29
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
EA Download Manager
Free Audio CD Burner version 1.2
Free M4a to MP3 Converter 6.1
Free YouTube Download 2.3
Free YouTube to MP3 Converter version 3.2
GIMP 2.6.6
GoToAssist 8.0.0.514
Half-Life 2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICQ6.5
Integrated Webcam Driver (1.05.02.1227)
ITECIR
iTunes
Java(TM) 6 Update 17
Junk Mail filter update
LAME v3.98.2 for Audacity
Lullabye
Magnifying Glass 1.0
Malwarebytes' Anti-Malware
MediaCoder Audio Edition 0.7.0.4399
Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme
Microsoft .NET Framework 3.5 Language Pack SP1 - deu
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (German) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office Groove MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office PowerPoint Viewer 2007 (German)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (German) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.6.3)
MSVCRT
MySQL Server 5.1
Need for Speed™ Undercover
NVIDIA PhysX
PartyPoker
PHP 5.2.13
PokerStars
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype™ 4.1
Spybot - Search & Destroy
Steam
SUPER © Version 2010.bld.37 (Jan 2, 2010)
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Word 2007 (KB974561)
Update for Outlook 2007 Junk Email Filter (kb979895)
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Outlook 2007 Help (KB963677)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.762
VLC media player 1.0.5
WIDCOMM Bluetooth Software 6.1.0.4402
Windows Live Anmelde-Assistent
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Fotogalerie
Windows Live Mail
Windows Live Messenger
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
Windows Live-Uploadtool
Windows Media Player Firefox Plugin
WinRAR
Xvid 1.2.1 final uninstall

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-08 12:42:30
Windows 6.0.6002 Service Pack 2
Running: ck3xgdpu.exe; Driver: C:\Users\SAM\AppData\Local\Temp\pxddrpow.sys

---- System - GMER 1.0.15 ----

SSDT 810B5A1C ZwCreateThread
SSDT 810B5A08 ZwOpenProcess
SSDT 810B5A0D ZwOpenThread
SSDT 810B5A17 ZwTerminateProcess

INT 0x52 ? 86798BF8
INT 0x52 ? 86798BF8
INT 0x62 ? 86798BF8
INT 0x82 ? 86798BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 86798BF8
INT 0x92 ? 86798BF8
INT 0x92 ? 86798BF8
INT 0x92 ? 84B97BF8
INT 0xB2 ? 86798BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 820B3984 4 Bytes [1C, 5A, 0B, 81]
.text ntkrnlpa.exe!KeSetEvent + 3F1 820B3B54 4 Bytes [08, 5A, 0B, 81]
.text ntkrnlpa.exe!KeSetEvent + 40D 820B3B70 4 Bytes [0D, 5A, 0B, 81]
.text ntkrnlpa.exe!KeSetEvent + 621 820B3D84 4 Bytes [17, 5A, 0B, 81]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 540 820C6C00 23 Bytes [90, 90, 90, 33, C0, 40, C3, ...]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 558 820C6C18 42 Bytes CALL 8204D23D \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 584 820C6C44 10 Bytes [85, C0, 76, 2B, 8D, 8C, 46, ...]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 58F 820C6C4F 56 Bytes [66, 8B, 11, 66, 3B, 55, 14, ...]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 5C8 820C6C88 1 Byte [00]
.text ...
.text ntkrnlpa.exe!PsGetProcessDebugPort + BA 820C6FD6 35 Bytes [53, 53, 53, FF, 75, E0, FF, ...]
.text ntkrnlpa.exe!PsGetProcessDebugPort + DE 820C6FFA 333 Bytes [00, 00, 3B, F3, 75, 0A, 68, ...]
.text ntkrnlpa.exe!PsGetProcessDebugPort + 22C 820C7148 415 Bytes JMP 820C70BB \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!PsGetProcessDebugPort + 3CC 820C72E8 73 Bytes CALL 820E7711 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!PsGetProcessDebugPort + 416 820C7332 1 Byte [00]
.text ...
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + 21 820C7640 63 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + 61 820C7680 11 Bytes CALL 8204D829 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + 6D 820C768C 75 Bytes [90, 90, 90, 90, 90, 8B, 5D, ...]
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + B9 820C76D8 15 Bytes [66, FF, 00, 0F, B7, 00, 66, ...]
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + C9 820C76E8 87 Bytes CALL 82029CAB \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!WheaReportHwError + 5B 820C8422 39 Bytes [00, 00, 8B, F8, 3B, FE, 89, ...]
.text ntkrnlpa.exe!WheaReportHwError + 83 820C844A 81 Bytes [68, 22, 01, 00, 00, E8, 1B, ...]
.text ntkrnlpa.exe!WheaReportHwError + D6 820C849D 47 Bytes JMP 820C83E1 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!WheaReportHwError + 106 820C84CD 30 Bytes [74, 4A, F6, 47, 0C, 01, 74, ...]
.text ntkrnlpa.exe!WheaReportHwError + 125 820C84EC 136 Bytes [01, 00, 00, 8B, 44, 24, 10, ...]
.text ...
.text ntkrnlpa.exe!WheaGetErrorSource + 11 820C8CC8 1 Byte [00]
.text ntkrnlpa.exe!WheaGetErrorSource + 11 820C8CC8 17 Bytes [00, 00, 85, C0, 5F, 74, 05, ...]
.text ntkrnlpa.exe!WheaGetErrorSource + 23 820C8CDA 93 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!WheaGetErrorSource + 81 820C8D38 6 Bytes [00, 82, 33, C0, 5E, 5B] {ADD [EDX+0x5b5ec033], AL}
.text ntkrnlpa.exe!WheaGetErrorSource + 88 820C8D3F 75 Bytes [C2, 04, 00, 80, FB, 01, 75, ...]
.text ...
.text ntkrnlpa.exe!CcGetFileObjectFromSectionPtrsRef + 5 820C951C 502 Bytes [53, 56, 6A, 05, 59, 33, F6, ...]
.text ntkrnlpa.exe!CcDeferWrite + 14A 820C9713 2 Bytes [FF, 3B]
.text ntkrnlpa.exe!CcDeferWrite + 14D 820C9716 345 Bytes [74, 29, 8B, 46, 14, 3B, C7, ...]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + 86 820C9870 54 Bytes [A6, FB, FA, FF, 8B, 0B, 8B, ...]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + BE 820C98A8 5 Bytes [80, 74, 07, 3D, 54] {XOR BYTE [EDI+EAX+0x3d], 0x54}
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + C5 820C98AF 12 Bytes [C0, 75, 08, 6A, 00, 57, E8, ...]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + D2 820C98BC 1 Byte [6A]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + D2 820C98BC 27 Bytes CALL 820BA703 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!CcIsThereDirtyData + 13 820C99D6 41 Bytes [6A, 05, 59, FF, D7, 8B, 35, ...]
.text ntkrnlpa.exe!CcIsThereDirtyData + 3D 820C9A00 2 Bytes [74, 08] {JZ 0xa}
.text ntkrnlpa.exe!CcIsThereDirtyData + 40 820C9A03 90 Bytes [F7, 41, 2C, 00, 80, 74, 47, ...]
.text ntkrnlpa.exe!CcIsThereDirtyData + 9B 820C9A5E 36 Bytes [5F, 5E, 8A, C3, 5B, C9, C2, ...]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 10 820C9A83 24 Bytes [33, DB, FF, 15, 5C, 81, 00, ...]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 29 820C9A9C 7 Bytes [EB, 37, 8B, 41, 6C, 66, A9]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 31 820C9AA4 31 Bytes [08, 75, 29, 8B, 51, 44, 83, ...]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 51 820C9AC4 115 Bytes [C6, 45, FF, 01, 74, 12, 85, ...]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 31 820C9B38 1 Byte [00]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 31 820C9B38 5 Bytes [00, 00, 8D, 8E, B8]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 39 820C9B40 9 Bytes [8D, 54, 24, 24, FF, 15, 54, ...]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 43 820C9B4A 17 Bytes [8D, 7E, 10, 8B, 07, EB, 62, ...]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 55 820C9B5C 72 Bytes [74, 53, 8B, 70, 20, 8B, 50, ...]
.text ...
.text ntkrnlpa.exe!CcMdlWriteAbort + 21 820C9C30 11 Bytes [74, 05, C6, 44, 24, 0F, 01, ...]
.text ntkrnlpa.exe!CcMdlWriteAbort + 2D 820C9C3C 29 Bytes [8B, 1F, 74, 06, 57, E8, 24, ...]
.text ntkrnlpa.exe!CcMdlWriteAbort + 4D 820C9C5C 17 Bytes [6A, 05, 59, FF, 15, 5C, 81, ...]
.text ntkrnlpa.exe!CcMdlWriteAbort + 5F 820C9C6E 1 Byte [00]
.text ntkrnlpa.exe!CcMdlWriteAbort + 5F 820C9C6E 6 Bytes [00, 00, 8B, 46, 6C, A9]
.text ...
.text ntkrnlpa.exe!CcTestControl + 4 820C9D16 3 Bytes [C0, C2, 0C] {ROL DL, 0xc}
.text ntkrnlpa.exe!CcTestControl + 8 820C9D1A 43 Bytes [90, 90, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 11 820C9D48 7 Bytes [53, 56, 57, 8B, B8, C8, 06]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 19 820C9D50 34 Bytes [00, FF, 47, 0C, 8B, CF, 89, ...]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 3D 820C9D74 39 Bytes [FF, 47, 0C, 8B, CF, E8, B2, ...]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 65 820C9D9C 8 Bytes [00, 8D, 46, 08, 89, 40, 04, ...] {ADD [EBP+0x40890846], CL; ADD AL, 0x89}
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 6E 820C9DA5 74 Bytes [C6, 46, 14, 04, 8D, 44, 24, ...]
.text ...
.text ntkrnlpa.exe!ZwFreezeRegistry + 10 820CA886 5 Bytes [00, 76, 07, B8, 0D]
.text ntkrnlpa.exe!ZwFreezeRegistry + 16 820CA88C 9 Bytes [00, C0, EB, 38, 64, A1, 24, ...]
.text ntkrnlpa.exe!ZwFreezeRegistry + 20 820CA896 3 Bytes [8A, 80, E7]
.text ntkrnlpa.exe!ZwFreezeRegistry + 24 820CA89A 1 Byte [00]
.text ntkrnlpa.exe!ZwFreezeRegistry + 24 820CA89A 15 Bytes [00, 00, 88, 44, 24, 04, FF, ...]
.text ...
.text ntkrnlpa.exe!ZwThawRegistry + F 820CA8EA 5 Bytes [00, 8A, 80, E7, 00]
.text ntkrnlpa.exe!ZwThawRegistry + 15 820CA8F0 6 Bytes [00, 88, 44, 24, 04, FF] {ADD [EAX-0xfbdbbc], CL}
.text ntkrnlpa.exe!ZwThawRegistry + 1C 820CA8F7 18 Bytes [24, 04, FF, 35, 88, D1, 31, ...]
.text ntkrnlpa.exe!ZwThawRegistry + 2F 820CA90A 7 Bytes [84, C0, 75, 07, B8, 61, 00]
.text ntkrnlpa.exe!ZwThawRegistry + 37 820CA912 7 Bytes [C0, EB, 05, E8, F9, 36, 19]
.text ...
.text ntkrnlpa.exe!CmGetBoundTransaction + 16 820CA93E 49 Bytes [90, 90, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!CmGetBoundTransaction + 48 820CA970 27 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!CmGetBoundTransaction + 64 820CA98C 9 Bytes [00, 74, 0C, 6A, 01, 68, 50, ...] {ADD [ESP+ECX+0x6a], DH; ADD [EAX+0x50], EBP; LDS EDX, DWORD [EBX]}
.text ntkrnlpa.exe!CmGetBoundTransaction + 6E 820CA996 27 Bytes CALL 820B36ED \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!CmGetBoundTransaction + 8A 820CA9B2 5 Bytes [74, 0C, 6A, 01, 68]
.text ...
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadNoWait + 4 820CAD4C 1 Byte [00]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadNoWait + 4 820CAD4C 7 Bytes [00, 00, 33, C9, 05, E0, 05]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadNoWait + C 820CAD54 21 Bytes [00, 41, F0, 0F, C1, 08, C3, ...]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadResourceMiss + 5 820CAD6A 7 Bytes [00, 33, C9, 05, 60, 06, 00]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadResourceMiss + D 820CAD72 19 Bytes [41, F0, 0F, C1, 08, C3, CC, ...]
.text ntkrnlpa.exe!FsRtlIncrementCcFastMdlReadWait + 4 820CAD86 1 Byte [00]
.text ntkrnlpa.exe!FsRtlIncrementCcFastMdlReadWait + 4 820CAD86 7 Bytes [00, 00, 33, C9, 05, 24, 06]
.text ntkrnlpa.exe!FsRtlIncrementCcFastMdlReadWait + C 820CAD8E 31 Bytes [00, 41, F0, 0F, C1, 08, C3, ...]
.text ntkrnlpa.exe!FsRtlTruncateMcb + A 820CADAE 91 Bytes [FF, 75, 0C, FF, 75, 08, E8, ...]
.text ntkrnlpa.exe!FsRtlRemoveMcbEntry + F 820CAE0A 9 Bytes [FF, 75, 0C, FF, 75, 08, E8, ...]
.text ntkrnlpa.exe!FsRtlRemoveMcbEntry + 19 820CAE14 6 Bytes [00, 8B, E5, 5D, C2, 0C] {ADD [EBX+0xcc25de5], CL}
.text ntkrnlpa.exe!FsRtlRemoveMcbEntry + 20 820CAE1B 72 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!FsRtlLookupMcbEntry + 3D 820CAE64 39 Bytes [3A, C3, 74, 1C, 8B, 4C, 24, ...]
.text ntkrnlpa.exe!FsRtlLookupMcbEntry + 65 820CAE8C 33 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlLookupLastMcbEntry + 18 820CAEAE 31 Bytes [84, C0, 74, 18, 8B, 4D, 0C, ...]
.text ntkrnlpa.exe!FsRtlLookupLastMcbEntry + 38 820CAECE 21 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInMcb + B 820CAEE4 39 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlGetNextMcbEntry + 1E 820CAF0C 99 Bytes [00, 84, C0, 74, 20, 8B, 4D, ...]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 9 820CAF70 11 Bytes [74, 0C, 8B, 45, 08, 83, 60, ...]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 17 820CAF7E 7 Bytes [53, 64, 8B, 1D, 24, 01, 00]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 1F 820CAF86 11 Bytes [56, 57, 8B, 7D, 08, 8B, 37, ...]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 2B 820CAF92 1 Byte [00]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 2B 820CAF92 79 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ...
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 18 820CB03E 5 Bytes [66, FF, 8F, 82, 00]
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 1E 820CB044 7 Bytes [00, 8B, C6, F0, 0F, BA, 30]
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 26 820CB04C 41 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 50 820CB076 1 Byte [00]
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 50 820CB076 9 Bytes CALL 8204D82B \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 7 820CB0FC 19 Bytes CALL 8204D7E8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 1B 820CB110 5 Bytes [00, 66, FF, 8F, 82]
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 21 820CB116 1 Byte [00]
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 21 820CB116 20 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 36 820CB12B 44 Bytes [FC, 00, FF, 75, 24, FF, 75, ...]
.text ...
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 1B 820CB1F6 5 Bytes [00, 66, FF, 8F, 82]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 21 820CB1FC 1 Byte [00]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 21 820CB1FC 51 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 55 820CB230 11 Bytes CALL 8204D829 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 61 820CB23C 69 Bytes [90, 90, 90, 90, 90, 8B, 5D, ...]
.text ...
.text ntkrnlpa.exe!FsRtlLookupLastBaseMcbEntryAndIndex + 19 820CB2C3 122 Bytes [8B, 41, 0C, 83, 7C, D0, FC, ...]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 7 820CB33E 19 Bytes CALL 8204D7E8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 1B 820CB352 5 Bytes [00, 66, FF, 8F, 82]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 21 820CB358 1 Byte [00]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 21 820CB358 22 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 38 820CB36F 30 Bytes [FF, 75, 14, FF, 75, 10, FF, ...]
.text ...
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + D 820CB418 11 Bytes [56, 57, 8B, 7D, 08, 8B, 37, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 19 820CB424 1 Byte [00]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 19 820CB424 27 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 35 820CB440 49 Bytes [33, C9, 41, 8B, C2, F0, 0F, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 67 820CB472 5 Bytes [00, 8D, 81, 82, 00]
.text ...
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + C 820CB4B6 13 Bytes [00, 56, 57, 8B, 7D, 08, 8B, ...]
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 1A 820CB4C4 7 Bytes [00, 8B, C6, F0, 0F, BA, 30]
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 22 820CB4CC 89 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 7C 820CB526 3 Bytes [8D, 81, 82]
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 80 820CB52A 1 Byte [00]
.text ...
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 21 820CB578 23 Bytes [00, 8B, 5D, 08, 8B, 46, 0C, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 39 820CB590 32 Bytes [00, 85, DB, 75, 04, 33, C9, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 5A 820CB5B1 38 Bytes [05, 21, 4D, 08, EB, 07, 8B, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 81 820CB5D8 181 Bytes [00, 85, DB, 75, 04, 33, D2, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 137 820CB68E 25 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 10 820CB6A8 11 Bytes [8B, 5D, 08, 8B, 33, 64, 8B, ...]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 1C 820CB6B4 5 Bytes [66, FF, 8F, 82, 00]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 22 820CB6BA 7 Bytes [00, 8B, C6, F0, 0F, BA, 30]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 2A 820CB6C2 13 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 38 820CB6D0 33 Bytes [FF, 75, 18, FF, 75, 14, FF, ...]
.text ...
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + 1F 820CB8D6 83 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + 73 820CB92A 3 Bytes [C6, 45, FF]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + 77 820CB92E 93 Bytes [74, 23, 0F, B6, 47, 25, 50, ...]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + D5 820CB98C 17 Bytes [8B, 0B, 89, 08, 75, 08, 3B, ...]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + E7 820CB99E 3 Bytes [80, 7D, FF]
.text ...
.text ntkrnlpa.exe!FsRtlAllocatePool + 15 820CBA18 6 Bytes [85, C0, 75, 0A, 68, 9A]
.text ntkrnlpa.exe!FsRtlAllocatePool + 1C 820CBA1F 59 Bytes CALL 8204F242 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuota + 27 820CBA5B 28 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithTag + 13 820CBA78 6 Bytes [85, C0, 75, 0A, 68, 9A]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithTag + 1A 820CBA7F 10 Bytes CALL 8204F242 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlAllocatePoolWithTag + 25 820CBA8A 116 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 6B 820CBAFF 12 Bytes [8B, D8, 89, 1E, 89, 5D, E0, ...]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 79 820CBB0D 4 Bytes [C7, 45, DC, 01] .text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 7F 820CBB13 8 Bytes [00, 8B, 73, 1C, 64, A1, 24, ...] {ADD [EBX-0x5e9be38d], CL; AND AL, 0x1} .text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 89 820CBB1D 26 Bytes [89, 45, E4, 8B, C6, F0, 0F, ...] .text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + A4 820CBB38 9 Bytes [F6, 43, 18, 11, 0F, 84, A2, ...] .text ... .text ntkrnlpa.exe!FsRtlOplockBreakToNone + 10 820CC055 16 Bytes [33, C0, EB, 26, 8B, 45, 0C, ...] .text ntkrnlpa.exe!FsRtlOplockBreakToNone + 21 820CC066 28 Bytes [74, 03, 33, D2, 42, FF, 75, ...] .text ntkrnlpa.exe!FsRtlOplockBreakToNone + 3E 820CC083 78 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!FsRtlOplockBreakToNone + 8E 820CC0D3 10 Bytes [00, 8B, CE, B2, 01, 1B, C0, ...] .text ntkrnlpa.exe!FsRtlOplockBreakToNone + 99 820CC0DE 40 Bytes JMP 7C25FF5B .text ... .text ntkrnlpa.exe!FsRtlCreateSectionForDataScan + 5C 820CC694 23 Bytes [00, 64, 8B, 0D, 24, 01, 00, ...] .text ntkrnlpa.exe!FsRtlCreateSectionForDataScan + 74 820CC6AC 217 Bytes [8B, D8, 3B, DF, 7D, 40, 64, ...] .text ntkrnlpa.exe!FsRtlCreateSectionForDataScan + 14E 820CC786 249 Bytes [64, 8B, 0D, 24, 01, 00, 00, ...] .text ntkrnlpa.exe!FsRtlInsertPerFileContext + 41 820CC880 5 Bytes [00, C0, E9, B0, 00] .text ntkrnlpa.exe!FsRtlInsertPerFileContext + 47 820CC886 13 Bytes [00, 8B, 55, 08, 8D, 46, 04, ...] .text ntkrnlpa.exe!FsRtlInsertPerFileContext + 55 820CC894 27 Bytes [8B, CE, 33, C0, F0, 0F, B1, ...] .text ntkrnlpa.exe!FsRtlInsertPerFileContext + 71 820CC8B0 5 Bytes [00, 66, FF, 88, 80] .text ntkrnlpa.exe!FsRtlInsertPerFileContext + 77 820CC8B6 1 Byte [00] .text ... .text ntkrnlpa.exe!FsRtlLookupPerFileContext + 12 820CC95A 1 Byte [00] .text ntkrnlpa.exe!FsRtlLookupPerFileContext + 12 820CC95A 11 Bytes [00, 00, 8D, 77, 04, 39, 36, ...] 
.text ntkrnlpa.exe!FsRtlLookupPerFileContext + 1E 820CC966 5 Bytes [00, 64, A1, 24, 01] .text ntkrnlpa.exe!FsRtlLookupPerFileContext + 24 820CC96C 153 Bytes [00, 66, FF, 88, 80, 00, 00, ...] .text ntkrnlpa.exe!FsRtlLookupPerFileContext + BE 820CCA06 5 Bytes [00, 8D, 81, 80, 00] .text ... .text ntkrnlpa.exe!FsRtlRemovePerFileContext + 1B 820CCA60 9 Bytes [00, 8D, 73, 04, 39, 36, 0F, ...] .text ntkrnlpa.exe!FsRtlRemovePerFileContext + 25 820CCA6A 1 Byte [00] .text ntkrnlpa.exe!FsRtlRemovePerFileContext + 25 820CCA6A 7 Bytes [00, 00, 64, A1, 24, 01, 00] .text ntkrnlpa.exe!FsRtlRemovePerFileContext + 2D 820CCA72 5 Bytes [66, FF, 88, 80, 00] .text ntkrnlpa.exe!FsRtlRemovePerFileContext + 33 820CCA78 7 Bytes [00, 8B, C3, F0, 0F, BA, 28] .text ... .text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 1 820CCB5E 77 Bytes [FF, 55, 8B, EC, 57, 8B, 7D, ...] .text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 4F 820CCBAC 10 Bytes [00, 82, 8A, D8, 8B, C6, F0, ...] .text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 5A 820CCBB7 18 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 6D 820CCBCA 71 Bytes [89, 46, 1C, 8B, 55, 10, 33, ...] .text ntkrnlpa.exe!FsRtlRemovePerStreamContext + B5 820CCC12 8 Bytes [74, 25, EB, F3, EB, 21, 8B, ...] {JZ 0x27; JMP 0xfffffffffffffff7; JMP 0x27; MOV ECX, EAX} .text ... .text ntkrnlpa.exe!FsRtlPostStackOverflow + 8 820CCD1D 63 Bytes [75, 10, FF, 75, 0C, FF, 75, ...] .text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + 25 820CCD5D 30 Bytes [55, 8B, EC, 53, 68, 46, 53, ...] .text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + 45 820CCD7D 24 Bytes CALL 8204F243 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + 5E 820CCD96 82 Bytes [8B, 4D, 08, 89, 48, 14, 8B, ...] .text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + B2 820CCDEA 39 Bytes [57, 33, FF, 47, 89, B8, 34, ...] 
.text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + DA 820CCE12 6 Bytes [0C, 39, 3D, 44, C1, 13] .text ... .text ntkrnlpa.exe!PsWrapApcWow64Thread + 59 820CD20C 27 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ntkrnlpa.exe!HvlQueryConnection + 12 820CD229 6 Bytes [C0, EB, 07, 8B, 4D, 08] {SHR BL, 0x7; MOV ECX, [EBP+0x8]} .text ntkrnlpa.exe!HvlQueryConnection + 19 820CD230 6 Bytes [01, 33, C0, 5D, C2, 04] {ADD [EBX], ESI; RCR BYTE [EBP-0x3e], 0x4} .text ntkrnlpa.exe!HvlQueryConnection + 20 820CD237 55 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!HvlQueryConnection + 58 820CD26F 12 Bytes [00, 40, C7, 45, D4, 03, 00, ...] {ADD [EAX-0x39], AL; INC EBP; AAM 0x3; ADD [EAX], AL; INC EAX; JZ 0x54; DEC EAX} .text ntkrnlpa.exe!HvlQueryConnection + 65 820CD27C 2 Bytes [85, D5] {TEST EBP, EDX} .text ... .text ntkrnlpa.exe!InbvIsBootDriverInstalled + D 820CD814 13 Bytes [CC, CC, 90, 90, 90, 90, 90, ...] .text ntkrnlpa.exe!InbvResetDisplay + 7 820CD822 8 Bytes [74, 13, 83, 3D, 90, 6E, 10, ...] .text ntkrnlpa.exe!InbvResetDisplay + 11 820CD82C 197 Bytes CALL 820F168A \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!InbvSetTextColor + 34 820CD8F2 11 Bytes [C9, C2, 04, 00, CC, CC, CC, ...] {LEAVE ; RET 0x4; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP } .text ntkrnlpa.exe!InbvSetTextColor + 40 820CD8FE 33 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...] .text ntkrnlpa.exe!InbvInstallDisplayStringFilter + 1F 820CD920 13 Bytes [90, C7, 05, FC, C0, 13, 82, ...] .text ntkrnlpa.exe!InbvInstallDisplayStringFilter + 2D 820CD92E 287 Bytes [C1, 13, 82, 1A, 01, 00, 00, ...] .text ntkrnlpa.exe!IoAllocateController + 37 820CDA4E 8 Bytes [75, 08, FF, 75, 08, E8, 27, ...] .text ntkrnlpa.exe!IoAllocateController + 41 820CDA58 34 Bytes [5F, 5E, 5B, 5D, C2, 10, 00, ...] 
.text ntkrnlpa.exe!IoAllocateController + 64 820CDA7B 69 Bytes CALL 82015053 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!IoFreeErrorLogEntry + 2F 820CDAC1 1 Byte [F0] .text ntkrnlpa.exe!IoFreeErrorLogEntry + 2F 820CDAC1 5 Bytes [F0, 0F, C1, 01, 6A] .text ntkrnlpa.exe!IoFreeErrorLogEntry + 35 820CDAC7 5 Bytes [56, E8, 38, 65, 02] .text ntkrnlpa.exe!IoFreeErrorLogEntry + 3B 820CDACD 25 Bytes [5E, 5D, C2, 04, 00, 90, 90, ...] .text ntkrnlpa.exe!IoFreeErrorLogEntry + 56 820CDAE8 6 Bytes [CC, CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ... .text ntkrnlpa.exe!IoAttachDeviceByPointer 820CDAFB 349 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...] .text ntkrnlpa.exe!IoRaiseHardError + 1A 820CDC59 15 Bytes [00, F6, C2, 20, 74, 19, F6, ...] .text ntkrnlpa.exe!IoRaiseHardError + 2A 820CDC69 61 Bytes [B2, 01, 8B, CF, FF, 15, 7C, ...] .text ntkrnlpa.exe!IoRaiseHardError + 68 820CDCA7 7 Bytes [D8, 85, DB, 74, BD, 57, 6A] .text ntkrnlpa.exe!IoRaiseHardError + 70 820CDCAF 4 Bytes [68, AE, 23, 27] .text ntkrnlpa.exe!IoRaiseHardError + 75 820CDCB4 101 Bytes [68, 74, 1B, 27, 82, 68, FB, ...] .text ... .text ntkrnlpa.exe!IoRaiseInformationalHardError + 16 820CDE21 5 Bytes [00, EB, 0C, 64, A1] .text ntkrnlpa.exe!IoRaiseInformationalHardError + 1C 820CDE27 101 Bytes [01, 00, 00, 8B, 80, 60, 02, ...] .text ntkrnlpa.exe!IoRaiseInformationalHardError + 82 820CDE8D 29 Bytes [45, 08, 89, 43, 08, 74, 4C, ...] .text ntkrnlpa.exe!IoRaiseInformationalHardError + A0 820CDEAB 24 Bytes [3B, C6, 75, 10, 56, 53, E8, ...] .text ntkrnlpa.exe!IoRaiseInformationalHardError + B9 820CDEC4 16 Bytes [4B, 0C, 66, 8B, 0F, 66, 89, ...] {DEC EBX; OR AL, 0x66; MOV ECX, [EDI]; MOV [EBX+0xe], CX; MOV [EBX+0x10], EAX; MOVZX ECX, [EDI]; PUSH ECX} .text ... 
.text ntkrnlpa.exe!IoSetDeviceToVerify + 62 820CE0AE 2 Bytes CALL 820D726A \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!IoSetDeviceToVerify + 66 820CE0B2 41 Bytes [3B, C3, 74, 30, 39, 5D, 08, ...] .text ntkrnlpa.exe!IoSetDeviceToVerify + 91 820CE0DD 56 Bytes [08, 57, 56, FF, 50, 30, 5F, ...] .text ntkrnlpa.exe!IoStartNextPacketByKey + 1 820CE116 11 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...] .text ntkrnlpa.exe!IoStartNextPacketByKey + D 820CE122 7 Bytes [00, 00, 66, F7, 40, 24, 00] .text ntkrnlpa.exe!IoStartNextPacketByKey + 15 820CE12A 86 Bytes [74, 1A, 8A, 45, 0C, 8B, 4D, ...] .text ntkrnlpa.exe!IoStopTimer + 13 820CE181 6 Bytes [CF, FF, 15, 84, 81, 00] .text ntkrnlpa.exe!IoStopTimer + 1A 820CE188 17 Bytes [66, 83, 7E, 02, 00, 74, 0B, ...] .text ntkrnlpa.exe!IoStopTimer + 2C 820CE19A 252 Bytes [8A, D0, 8B, CF, FF, 15, 80, ...] .text ntkrnlpa.exe!IoIsFileOriginRemote + 14 820CE297 176 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!IoSetIoPriorityHintIntoFileObject + 11 820CE348 89 Bytes [00, C0, EB, 17, 8D, 45, 0C, ...] .text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + 30 820CE3A2 20 Bytes [F0, 0B, CF, 8B, DA, F0, 0F, ...] .text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + 45 820CE3B7 93 Bytes [00, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + A3 820CE415 42 Bytes [3F, 8B, CF, EB, 0A, 8B, 55, ...] .text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + CE 820CE440 10 Bytes [5B, 5F, 5E, C9, C2, 10, 00, ...] .text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + D9 820CE44B 7 Bytes [74, 1A, 8B, 4D, 10, 83, 21] .text ... .text ntkrnlpa.exe!IoAllocateSfioStreamIdentifier + 10 820CE4CD 169 Bytes [C0, EB, 30, 83, 7D, 0C, 00, ...] .text ntkrnlpa.exe!IoFreeSfioStreamIdentifier + 30 820CE577 82 Bytes [06, EB, 0A, 8B, 48, 0C, 3B, ...] 
.text ntkrnlpa.exe!IoClearIrpExtraCreateParameter + B 820CE5CA 6 Bytes [80, 74, 04, 83, 60, 3C] .text ntkrnlpa.exe!IoClearIrpExtraCreateParameter + 12 820CE5D1 62 Bytes [5D, C2, 04, 00, 90, 90, 90, ...] .text ntkrnlpa.exe!IoClearIrpExtraCreateParameter + 51 820CE610 206 Bytes [F0, 74, 04, 32, C0, EB, 02, ...] .text ntkrnlpa.exe!IoCallDriverStackSafe + A7 820CE6DF 20 Bytes [25, 48, 81, 00, 82, 83, 61, ...] .text ntkrnlpa.exe!IoCallDriverStackSafe + BD 820CE6F5 21 Bytes [76, 04, 89, 36, 8A, 41, 23, ...] .text ntkrnlpa.exe!IoCallDriverStackSafe + D3 820CE70B 1 Byte [70] .text ntkrnlpa.exe!IoCallDriverStackSafe + D3 820CE70B 25 Bytes [70, 14, EB, 02, 33, F6, 6A, ...] .text ntkrnlpa.exe!IoCallDriverStackSafe + ED 820CE725 6 Bytes [19, 6A, 30, 56, E8, EA] .text ... .text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 1F 820CF3C6 54 Bytes [C0, EB, 30, 39, 4D, 0C, 74, ...] .text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 56 820CF3FD 53 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 8C 820CF433 1 Byte [B7] .text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 8C 820CF433 22 Bytes [B7, 4E, 2C, 8B, 46, 30, E8, ...] .text ntkrnlpa.exe!KeInitializeCrashDumpHeader + A3 820CF44A 5 Bytes [36, 8D, 5C, 03, 09] .text ... .text ntkrnlpa.exe!KeCapturePersistentThreadState + 16 820D01DC 11 Bytes [00, 83, 7D, 0C, 00, 75, 09, ...] .text ntkrnlpa.exe!KeCapturePersistentThreadState + 22 820D01E8 7 Bytes [00, 89, 45, 0C, 56, 57, BF] .text ntkrnlpa.exe!KeCapturePersistentThreadState + 2A 820D01F0 156 Bytes [00, 02, 00, 57, 6A, 00, 53, ...] .text ntkrnlpa.exe!KeCapturePersistentThreadState + C8 820D028E 16 Bytes CALL 0A0E2698 .text ntkrnlpa.exe!KeCapturePersistentThreadState + D9 820D029F 4 Bytes [89, 83, E0, 07] .text ... .text ntkrnlpa.exe!IoReleaseRemoveLockAndWaitEx + 2 820D15DA 154 Bytes [55, 8B, EC, 53, 8B, 5D, 08, ...] .text ntkrnlpa.exe!IoRequestDeviceEjectEx + 1D 820D1675 30 Bytes [40, 14, 3B, C3, 0F, 84, A6, ...] 
.text ntkrnlpa.exe!IoRequestDeviceEjectEx + 3C 820D1694 103 Bytes [68, B4, 05, 00, 00, 53, E8, ...] .text ntkrnlpa.exe!IoRequestDeviceEjectEx + A4 820D16FC 44 Bytes [10, 6A, 01, 50, 89, 7E, 08, ...] .text ntkrnlpa.exe!IoRequestDeviceEjectEx + D1 820D1729 24 Bytes CALL 8200A956 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!IoRequestDeviceEjectEx + EA 820D1742 130 Bytes [47, 08, 83, C0, 1C, 66, 39, ...] .text ... .text ntkrnlpa.exe!IoRequestDeviceEject + AF 820D18E0 65 Bytes [85, F6, 76, 13, 66, F7, 45, ...] .text ntkrnlpa.exe!IoRequestDeviceEject + F1 820D1922 30 Bytes [8B, 70, 14, EB, 02, 33, F6, ...] .text ntkrnlpa.exe!IoRequestDeviceEject + 110 820D1941 93 Bytes [A9, 00, 20, 74, 25, 8D, 96, ...] .text ntkrnlpa.exe!IoTranslateBusAddress + 4 820D199F 23 Bytes [EC, 83, E4, F8, 83, EC, 34, ...] .text ntkrnlpa.exe!IoTranslateBusAddress + 1C 820D19B7 88 Bytes [45, 1C, 89, 08, 8B, 4D, 14, ...] .text ntkrnlpa.exe!IoTranslateBusAddress + 75 820D1A10 23 Bytes CALL 821B5D78 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!IoTranslateBusAddress + 8D 820D1A28 52 Bytes [00, 8A, 4C, 24, 20, 8D, 44, ...] .text ntkrnlpa.exe!IoTranslateBusAddress + C2 820D1A5D 59 Bytes [74, 24, 18, EB, 0B, 8B, 44, ...] .text ... .text ntkrnlpa.exe!ZwReplacePartitionUnit + 8B 820D3462 40 Bytes [C5, 7F, 1E, 00, CC, 8D, 4A, ...] .text ntkrnlpa.exe!ZwReplacePartitionUnit + B4 820D348B 2 Bytes [F0, 77] .text ntkrnlpa.exe!ZwReplacePartitionUnit + B7 820D348E 19 Bytes [3B, F1, 73, 03, C6, 00, 00, ...] .text ntkrnlpa.exe!ZwReplacePartitionUnit + CB 820D34A2 13 Bytes [89, 45, CC, 8B, 49, 04, 89, ...] .text ntkrnlpa.exe!ZwReplacePartitionUnit + D9 820D34B0 8 Bytes [FF, FF, 66, 3B, C7, 0F, 84, ...] .text ... .text ntkrnlpa.exe!KdChangeOption + 38 820D3750 19 Bytes [80, 74, 07, B8, 22, 00, 00, ...] .text ntkrnlpa.exe!KdChangeOption + 4C 820D3764 15 Bytes [33, C0, 8B, 4D, 1C, 3B, CA, ...] 
.text ntkrnlpa.exe!KdChangeOption + 5C 820D3774 43 Bytes [00, C0, 5D, C2, 18, 00, 90, ...] .text ntkrnlpa.exe!KdChangeOption + 88 820D37A0 3 Bytes JMP 820D3857 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KdChangeOption + 8C 820D37A4 7 Bytes [00, 00, 38, 1D, 84, 93, 13] .text ... .text ntkrnlpa.exe!KdDisableDebugger + 49 820D38C8 2 Bytes [00, 38] {ADD [EAX], BH} .text ntkrnlpa.exe!KdDisableDebugger + 4C 820D38CB 32 Bytes [08, BE, 80, F3, 13, 82, 74, ...] .text ntkrnlpa.exe!KdDisableDebugger + 6D 820D38EC 23 Bytes [75, 26, 38, 5D, 08, 74, 18, ...] .text ntkrnlpa.exe!KdDisableDebugger + 85 820D3904 3 Bytes [B8, 0D, 00] .text ntkrnlpa.exe!KdDisableDebugger + 89 820D3908 35 Bytes [C0, EB, 4A, 53, 53, E8, D3, ...] .text ... .text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 11 820D3990 47 Bytes [74, 04, B0, 01, EB, 3A, B8, ...] .text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 41 820D39C0 55 Bytes [FF, 75, FC, 8A, 1D, 89, 93, ...] .text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 79 820D39F8 15 Bytes [00, 89, 45, FC, 76, 07, 66, ...] .text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 89 820D3A08 79 Bytes [66, 89, 45, F8, 38, 0D, 89, ...] .text ntkrnlpa.exe!KdPowerTransition + 1B 820D3A58 247 Bytes [EB, 0C, BE, EF, 00, 00, C0, ...] .text ntkrnlpa.exe!KdPowerTransition + 113 820D3B50 107 Bytes [EB, 09, FF, 75, 14, 56, E8, ...] .text ntkrnlpa.exe!KdPowerTransition + 17F 820D3BBC 71 Bytes [75, 15, 33, F6, A2, E8, 2F, ...] .text ntkrnlpa.exe!KdPowerTransition + 1C7 820D3C04 19 Bytes CALL 822E523D \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KdPowerTransition + 1DB 820D3C18 7 Bytes [73, 69, 3B, 05, 98, 26, 32] .text ... .text ntkrnlpa.exe!KeQueryRuntimeThread + 1 820D4134 11 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] .text ntkrnlpa.exe!KeQueryRuntimeThread + E 820D4141 97 Bytes [8B, 55, 0C, 89, 0A, 8B, 80, ...] 
.text ntkrnlpa.exe!KeQueryRuntimeThread + 70 820D41A3 134 Bytes [00, 83, 7D, 08, 00, 74, 07, ...] .text ntkrnlpa.exe!KeQueryRuntimeThread + F7 820D422A 133 Bytes [FE, FF, FF, 8D, 55, E4, E8, ...] .text ntkrnlpa.exe!KeQueryRuntimeThread + 17E 820D42B1 6 Bytes [75, 16, 8D, 41, 38, 39] .text ... .text ntkrnlpa.exe!KeIsAttachedProcess + 25 820D441C 25 Bytes [90, 8B, FF, 55, 8B, EC, 51, ...] .text ntkrnlpa.exe!KeIsAttachedProcess + 3F 820D4436 134 Bytes [FF, 56, 04, 08, 45, FC, 8B, ...] .text ntkrnlpa.exe!KeDeregisterNmiCallback + 2 820D44BD 12 Bytes [55, 8B, EC, 51, 51, 83, 65, ...] .text ntkrnlpa.exe!KeDeregisterNmiCallback + F 820D44CA 62 Bytes [53, 56, 57, BF, DC, 92, 13, ...] .text ntkrnlpa.exe!KeDeregisterNmiCallback + 4E 820D4509 33 Bytes [CF, FF, 15, 80, 81, 00, 82, ...] .text ntkrnlpa.exe!KeDeregisterNmiCallback + 70 820D452B 80 Bytes CALL 82032E1F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeDeregisterNmiCallback + C1 820D457C 104 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ... .text ntkrnlpa.exe!KeBugCheckEx + A 820D4B79 121 Bytes [FF, 75, 18, FF, 75, 14, FF, ...] .text ntkrnlpa.exe!KeBugCheckEx + 84 820D4BF3 5 Bytes [45, DC, 2B, F2, 89] .text ntkrnlpa.exe!KeBugCheckEx + 8A 820D4BF9 79 Bytes [E0, 39, 5D, E0, 74, 0D, 0F, ...] .text ntkrnlpa.exe!KeBugCheckEx + DA 820D4C49 4 Bytes [68, 00, 5E, 05] .text ntkrnlpa.exe!KeBugCheckEx + DF 820D4C4E 62 Bytes CALL 8200DBA3 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ... .text ntkrnlpa.exe!KeDeregisterBugCheckCallback + 16 820D5C03 118 Bytes CALL 820AD9DC \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeDeregisterBugCheckCallback + 8E 820D5C7B 22 Bytes [00, 89, 45, E4, 89, 5D, E0, ...] 
.text ntkrnlpa.exe!KeDeregisterBugCheckCallback + A5 820D5C92 4 Bytes CALL 82085598 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeDeregisterBugCheckCallback + AB 820D5C98 169 Bytes [74, 64, 46, 47, 83, FF, 20, ...] .text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + 34 820D5D42 82 Bytes [89, 41, 04, FE, C3, 8B, CE, ...] .text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + 87 820D5D95 26 Bytes [82, 00, 0F, 84, CB, 00, 00, ...] .text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + A2 820D5DB0 23 Bytes [C6, 45, E7, 00, F6, C3, 03, ...] .text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + BB 820D5DC9 81 Bytes [81, C6, 1B, 10, 00, 00, C1, ...] .text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + 10D 820D5E1B 170 Bytes [E7, 01, 8B, 45, E0, 89, 45, ...] .text ... .text ntkrnlpa.exe!KeAcquireSpinLockForDpc + 6 820D637C 47 Bytes [8A, 80, 1B, 1A, 00, 00, 84, ...] .text ntkrnlpa.exe!KeReleaseSpinLockForDpc + 5 820D63AC 87 Bytes [00, 8A, 80, 1B, 1A, 00, 00, ...] .text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + C 820D6405 1 Byte [84] .text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + C 820D6405 48 Bytes JMP 25FFFFFD .text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + 3D 820D6436 111 Bytes [90, 90, 90, 90, 8B, FF, 0F, ...] .text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + AD 820D64A6 33 Bytes [47, 68, 89, 45, D8, FF, 15, ...] .text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + CF 820D64C8 9 Bytes [8D, 4D, D8, 8B, C7, E8, 83, ...] .text ... .text ntkrnlpa.exe!Ke386SetIoAccessMap + 9D 820D68C1 13 Bytes [5F, 5E, 5D, C2, 10, 00, 90, ...] {POP EDI; POP ESI; POP EBP; RET 0x10; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ntkrnlpa.exe!Ke386SetIoAccessMap + AB 820D68CF 30 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] .text ntkrnlpa.exe!Ke386QueryIoAccessMap + 1B 820D68EE 39 Bytes [68, FF, 00, 00, 00, FF, 75, ...] 
.text ntkrnlpa.exe!Ke386QueryIoAccessMap + 43 820D6916 95 Bytes [00, 8B, 40, 40, 68, 00, 20, ...] .text ntkrnlpa.exe!Ke386IoSetAccessProcess + 2A 820D6976 52 Bytes [0F, B7, C0, 8B, 4D, 08, 66, ...] .text ntkrnlpa.exe!Ke386IoSetAccessProcess + 60 820D69AC 58 Bytes [8B, 48, 20, 8B, 49, 04, 8B, ...] .text ntkrnlpa.exe!Ke386IoSetAccessProcess + 9B 820D69E7 89 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ntkrnlpa.exe!Ke386IoSetAccessProcess + F5 820D6A41 195 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!KeReadStateTimer + B8 820D6B06 34 Bytes [72, 99, 64, 8B, 0D, 20, 00, ...] .text ntkrnlpa.exe!KeReadStateTimer + DB 820D6B29 6 Bytes [6A, 00, 68, C7, 00, 00] .text ntkrnlpa.exe!KeReadStateTimer + E2 820D6B30 8 Bytes CALL 820D4B6F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeReadStateTimer + EB 820D6B39 226 Bytes [6A, 01, EB, EE, 57, 56, 50, ...] .text ntkrnlpa.exe!KeReadStateTimer + 1CE 820D6C1C 6 Bytes [CC, CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ... .text ntkrnlpa.exe!KeFlushEntireTb + 4D 820D6C74 159 Bytes CALL 820CD6FD \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 2 820D6D14 1 Byte [55] .text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 2 820D6D14 5 Bytes [55, 8B, EC, 8B, 45] .text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 8 820D6D1A 10 Bytes [83, C9, FF, F0, 0F, C1, 08, ...] .text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 13 820D6D25 85 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!KeI386GetLid + 4 820D6D7B 104 Bytes [EC, 83, EC, 10, 33, C0, 40, ...] 
.text ntkrnlpa.exe!KeI386GetLid + 6D 820D6DE4 68 Bytes CALL 8204D240 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeI386GetLid + B2 820D6E29 131 Bytes CALL 820D6D36 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeI386GetLid + 136 820D6EAD 63 Bytes [0A, 66, 85, D2, 74, 05, BB, ...] .text ntkrnlpa.exe!KeI386ReleaseLid + 12 820D6EED 156 Bytes [C0, EB, 47, 56, 57, BF, CC, ...] .text ntkrnlpa.exe!KeI386AbiosCall + 43 820D6F8A 56 Bytes [07, B8, 12, 01, 00, C0, EB, ...] .text ntkrnlpa.exe!KeI386AbiosCall + 7C 820D6FC3 45 Bytes CALL 8204BFE1 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeI386AllocateGdtSelectors + 12 820D6FF1 87 Bytes [56, BE, D0, 5D, 13, 82, 8B, ...] .text ntkrnlpa.exe!KeI386AllocateGdtSelectors + 6A 820D7049 16 Bytes [C0, 5F, 5D, C2, 08, 00, 90, ...] {RCR BYTE [EDI+0x5d], 0xc2; OR [EAX], AL; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP } .text ntkrnlpa.exe!KeI386ReleaseGdtSelectors 820D705B 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP} .text ntkrnlpa.exe!KeI386ReleaseGdtSelectors + 4 820D705F 17 Bytes [EC, 51, 53, 57, BF, D0, 5D, ...] {IN AL, DX ; PUSH ECX; PUSH EBX; PUSH EDI; MOV EDI, 0x82135dd0; MOV ECX, EDI; CALL [0x82008184]} .text ntkrnlpa.exe!KeI386ReleaseGdtSelectors + 16 820D7071 69 Bytes [5D, 0C, 66, 01, 1D, 10, 72, ...] .text ntkrnlpa.exe!KeI386ReleaseGdtSelectors + 5C 820D70B7 56 Bytes [5F, 33, C0, 5B, C9, C2, 08, ...] .text ntkrnlpa.exe!KeI386FlatToGdtSelector + 25 820D70F0 4 Bytes JMP 820D717B \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeI386FlatToGdtSelector + 2B 820D70F6 40 Bytes [53, 56, 57, BF, D0, 5D, 13, ...] .text ntkrnlpa.exe!KeI386FlatToGdtSelector + 54 820D711F 52 Bytes [66, 89, 59, 02, C1, EB, 10, ...] .text ntkrnlpa.exe!KeI386FlatToGdtSelector + 89 820D7154 43 Bytes [04, 85, E0, 5D, 13, 82, FF, ...] 
.text ntkrnlpa.exe!KeI386FlatToGdtSelector + B5 820D7180 215 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!KeInsertByKeyDeviceQueue + 9F 820D7258 61 Bytes [CC, CC, CC, CC, CC, 90, CC, ...] .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueue + 2D 820D7296 18 Bytes CALL 820ADB40 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueue + 40 820D72A9 75 Bytes [50, 04, 8B, 4D, 0C, 39, 4A, ...] .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueue + 8C 820D72F5 26 Bytes [00, CC, CC, CC, CC, CC, 90, ...] .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 10 820D7310 5 Bytes [00, 83, EC, 0C, 56] .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 16 820D7316 38 Bytes [75, 08, 57, 33, FF, 84, C0, ...] .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 3D 820D733D 23 Bytes [75, 06, C6, 46, 10, 00, EB, ...] .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 55 820D7355 20 Bytes [3B, C8, 75, F0, 3B, C8, 74, ...] .text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 6A 820D736A 128 Bytes [10, 8B, 0A, 89, 08, 89, 41, ...] .text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 40 820D73EB 72 Bytes [00, CC, CC, CC, CC, CC, 90, ...] .text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 89 820D7434 99 Bytes [75, 10, 0F, B6, C3, 8B, 34, ...] .text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + ED 820D7498 58 Bytes JMP 82055888 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 128 820D74D3 17 Bytes [88, 0C, 02, 00, 00, 89, 0E, ...] .text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 13A 820D74E5 3 Bytes [0D, 20, 00] .text ... .text ntkrnlpa.exe!KeRundownQueue + 15 820D755D 104 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!KeRaiseUserException + 13 820D75C6 24 Bytes [B0, 20, 01, 00, 00, 85, F6, ...] .text ntkrnlpa.exe!KeRaiseUserException + 2C 820D75DF 115 Bytes [8B, 5D, 08, 89, 98, A4, 01, ...] 
.text ntkrnlpa.exe!KeRaiseUserException + A0 820D7653 226 Bytes [90, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!KeRaiseUserException + 183 820D7736 92 Bytes CALL 820D7D7C \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!KeRaiseUserException + 1E0 820D7793 6 Bytes [0F, 8B, C1, 83, E0, FB] {JNP 0xfffffffffbe083c7} .text ... .text ntkrnlpa.exe!KeSaveStateForHibernate + 4A 820D78E1 46 Bytes [DD, 40, C6, 00, 31, 40, C6, ...] .text ntkrnlpa.exe!KeSaveStateForHibernate + 79 820D7910 90 Bytes [FF, 55, 8B, EC, 51, 8A, 45, ...] .text ntkrnlpa.exe!KeSaveStateForHibernate + D4 820D796B 173 Bytes [F4, 13, 82, 75, 1B, 39, 3D, ...] .text ntkrnlpa.exe!KeSaveStateForHibernate + 182 820D7A19 24 Bytes [89, 86, BC, 1A, 00, 00, 33, ...] .text ntkrnlpa.exe!KeSaveStateForHibernate + 19B 820D7A32 11 Bytes [00, 00, C6, 86, C4, 05, 00, ...] {ADD [EAX], AL; MOV BYTE [ESI+0x5c4], 0x1; JZ 0x82} .text ... .text ntkrnlpa.exe!ZwGetWriteWatch + 5 820D8D31 16 Bytes [68, C8, D9, 05, 82, E8, AD, ...] .text ntkrnlpa.exe!ZwGetWriteWatch + 16 820D8D42 4 Bytes [C7, 85, 04, FF] .text ntkrnlpa.exe!ZwGetWriteWatch + 1B 820D8D47 21 Bytes [FF, 21, 00, 00, 00, 6A, FE, ...] .text ntkrnlpa.exe!ZwGetWriteWatch + 31 820D8D5D 25 Bytes [00, 64, A1, 24, 01, 00, 00, ...] .text ntkrnlpa.exe!ZwGetWriteWatch + 4B 820D8D77 47 Bytes [8B, 75, 10, 84, C0, 0F, 84, ...] .text ... .text ntkrnlpa.exe!ZwResetWriteWatch + E 820D94A5 77 Bytes CALL E69116BD .text ntkrnlpa.exe!ZwResetWriteWatch + 5C 820D94F3 71 Bytes [00, 8B, 47, 48, 89, 7C, 24, ...] .text ntkrnlpa.exe!ZwResetWriteWatch + A4 820D953B 36 Bytes [00, 83, 64, 24, 24, 00, 8D, ...] .text ntkrnlpa.exe!ZwResetWriteWatch + C9 820D9560 56 Bytes [19, 8D, 84, 24, D8, 00, 00, ...] .text ntkrnlpa.exe!ZwResetWriteWatch + 102 820D9599 10 Bytes [40, 23, D1, 23, D9, 2B, D0, ...] .text ... .text ntkrnlpa.exe!ObDereferenceObject + 2 820DE540 25 Bytes [55, 8B, EC, 8B, 4D, 08, E8, ...] 
.text ntkrnlpa.exe!ObIsKernelHandle + 1 820DE55A 21 Bytes [FF, 55, 8B, EC, 8B, 4D, 08, ...] .text ntkrnlpa.exe!ObIsKernelHandle + 17 820DE570 7 Bytes [74, 0A, 83, 7D, 08, FF, 74] .text ntkrnlpa.exe!ObIsKernelHandle + 1F 820DE578 125 Bytes [B0, 01, EB, 02, 32, C0, 5D, ...] .text ntkrnlpa.exe!ObIsKernelHandle + 9D 820DE5F6 28 Bytes CALL 8204D7E8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!ObIsKernelHandle + BB 820DE614 78 Bytes [00, 8D, 45, E0, 50, 6A, 54, ...] .text ... .text ntkrnlpa.exe!PoRegisterDeviceNotify + 21 820DF316 2 Bytes [8A, 00] {MOV AL, [EAX]} .text ntkrnlpa.exe!PoRegisterDeviceNotify + 25 820DF31A 88 Bytes [39, 45, 18, 0F, 84, 81, 00, ...] .text ntkrnlpa.exe!PoRegisterDeviceNotify + 7E 820DF373 37 Bytes [75, 17, 6A, 00, 56, 53, E8, ...] .text ntkrnlpa.exe!PoRegisterDeviceNotify + A4 820DF399 22 Bytes CALL 820DF46F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!PoRegisterDeviceNotify + BB 820DF3B0 81 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntkrnlpa.exe!PoCancelDeviceNotify + 48 820DF402 1 Byte [71] .text ntkrnlpa.exe!PoCancelDeviceNotify + 4B 820DF405 1 Byte [16] .text ntkrnlpa.exe!PoCancelDeviceNotify + 4B 820DF405 3 Bytes [16, 89, 72] .text ntkrnlpa.exe!PoCancelDeviceNotify + 4F 820DF409 6 Bytes [83, 48, 04, FF, 33, D2] {OR DWORD [EAX+0x4], -0x1; XOR EDX, EDX} .text ntkrnlpa.exe!PoCancelDeviceNotify + 57 820DF411 4 Bytes [4E, 4F, 4E, 4F] {DEC ESI; DEC EDI; DEC ESI; DEC EDI} .text ... .text ntkrnlpa.exe!PoSetDeviceBusyEx + C7 820DFBD9 46 Bytes [74, 17, BA, 00, 01, 00, 00, ...] .text ntkrnlpa.exe!PoSetDeviceBusyEx + F6 820DFC08 141 Bytes [81, C1, 18, 04, 00, 00, E8, ...] .text ntkrnlpa.exe!PoSetDeviceBusyEx + 184 820DFC96 1 Byte [55] .text ntkrnlpa.exe!PoSetDeviceBusyEx + 184 820DFC96 98 Bytes [55, 8B, EC, 83, E4, F8, 83, ...] .text ntkrnlpa.exe!PoSetDeviceBusyEx + 1E7 820DFCF9 123 Bytes CALL F7900E51 .text ... 
.text ntkrnlpa.exe!PsChargeProcessCpuCycles + 2 820E2AA1 1 Byte [55] .text ntkrnlpa.exe!PsChargeProcessCpuCycles + 2 820E2AA1 68 Bytes [55, 8B, EC, 83, E4, F8, 8B, ...] .text ntkrnlpa.exe!PsChargeProcessCpuCycles + 47 820E2AE6 12 Bytes [0F, B1, 13, 3B, C1, 74, 05, ...] {CMPXCHG [EBX], EDX; CMP EAX, ECX; JZ 0xc; CALL 0xfffffffffff4d1ff} .text ntkrnlpa.exe!PsChargeProcessCpuCycles + 54 820E2AF3 1 Byte [07] .text ntkrnlpa.exe!PsChargeProcessCpuCycles + 54 820E2AF3 12 Bytes [07, 8B, 57, 04, 8B, 4F, 08, ...] {POP ES; MOV EDX, [EDI+0x4]; MOV ECX, [EDI+0x8]; MOV ESI, [EDI+0xc]; MOV EBX, EAX} .text ... .text ntkrnlpa.exe!PsGetJobSessionId + C 820E2C3C 55 Bytes [00, 00, 5D, C2, 04, 00, CC, ...] .text ntkrnlpa.exe!PsGetProcessExitStatus + B 820E2C74 84 Bytes [02, 00, 00, 5D, C2, 04, 00, ...] .text ntkrnlpa.exe!PsGetProcessPriorityClass + E 820E2CC9 13 Bytes [5D, C2, 04, 00, 90, 90, 90, ...] {POP EBP; RET 0x4; NOP ; NOP ; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 } .text ntkrnlpa.exe!PsGetProcessPriorityClass + 1D 820E2CD8 260 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ntkrnlpa.exe!PsSetProcessPriorityClass + 72 820E2DDD 20 Bytes [47, 48, 8B, B0, 1C, 01, 00, ...] .text ntkrnlpa.exe!PsSetProcessPriorityClass + 87 820E2DF2 39 Bytes [1E, FF, 15, 60, 81, 00, 82, ...] .text ntkrnlpa.exe!PsSetProcessPriorityClass + AF 820E2E1A 39 Bytes [00, EB, 04, 8B, 7C, 24, 14, ...] .text ntkrnlpa.exe!PsSetProcessPriorityClass + D7 820E2E42 107 Bytes [00, 01, 00, 33, FB, 81, E7, ...] .text ntkrnlpa.exe!PsSetProcessPriorityClass + 143 820E2EAE 4 Bytes [8B, 8F, 10, 02] .text ... .text ntkrnlpa.exe!RtlTimeToSecondsSince1980 + 10 820E392D 313 Bytes [FF, 35, 38, 88, 0A, 82, FF, ...] .text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + F8 820E3A67 10 Bytes [00, C0, EB, 3C, 80, 7D, 08, ...] .text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 103 820E3A72 27 Bytes [8C, 00, 00, 00, 8B, 75, 0C, ...] .text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 11F 820E3A8E 11 Bytes [F7, D8, 1B, C0, 25, F3, FF, ...] 
.text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 12B 820E3A9A 6 Bytes [00, C0, EB, 09, 8B, 45] .text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 132 820E3AA1 32 Bytes [03, D7, 89, 10, 33, C0, 5E, ...] .text ... .text ntkrnlpa.exe!DbgPrompt + DF 820E3C8C 9 Bytes [0D, 64, E1, 0F, 82, 8D, 47, ...] .text ntkrnlpa.exe!DbgPrompt + E9 820E3C96 200 Bytes [60, E1, 0F, 82, 89, 48, 04, ...] .text ntkrnlpa.exe!DbgPrompt + 1B2 820E3D5F 68 Bytes [F0, 0F, C1, 08, 8D, 4F, 04, ...] .text ntkrnlpa.exe!DbgPrompt + 1F7 820E3DA4 10 Bytes [75, 11, F6, 05, 90, EB, 13, ...] .text ntkrnlpa.exe!DbgPrompt + 202 820E3DAF 69 Bytes CALL 820CD6FE \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ... .text ntkrnlpa.exe!RtlSizeHeap + 2 820E3F69 149 Bytes [55, 8B, EC, 8B, 4D, 10, 53, ...] .text ntkrnlpa.exe!RtlSizeHeap + 98 820E3FFF 39 Bytes [33, C8, EB, 3B, F6, C1, 40, ...] .text ntkrnlpa.exe!RtlSizeHeap + C0 820E4027 72 Bytes [85, 4E, 4C, 74, 03, 33, 4E, ...] .text ntkrnlpa.exe!RtlSizeHeap + 109 820E4070 187 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!RtlSizeHeap + 1C5 820E412C 6 Bytes CALL 820B4E28 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ... .text ntkrnlpa.exe!RtlTestBit + 23 820E434E 24 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text ntkrnlpa.exe!RtlTestBit + 3D 820E4368 112 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] .text ntkrnlpa.exe!RtlFindLongestRunClear + E 820E43D9 103 Bytes CALL 8201EDA8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!RtlFindLongestRunClear + 76 820E4441 6 Bytes [EC, 8B, 52, 04, 56, 57] {IN AL, DX ; MOV EDX, [EDX+0x4]; PUSH ESI; PUSH EDI} .text ntkrnlpa.exe!RtlFindLongestRunClear + 7D 820E4448 38 Bytes [7D, 08, 8B, CF, C1, E9, 05, ...] .text ntkrnlpa.exe!RtlFindLongestRunClear + A4 820E446F 245 Bytes [C8, D3, E2, 8B, CF, 4A, D3, ...] .text ntkrnlpa.exe!RtlAssert + 74 820E4565 78 Bytes [FF, 50, 68, 30, 71, 05, 82, ...] 
.text ntkrnlpa.exe!RtlAssert + C3 820E45B4 196 Bytes [FF, FF, 8D, 85, 30, FD, FF, ...] .text ntkrnlpa.exe!RtlFindClosestEncodableLength + 2F 820E4679 59 Bytes [00, 3B, D7, 77, 31, BB, 00, ...] .text ntkrnlpa.exe!RtlFindClosestEncodableLength + 6B 820E46B5 5 Bytes [D3, 77, 31, BF, 00] .text ntkrnlpa.exe!RtlFindClosestEncodableLength + 71 820E46BB 109 Bytes [FF, FF, 72, 04, 3B, F7, 77, ...] .text ntkrnlpa.exe!RtlFindClosestEncodableLength + DF 820E4729 54 Bytes [00, C0, 5F, 5B, 5E, 5D, C2, ...] .text ntkrnlpa.exe!RtlFindClosestEncodableLength + 117 820E4761 229 Bytes [00, 5E, C3, CC, CC, CC, CC, ...] .text ... .text ntkrnlpa.exe!RtlSubtreeSuccessor + 14 820E488E 45 Bytes [C1, 8B, 48, 04, 85, C9, 74, ...] .text ntkrnlpa.exe!RtlRealPredecessor + 9 820E48BC 12 Bytes [41, 04, 85, C0, 75, 06, EB, ...] .text ntkrnlpa.exe!RtlRealPredecessor + 16 820E48C9 19 Bytes [48, 08, 85, C9, 74, 1C, EB, ...] {DEC EAX; OR [EBP-0x14e38b37], AL; CMC ; JMP 0x22; MOV ECX, EAX; MOV EAX, [ECX]; CMP [EAX+0x4], ECX; JZ 0xa} .text ntkrnlpa.exe!RtlRealPredecessor + 2A 820E48DD 119 Bytes [D0, 8B, 42, 08, 2B, C1, F7, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTable + 2C 820E4955 74 Bytes [89, 07, 8B, C6, 83, C6, 18, ...] .text ntkrnlpa.exe!RtlGetElementGenericTable + 2 820E49A0 97 Bytes [55, 8B, EC, 8B, 4D, 08, 8B, ...] .text ntkrnlpa.exe!RtlGetElementGenericTable + 64 820E4A02 58 Bytes [74, 16, 4F, 8B, 00, 74, 11, ...] .text ntkrnlpa.exe!RtlNumberGenericTableElements + 4 820E4A3D 21 Bytes [EC, 8B, 45, 08, 8B, 40, 14, ...] .text ntkrnlpa.exe!RtlEnumerateGenericTableWithoutSplaying + 1 820E4A53 164 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] .text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 7 820E4AF8 1 Byte [5D] .text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 7 820E4AF8 74 Bytes [5D, 0C, 83, FB, FF, 56, 8B, ...] .text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 52 820E4B43 9 Bytes JMP 1472DA3B .text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 5C 820E4B4D 95 Bytes [D1, 74, 6A, 8B, C8, E8, FF, ...] 
.text ntkrnlpa.exe!RtlGetElementGenericTableAvl + BC 820E4BAD 23 Bytes [D2, 74, 0A, 8B, C8, E8, 9F, ...] .text ... .text ntkrnlpa.exe!RtlIsNtDdiVersionAvailable + 27 820E4C3E 113 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] .text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 68 820E4CB0 31 Bytes [00, C0, EB, 34, B8, 05, 00, ...] .text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 88 820E4CD0 3 Bytes [00, 85, C0] .text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 8C 820E4CD4 44 Bytes [4D, 08, 8D, 0C, 4E, 7D, 07, ...] .text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + B9 820E4D01 93 Bytes [8B, 5D, 0C, 56, 8B, F0, 57, ...] .text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 117 820E4D5F 82 Bytes [B7, C2, 05, 00, 28, 00, 00, ...] .text ... .text ntkrnlpa.exe!RtlIpv6AddressToStringExA + C8 820E4F81 54 Bytes [C0, 8B, 4D, FC, 5F, 5E, 33, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringA + 19 820E4FB8 34 Bytes [51, 50, 68, 90, 72, 05, 82, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringA + 3F 820E4FDE 85 Bytes [90, 8B, FF, 55, 8B, EC, 83, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 55 820E5034 24 Bytes CALL 8201BC0F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 6E 820E504D 319 Bytes [3E, B8, 0D, 00, 00, C0, 8B, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringW + 1 820E518D 120 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringExW + 39 820E5206 38 Bytes [83, 7D, 0C, 00, 8B, F0, 74, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringExW + 60 820E522D 45 Bytes [83, C4, 10, 8D, 34, 46, 8D, ...] .text ntkrnlpa.exe!RtlIpv4AddressToStringExW + 8E 820E525B 117 Bytes [8D, 45, D0, 50, 53, E8, BB, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 59 820E52D1 144 Bytes [00, 85, C0, 59, 74, 13, 57, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + EA 820E5362 17 Bytes [45, FC, 83, 65, F4, 00, E9, ...] 
.text ntkrnlpa.exe!RtlIpv6StringToAddressA + FE 820E5376 48 Bytes [80, 7D, 0B, 00, 0F, 85, 36, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 12F 820E53A7 23 Bytes [39, 55, FC, 0F, 87, 06, 01, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressA + 147 820E53BF 55 Bytes [75, 10, FF, 45, F0, 6A, 02, ...] .text ... .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 84 820E561E 10 Bytes [85, C0, 59, 74, E1, 53, E8, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 8F 820E5629 38 Bytes [85, C0, 59, 74, D6, 8B, 45, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + B6 820E5650 87 Bytes [77, B2, 8B, 45, F8, 6B, C0, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 10F 820E56A9 20 Bytes [00, C7, 45, 0C, 10, 00, 00, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 124 820E56BE 77 Bytes [00, 85, C0, 59, 74, 49, 56, ...] .text ... .text ntkrnlpa.exe!RtlIpv4StringToAddressA + 1D 820E5800 61 Bytes [C7, 45, FC, 0A, 00, 00, 00, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressA + 5B 820E583E 32 Bytes [08, C7, 45, FC, 10, 00, 00, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressA + 7C 820E585F 55 Bytes [00, 00, 0F, BE, F8, 57, E8, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressA + B4 820E5897 3 Bytes CALL 820F0205 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv4StringToAddressA + B8 820E589B 148 Bytes [85, C0, 59, 74, 4B, 57, E8, ...] .text ... .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 1C 820E5A1F 7 Bytes [39, 75, 14, 0F, 84, 4F, 01] .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 24 820E5A27 38 Bytes [00, FF, 75, 10, 8D, 45, 10, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 4B 820E5A4E 8 Bytes [00, 47, 80, 3F, 30, C6, 45, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 54 820E5A57 23 Bytes [89, 75, 08, C7, 45, 0C, 0A, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 6C 820E5A6F 18 Bytes [74, 04, 3C, 58, 75, 08, C7, ...] 
{JZ 0x6; CMP AL, 0x58; JNZ 0xe; MOV DWORD [EBP+0xc], 0x10; INC EDI; MOV AL, [EDI]; TEST AL, AL} .text ... .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 34 820E5BDA 46 Bytes [48, 74, 0F, 48, 0F, 84, 0E, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 63 820E5C09 28 Bytes [68, 80, 00, 00, 00, 56, E8, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 80 820E5C26 2 Bytes [00, C6] {ADD DH, AL} .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 83 820E5C29 7 Bytes JMP 820E5DB4 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) .text ntkrnlpa.exe!RtlIpv6StringToAddressW + 8C 820E5C32 115 Bytes [FE, 3A, 75, 52, 33, D2, 39, ...] .text ... .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 1 820E5EA6 29 Bytes [FF, 55, 8B, EC, 51, 51, 8B, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 1F 820E5EC4 40 Bytes [00, 39, 5D, 10, 0F, 84, 28, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 48 820E5EED 29 Bytes [75, 0C, 8D, 4D, 0C, 51, 50, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 66 820E5F0B 160 Bytes [00, 00, 00, 47, 47, 0F, B7, ...] .text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 107 820E5FAC 42 Bytes [0F, 84, 44, 01, 00, 00, 6A, ...] .text ... .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 40 820E6153 29 Bytes [5D, 10, 0F, B7, 03, 66, 83, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 5F 820E6172 5 Bytes [00, 75, 21, 43, 43] {ADD [EBP+0x21], DH; INC EBX; INC EBX} .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 65 820E6178 27 Bytes [B7, 03, 66, 83, F8, 78, C7, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 82 820E6195 218 Bytes [43, 0F, B7, 03, 66, 3B, C7, ...] .text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 15D 820E6270 25 Bytes [C0, 5F, 5E, 5B, 5D, C2, 10, ...] .text ... .text ntkrnlpa.exe!RtlLargeIntegerDivide + 28 820E69DB 5 Bytes [45, 08, 8B, 55, 0C] .text ntkrnlpa.exe!RtlLargeIntegerDivide + 2E 820E69E1 31 Bytes [8B, D9, C1, EB, 1F, 03, F6, ...] ? System32\Drivers\sphg.sys Das System kann den angegebenen Pfad nicht finden. ! 
PAGE ataport.SYS!DllUnload 82683B2E 5 Bytes JMP 84B971D8 .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E605000, 0x20BE32, 0xE8000020] .text USBPORT.SYS!DllUnload 8EBE241B 5 Bytes JMP 867981D8 .text abwatj55.SYS 8E2D8000 22 Bytes [82, 73, 3C, 82, 6C, 72, 3C, ...] .text abwatj55.SYS 8E2D8017 135 Bytes [00, 32, 37, 79, 80, 3D, 35, ...] .text abwatj55.SYS 8E2D809F 45 Bytes [82, 20, 00, 0B, 82, 64, F6, ...] .text abwatj55.SYS 8E2D80CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX} .text abwatj55.SYS 8E2D80DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...] .text ... ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806976D6] \SystemRoot\System32\Drivers\sphg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80697042] \SystemRoot\System32\Drivers\sphg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80697800] \SystemRoot\System32\Drivers\sphg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806970C0] \SystemRoot\System32\Drivers\sphg.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069713E] \SystemRoot\System32\Drivers\sphg.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A6B90] \SystemRoot\System32\Drivers\sphg.sys IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortNotification] CC358B04 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortWritePortUchar] 838E2FEF IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\Daemon Tools\Engine.dll (Helper library/DT Soft 
Ltd) IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8E2FC0 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortStallExecution] 54771129 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortInitialize] B18D0502 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8 IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8552C1F8 Device \FileSystem\fastfat \FatCdrom 9A2431F8 Device \Driver\volmgr \Device\VolMgrControl 855281F8 Device \Driver\netbt \Device\NetBT_Tcpip_{90D9B5B7-886D-48AE-BE89-09837EA98B64} 87258500 Device \Driver\usbuhci \Device\USBPDO-0 8681C1F8 Device \Driver\usbuhci \Device\USBPDO-1 8681C1F8 Device \Driver\usbuhci \Device\USBPDO-2 8681C1F8 Device 
\Driver\usbehci \Device\USBPDO-3 868291F8 Device \Driver\usbuhci \Device\USBPDO-4 8681C1F8 Device \Driver\sptd \Device\4045423479 sphg.sys Device \Driver\usbuhci \Device\USBPDO-5 8681C1F8 Device \Driver\usbuhci \Device\USBPDO-6 8681C1F8 Device \Driver\PCI_PNP5466 \Device\00000057 sphg.sys Device \Driver\volmgr \Device\HarddiskVolume1 855281F8 Device \Driver\usbehci \Device\USBPDO-7 868291F8 Device \Driver\volmgr \Device\HarddiskVolume2 855281F8 Device \Driver\cdrom \Device\CdRom0 868C31F8 Device \Driver\volmgr \Device\HarddiskVolume3 855281F8 Device \Driver\cdrom \Device\CdRom1 868C31F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8552A1F8 Device \Driver\atapi \Device\Ide\IdePort0 8552A1F8 Device \Driver\atapi \Device\Ide\IdePort1 8552A1F8 Device \Driver\atapi \Device\Ide\IdePort2 8552A1F8 Device \Driver\atapi \Device\Ide\IdePort3 8552A1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 8552A1F8 Device \Driver\msahci \Device\Ide\PciIde0Channel0 8552B1F8 Device \Driver\msahci \Device\Ide\PciIde0Channel1 8552B1F8 Device \Driver\msahci \Device\Ide\PciIde0Channel4 8552B1F8 Device \Driver\msahci \Device\Ide\PciIde0Channel5 8552B1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{74CD83F9-ED35-43AC-9693-B650142B3A08} 87258500 Device \Driver\netbt \Device\NetBt_Wins_Export 87258500 Device \Driver\Smb \Device\NetbiosSmb 8724C500 Device \Driver\iScsiPrt \Device\RaidPort0 869601F8 Device \Driver\usbuhci \Device\USBFDO-0 8681C1F8 Device \Driver\usbuhci \Device\USBFDO-1 8681C1F8 Device \Driver\usbuhci \Device\USBFDO-2 8681C1F8 Device \Driver\usbehci \Device\USBFDO-3 868291F8 Device \Driver\usbuhci \Device\USBFDO-4 8681C1F8 Device \Driver\usbuhci \Device\USBFDO-5 8681C1F8 Device \Driver\usbuhci \Device\USBFDO-6 8681C1F8 Device \Driver\usbehci \Device\USBFDO-7 868291F8 Device \Driver\abwatj55 \Device\Scsi\abwatj551Port5Path0Target0Lun0 8692B1F8 Device \Driver\abwatj55 \Device\Scsi\abwatj551 8692B1F8 Device \FileSystem\fastfat \Fat 9A2431F8 AttachedDevice \FileSystem\fastfat 
\Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) Device \FileSystem\cdfs \Cdfs 9935B1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00242bfad7a5 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\Daemon Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCE 0xD9 0x67 0x22 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x6D 0x34 0xAA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xF5 0xB7 0x5F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCE 0x48 0x84 0x7F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xCE 0x48 0x84 0x7F ... 
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00242bfad7a5 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\Daemon Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCE 0xD9 0x67 0x22 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x6D 0x34 0xAA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xF5 0xB7 0x5F ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCE 0x48 0x84 0x7F ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xCE 0x48 0x84 0x7F ... ---- EOF - GMER 1.0.15 ---- |
08.04.2010, 13:23
Member
Posts: 3716
#4
1. Download: http://www.duplexsecure.com/download/SPTDinst-v162-x86.exe, click uninstall, restart the PC.
2. Uninstall if present: Daemon Tools and Daemon Tools Lite, Alcohol 120% and 52%, AstroBurn. Otherwise they can interfere. Restart.
Then continue with ComboFix and post the log.
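The GMER log above shows the imports of atapi.sys and i8042prt.sys redirected into sphg.sys, which is why the helper asks for SPTD and Daemon Tools to be removed before anything else is judged. As an added example (not code from this thread or from GMER), the following Python script parses the "Kernel IAT/EAT" section of a GMER log and groups every redirected import by the module that now owns the target address, so that hooks explained by one known driver can be separated from hooks that land in an unidentified module or at an address GMER could not attribute to any module at all. The sample lines are constructed to mirror the posted log's format; the tcpip.sys/unknown.sys line is invented to show how an unexplained hook is reported, and the KNOWN_OWNERS allowlist is an assumption drawn from this thread (sphg.sys is the SPTD driver the helper asks to uninstall; Engine.dll sits under Program Files\Daemon Tools in the log).

```python
"""Triage the 'Kernel IAT/EAT' section of a GMER log.

Added example for this thread; it is not code from the forum or from GMER.
It parses IAT lines of the two shapes GMER prints:

    IAT <hooked image>[<module>!<import>] [<addr>] <owning module> (<description>)
    IAT <hooked image>[<module>!<import>] <addr>

and groups the redirected imports by the module that now owns the target
address. SAMPLE_LOG is constructed in GMER's format; its tcpip.sys line is
invented. KNOWN_OWNERS is an assumption taken from the thread.
"""
import re
from collections import defaultdict

IAT_RE = re.compile(
    r"^IAT\s+(?P<image>[^\[]+)\[(?P<module>[^!\]]+)!(?P<import>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<owner>.+?)(?:\s+\((?P<desc>[^()]*)\))?"
    r"|(?P<bare>[0-9A-Fa-f]+))\s*$"
)

# Assumption: modules whose hooks this thread explains (Daemon Tools / SPTD).
KNOWN_OWNERS = {
    "sphg.sys": "SPTD driver (Daemon Tools), see post #4",
    "engine.dll": "Daemon Tools helper library",
}

# Constructed sample in GMER's format; the tcpip.sys/unknown.sys line is invented.
SAMPLE_LOG = r"""
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806976D6] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80697042] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A6B90] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\Daemon Tools\Engine.dll (Helper library/DT Soft Ltd)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [9A3F1000] \SystemRoot\System32\Drivers\unknown.sys
---- Devices - GMER 1.0.15 ----
"""


def basename(path):
    """Last path component, lower-cased, so module names compare reliably."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_iat_line(line):
    """Return a dict for one IAT line, or None for any other line."""
    m = IAT_RE.match(line.strip())
    if m is None:
        return None
    owner = m.group("owner")
    return {
        "image": basename(m.group("image")),
        "import": f"{m.group('module')}!{m.group('import')}",
        "addr": (m.group("addr") or m.group("bare")).upper(),
        # None means GMER printed a bare address it could not map to any module.
        "owner": basename(owner) if owner else None,
        "desc": m.group("desc"),
    }


def triage(lines):
    """Group hooks by owning module; hooks without an owner go to 'unresolved'."""
    by_owner = defaultdict(list)
    unresolved = []
    for line in lines:
        rec = parse_iat_line(line)
        if rec is None:
            continue
        if rec["owner"] is None:
            unresolved.append(rec)
        else:
            by_owner[rec["owner"]].append(rec)
    return by_owner, unresolved


def report(lines):
    """One summary line per owner; owners not on the allowlist are tagged."""
    by_owner, unresolved = triage(lines)
    out = []
    for owner in sorted(by_owner):
        recs = by_owner[owner]
        images = ", ".join(sorted({r["image"] for r in recs}))
        tag = KNOWN_OWNERS.get(owner, "UNKNOWN owner - investigate")
        out.append(f"{len(recs):3d} hook(s) -> {owner} [{tag}] from {images}")
    if unresolved:
        images = ", ".join(sorted({r["image"] for r in unresolved}))
        out.append(f"{len(unresolved):3d} hook(s) -> address in no listed module, from {images}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Run it on the real log by reading the file and passing its lines to report(); everything outside the IAT section is ignored. Hooks that resolve to an allowlisted module are still worth re-checking once the software in question has been uninstalled and the scan repeated, since a clean rescan is what confirms the explanation.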
08.04.2010, 13:26
Member
Posts: 3716
#5
Do you still have the picture, the alleged one?
08.04.2010, 14:09
Member
Thread starter, Posts: 28
08.04.2010, 14:20
Member
Posts: 3716
#7
Do you use a server like this?
http://www.ip-adress.com/whois/216.218.211.57
Please uninstall Spybot, it can interfere. Have you carried out all the steps mentioned above concerning the installations?
08.04.2010, 14:26
Member
Thread starter, Posts: 28
#8
Okay. I have uninstalled Spybot. I did not find Daemon Tools, Alcohol or AstroBurn on my PC. I downloaded SPTD earlier, ran it and restarted the PC (if I run SPTD again it would reinstall it).
Should I now run ComboFix again?
08.04.2010, 14:28
Member
Posts: 3716
#9
First tell me whether you live in America or use a server there:
http://www.ip-adress.com/whois/216.218.211.57
08.04.2010, 14:32
Member
Thread starter, Posts: 28
#10
No, I live in Germany; that was a proxy I had configured in Chrome. I have removed it. (Would it help with the IP-address query if I sent you my IP?)
This post was edited on 08.04.2010 at 14:40 by surfer30.
08.04.2010, 14:39
Member
Posts: 3716
#11
Radix:
http://www.chip.de/downloads/Radix-Antirootkit_33955330.html
Please download the program. Switch off everything such as Avira Guard and any other running software. Open the program, tick everything under 1-Click Maintenance, disconnect from the internet by switching off the WLAN or pulling the LAN cable, start the scan, confirm any prompts with Yes, write them down and then post them here. Attach the log as a file, it is large.
08.04.2010, 15:07
Member
Thread starter, Posts: 28
#12
Okay. I have run Radix. The log is attached! Many thanks!
(I have not pressed "Fix Selected" yet.)
Attachment: Radix-Log.txt
08.04.2010, 15:09
Member
Posts: 3716
#13
Damn, small mistake: right-click radix.exe, run as admin, and do the whole thing again.
08.04.2010, 15:13
Member
Thread starter, Posts: 28
#14
Oh.. okay.. sorry.. I should have thought of that too... One more question: Radix asked me something about "kernel" and whether that should be run as well... I clicked no, because the changes would only have taken effect after a restart. Should I enable that too before the repeated check?
08.04.2010, 15:30
Member
Posts: 3716
#15
Yes please :-)
I assume that a hacker has gained access to my computer via ICQ. (He sent me a bild.jpg, which I accepted and opened but did not save [stupid enough!]). No "attacks" etc. have been carried out yet, but I nevertheless suspect that he has of course read out all my passwords, etc. The PC has been disconnected from the internet.
Now, what options are there to react?
1) Change the passwords (from a different PC)
2) Windows Firewall: close the ICQ port; I have done this.
3) Clean up temporary files (Disk Cleanup, then clean out System Restore); I have not done this yet.
Does the hacker still have access to my PC after I closed the ICQ port with the firewall? I think so, since he probably installed some kind of spyware or similar along with the picture. A virus check with Avira and Spybot (Search and Destroy) found nothing, which could of course be because he used his own software; I assume he is capable of that.
How can I now identify and disable this spyware and deny the hacker access to my PC? My fear is that the hacker, once he has achieved his goals, simply wipes my entire PC to avoid possible prosecution (I have read about that).