ICQ-Hackerangriff abwehren!

#0
08.04.2010, 10:47
Member

Beiträge: 28
#1 Hallo,

ich gehe davon aus, dass sich ein Hacker zugriff auf meinen Computer verschafft hat, mittels ICQ. (dieser hat mir ein bild.jpg gesendet, welches ich angenommen, geöffnet, aber nicht gespeichert habe, [dumm genug!]). Noch wurden keine "Attacken" usw. verübt, dennoch vermute ich dass dieser natürlich sämtliche passwörter ausgelesen hat, usw. Der PC wurde vom Internet getrennt.

Nun welche Möglichkeiten gibt es zu reagieren?

1) ändern der Passwörter (mit einem anderem PC)
2) Windows-Firewall: schließen des ICQ-Ports, habe ich gemacht.
3) Temporäre Dateien bereinigen (Datenträgerbereinigung, dannach Säubern der Systemwdh.stellung), habe ich noch nicht gemacht.

Hat der Hacker nachdem ich den icq-port mittels der firewall geschlossen dennoch zugrif auf meinen PC? Ich denke ja schon, da dieser ja wahrscheinlich mit dem bild eine art eigene spyware/ähnliches installiert hat. Ein Virencheck mittels Avira und Spybot (Search and Destroy) blieb erfolglos, was natürlich daran liegen könnte dass dieser seine eigene Software verwendet hat, ich gehe davon aus, dass dieser das beherrscht.

Wie kann ich nun diese Spyware identifizieren & ausschalten und dem Hacker den Zugriff auf meinen Pc verweigern? Meine Befürchtung liegt darin, dass der hacker nach Erreichen seiner Ziele einfach meinen gesamten PC löscht, um einer möglichen Verfolgung zu entgehen (habe darüber gelesen.)
Seitenanfang Seitenende
08.04.2010, 11:54
Member

Beiträge: 3716
Seitenanfang Seitenende
08.04.2010, 13:13
Member

Themenstarter

Beiträge: 28
#3 okay! Ich habe alle Schritte abgearbeitet. Hier sind die Logfiles. Vielen Dank schon mal für die Hilfe!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:16, on 08.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Apache\bin\ApacheMonitor.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Users\SAM\Desktop\ck3xgdpu.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.218.211.57:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\SAM\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyPoker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stibo.swh.mhn.de
O17 - HKLM\Software\..\Telephony: DomainName = stibo.swh.mhn.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stibo.swh.mhn.de
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Apache\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\FHMünchen\VPN Client\cvpnd.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10042 bytes


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 3967

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

08.04.2010 12:14:52
mbam-log-2010-04-08 (12-14-52).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 106725
Laufzeit: 4 Minute(n), 19 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1 - Deutsch
Advanced Audio FX Engine
Apache HTTP Server 2.2.14
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Bonjour
CamStudio
CamStudio Lossless Codec v1.4
Catalyst Control Center - Branding
CCleaner (remove only)
Cisco Systems VPN Client 5.0.05.0290
DebugMode Wax 2.0
Dell Dock
Dell Edoc Viewer
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Video Chat
Dell Webcam Central
devolo dLAN-Konfigurationsassistent
devolo Informer
Dexpot
Directory Submitter 1.0.29
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
EA Download Manager
Free Audio CD Burner version 1.2
Free M4a to MP3 Converter 6.1
Free YouTube Download 2.3
Free YouTube to MP3 Converter version 3.2
GIMP 2.6.6
GoToAssist 8.0.0.514
Half-Life 2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICQ6.5
Integrated Webcam Driver (1.05.02.1227)
ITECIR
iTunes
Java(TM) 6 Update 17
Junk Mail filter update
LAME v3.98.2 for Audacity
Lullabye
Magnifying Glass 1.0
Malwarebytes' Anti-Malware
MediaCoder Audio Edition 0.7.0.4399
Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme
Microsoft .NET Framework 3.5 Language Pack SP1 - deu
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (German) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office Groove MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office PowerPoint Viewer 2007 (German)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (German) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.6.3)
MSVCRT
MySQL Server 5.1
Need for Speed™ Undercover
NVIDIA PhysX
PartyPoker
PHP 5.2.13
PokerStars
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype™ 4.1
Spybot - Search & Destroy
Steam
SUPER © Version 2010.bld.37 (Jan 2, 2010)
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Word 2007 (KB974561)
Update for Outlook 2007 Junk Email Filter (kb979895)
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Outlook 2007 Help (KB963677)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.762
VLC media player 1.0.5
WIDCOMM Bluetooth Software 6.1.0.4402
Windows Live Anmelde-Assistent
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Fotogalerie
Windows Live Mail
Windows Live Messenger
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
Windows Live-Uploadtool
Windows Media Player Firefox Plugin
WinRAR
Xvid 1.2.1 final uninstall


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-08 12:42:30
Windows 6.0.6002 Service Pack 2
Running: ck3xgdpu.exe; Driver: C:\Users\SAM\AppData\Local\Temp\pxddrpow.sys


---- System - GMER 1.0.15 ----

SSDT 810B5A1C ZwCreateThread
SSDT 810B5A08 ZwOpenProcess
SSDT 810B5A0D ZwOpenThread
SSDT 810B5A17 ZwTerminateProcess

INT 0x52 ? 86798BF8
INT 0x52 ? 86798BF8
INT 0x62 ? 86798BF8
INT 0x82 ? 86798BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 84B97BF8
INT 0x92 ? 86798BF8
INT 0x92 ? 86798BF8
INT 0x92 ? 86798BF8
INT 0x92 ? 84B97BF8
INT 0xB2 ? 86798BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 820B3984 4 Bytes [1C, 5A, 0B, 81]
.text ntkrnlpa.exe!KeSetEvent + 3F1 820B3B54 4 Bytes [08, 5A, 0B, 81]
.text ntkrnlpa.exe!KeSetEvent + 40D 820B3B70 4 Bytes [0D, 5A, 0B, 81]
.text ntkrnlpa.exe!KeSetEvent + 621 820B3D84 4 Bytes [17, 5A, 0B, 81]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 540 820C6C00 23 Bytes [90, 90, 90, 33, C0, 40, C3, ...]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 558 820C6C18 42 Bytes CALL 8204D23D \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 584 820C6C44 10 Bytes [85, C0, 76, 2B, 8D, 8C, 46, ...]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 58F 820C6C4F 56 Bytes [66, 8B, 11, 66, 3B, 55, 14, ...]
.text ntkrnlpa.exe!RtlIpv6AddressToStringA + 5C8 820C6C88 1 Byte [00]
.text ...
.text ntkrnlpa.exe!PsGetProcessDebugPort + BA 820C6FD6 35 Bytes [53, 53, 53, FF, 75, E0, FF, ...]
.text ntkrnlpa.exe!PsGetProcessDebugPort + DE 820C6FFA 333 Bytes [00, 00, 3B, F3, 75, 0A, 68, ...]
.text ntkrnlpa.exe!PsGetProcessDebugPort + 22C 820C7148 415 Bytes JMP 820C70BB \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!PsGetProcessDebugPort + 3CC 820C72E8 73 Bytes CALL 820E7711 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!PsGetProcessDebugPort + 416 820C7332 1 Byte [00]
.text ...
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + 21 820C7640 63 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + 61 820C7680 11 Bytes CALL 8204D829 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + 6D 820C768C 75 Bytes [90, 90, 90, 90, 90, 8B, 5D, ...]
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + B9 820C76D8 15 Bytes [66, FF, 00, 0F, B7, 00, 66, ...]
.text ntkrnlpa.exe!FsRtlAddLargeMcbEntry + C9 820C76E8 87 Bytes CALL 82029CAB \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!WheaReportHwError + 5B 820C8422 39 Bytes [00, 00, 8B, F8, 3B, FE, 89, ...]
.text ntkrnlpa.exe!WheaReportHwError + 83 820C844A 81 Bytes [68, 22, 01, 00, 00, E8, 1B, ...]
.text ntkrnlpa.exe!WheaReportHwError + D6 820C849D 47 Bytes JMP 820C83E1 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!WheaReportHwError + 106 820C84CD 30 Bytes [74, 4A, F6, 47, 0C, 01, 74, ...]
.text ntkrnlpa.exe!WheaReportHwError + 125 820C84EC 136 Bytes [01, 00, 00, 8B, 44, 24, 10, ...]
.text ...
.text ntkrnlpa.exe!WheaGetErrorSource + 11 820C8CC8 1 Byte [00]
.text ntkrnlpa.exe!WheaGetErrorSource + 11 820C8CC8 17 Bytes [00, 00, 85, C0, 5F, 74, 05, ...]
.text ntkrnlpa.exe!WheaGetErrorSource + 23 820C8CDA 93 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!WheaGetErrorSource + 81 820C8D38 6 Bytes [00, 82, 33, C0, 5E, 5B] {ADD [EDX+0x5b5ec033], AL}
.text ntkrnlpa.exe!WheaGetErrorSource + 88 820C8D3F 75 Bytes [C2, 04, 00, 80, FB, 01, 75, ...]
.text ...
.text ntkrnlpa.exe!CcGetFileObjectFromSectionPtrsRef + 5 820C951C 502 Bytes [53, 56, 6A, 05, 59, 33, F6, ...]
.text ntkrnlpa.exe!CcDeferWrite + 14A 820C9713 2 Bytes [FF, 3B]
.text ntkrnlpa.exe!CcDeferWrite + 14D 820C9716 345 Bytes [74, 29, 8B, 46, 14, 3B, C7, ...]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + 86 820C9870 54 Bytes [A6, FB, FA, FF, 8B, 0B, 8B, ...]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + BE 820C98A8 5 Bytes [80, 74, 07, 3D, 54] {XOR BYTE [EDI+EAX+0x3d], 0x54}
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + C5 820C98AF 12 Bytes [C0, 75, 08, 6A, 00, 57, E8, ...]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + D2 820C98BC 1 Byte [6A]
.text ntkrnlpa.exe!CcUnpinRepinnedBcb + D2 820C98BC 27 Bytes CALL 820BA703 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!CcIsThereDirtyData + 13 820C99D6 41 Bytes [6A, 05, 59, FF, D7, 8B, 35, ...]
.text ntkrnlpa.exe!CcIsThereDirtyData + 3D 820C9A00 2 Bytes [74, 08] {JZ 0xa}
.text ntkrnlpa.exe!CcIsThereDirtyData + 40 820C9A03 90 Bytes [F7, 41, 2C, 00, 80, 74, 47, ...]
.text ntkrnlpa.exe!CcIsThereDirtyData + 9B 820C9A5E 36 Bytes [5F, 5E, 8A, C3, 5B, C9, C2, ...]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 10 820C9A83 24 Bytes [33, DB, FF, 15, 5C, 81, 00, ...]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 29 820C9A9C 7 Bytes [EB, 37, 8B, 41, 6C, 66, A9]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 31 820C9AA4 31 Bytes [08, 75, 29, 8B, 51, 44, 83, ...]
.text ntkrnlpa.exe!CcIsThereDirtyDataEx + 51 820C9AC4 115 Bytes [C6, 45, FF, 01, 74, 12, 85, ...]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 31 820C9B38 1 Byte [00]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 31 820C9B38 5 Bytes [00, 00, 8D, 8E, B8]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 39 820C9B40 9 Bytes [8D, 54, 24, 24, FF, 15, 54, ...]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 43 820C9B4A 17 Bytes [8D, 7E, 10, 8B, 07, EB, 62, ...]
.text ntkrnlpa.exe!CcGetLsnForFileObject + 55 820C9B5C 72 Bytes [74, 53, 8B, 70, 20, 8B, 50, ...]
.text ...
.text ntkrnlpa.exe!CcMdlWriteAbort + 21 820C9C30 11 Bytes [74, 05, C6, 44, 24, 0F, 01, ...]
.text ntkrnlpa.exe!CcMdlWriteAbort + 2D 820C9C3C 29 Bytes [8B, 1F, 74, 06, 57, E8, 24, ...]
.text ntkrnlpa.exe!CcMdlWriteAbort + 4D 820C9C5C 17 Bytes [6A, 05, 59, FF, 15, 5C, 81, ...]
.text ntkrnlpa.exe!CcMdlWriteAbort + 5F 820C9C6E 1 Byte [00]
.text ntkrnlpa.exe!CcMdlWriteAbort + 5F 820C9C6E 6 Bytes [00, 00, 8B, 46, 6C, A9]
.text ...
.text ntkrnlpa.exe!CcTestControl + 4 820C9D16 3 Bytes [C0, C2, 0C] {ROL DL, 0xc}
.text ntkrnlpa.exe!CcTestControl + 8 820C9D1A 43 Bytes [90, 90, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 11 820C9D48 7 Bytes [53, 56, 57, 8B, B8, C8, 06]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 19 820C9D50 34 Bytes [00, FF, 47, 0C, 8B, CF, 89, ...]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 3D 820C9D74 39 Bytes [FF, 47, 0C, 8B, CF, E8, B2, ...]
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 65 820C9D9C 8 Bytes [00, 8D, 46, 08, 89, 40, 04, ...] {ADD [EBP+0x40890846], CL; ADD AL, 0x89}
.text ntkrnlpa.exe!CcWaitForCurrentLazyWriterActivity + 6E 820C9DA5 74 Bytes [C6, 46, 14, 04, 8D, 44, 24, ...]
.text ...
.text ntkrnlpa.exe!ZwFreezeRegistry + 10 820CA886 5 Bytes [00, 76, 07, B8, 0D]
.text ntkrnlpa.exe!ZwFreezeRegistry + 16 820CA88C 9 Bytes [00, C0, EB, 38, 64, A1, 24, ...]
.text ntkrnlpa.exe!ZwFreezeRegistry + 20 820CA896 3 Bytes [8A, 80, E7]
.text ntkrnlpa.exe!ZwFreezeRegistry + 24 820CA89A 1 Byte [00]
.text ntkrnlpa.exe!ZwFreezeRegistry + 24 820CA89A 15 Bytes [00, 00, 88, 44, 24, 04, FF, ...]
.text ...
.text ntkrnlpa.exe!ZwThawRegistry + F 820CA8EA 5 Bytes [00, 8A, 80, E7, 00]
.text ntkrnlpa.exe!ZwThawRegistry + 15 820CA8F0 6 Bytes [00, 88, 44, 24, 04, FF] {ADD [EAX-0xfbdbbc], CL}
.text ntkrnlpa.exe!ZwThawRegistry + 1C 820CA8F7 18 Bytes [24, 04, FF, 35, 88, D1, 31, ...]
.text ntkrnlpa.exe!ZwThawRegistry + 2F 820CA90A 7 Bytes [84, C0, 75, 07, B8, 61, 00]
.text ntkrnlpa.exe!ZwThawRegistry + 37 820CA912 7 Bytes [C0, EB, 05, E8, F9, 36, 19]
.text ...
.text ntkrnlpa.exe!CmGetBoundTransaction + 16 820CA93E 49 Bytes [90, 90, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!CmGetBoundTransaction + 48 820CA970 27 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!CmGetBoundTransaction + 64 820CA98C 9 Bytes [00, 74, 0C, 6A, 01, 68, 50, ...] {ADD [ESP+ECX+0x6a], DH; ADD [EAX+0x50], EBP; LDS EDX, DWORD [EBX]}
.text ntkrnlpa.exe!CmGetBoundTransaction + 6E 820CA996 27 Bytes CALL 820B36ED \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!CmGetBoundTransaction + 8A 820CA9B2 5 Bytes [74, 0C, 6A, 01, 68]
.text ...
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadNoWait + 4 820CAD4C 1 Byte [00]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadNoWait + 4 820CAD4C 7 Bytes [00, 00, 33, C9, 05, E0, 05]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadNoWait + C 820CAD54 21 Bytes [00, 41, F0, 0F, C1, 08, C3, ...]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadResourceMiss + 5 820CAD6A 7 Bytes [00, 33, C9, 05, 60, 06, 00]
.text ntkrnlpa.exe!FsRtlIncrementCcFastReadResourceMiss + D 820CAD72 19 Bytes [41, F0, 0F, C1, 08, C3, CC, ...]
.text ntkrnlpa.exe!FsRtlIncrementCcFastMdlReadWait + 4 820CAD86 1 Byte [00]
.text ntkrnlpa.exe!FsRtlIncrementCcFastMdlReadWait + 4 820CAD86 7 Bytes [00, 00, 33, C9, 05, 24, 06]
.text ntkrnlpa.exe!FsRtlIncrementCcFastMdlReadWait + C 820CAD8E 31 Bytes [00, 41, F0, 0F, C1, 08, C3, ...]
.text ntkrnlpa.exe!FsRtlTruncateMcb + A 820CADAE 91 Bytes [FF, 75, 0C, FF, 75, 08, E8, ...]
.text ntkrnlpa.exe!FsRtlRemoveMcbEntry + F 820CAE0A 9 Bytes [FF, 75, 0C, FF, 75, 08, E8, ...]
.text ntkrnlpa.exe!FsRtlRemoveMcbEntry + 19 820CAE14 6 Bytes [00, 8B, E5, 5D, C2, 0C] {ADD [EBX+0xcc25de5], CL}
.text ntkrnlpa.exe!FsRtlRemoveMcbEntry + 20 820CAE1B 72 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!FsRtlLookupMcbEntry + 3D 820CAE64 39 Bytes [3A, C3, 74, 1C, 8B, 4C, 24, ...]
.text ntkrnlpa.exe!FsRtlLookupMcbEntry + 65 820CAE8C 33 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlLookupLastMcbEntry + 18 820CAEAE 31 Bytes [84, C0, 74, 18, 8B, 4D, 0C, ...]
.text ntkrnlpa.exe!FsRtlLookupLastMcbEntry + 38 820CAECE 21 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInMcb + B 820CAEE4 39 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlGetNextMcbEntry + 1E 820CAF0C 99 Bytes [00, 84, C0, 74, 20, 8B, 4D, ...]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 9 820CAF70 11 Bytes [74, 0C, 8B, 45, 08, 83, 60, ...]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 17 820CAF7E 7 Bytes [53, 64, 8B, 1D, 24, 01, 00]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 1F 820CAF86 11 Bytes [56, 57, 8B, 7D, 08, 8B, 37, ...]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 2B 820CAF92 1 Byte [00]
.text ntkrnlpa.exe!FsRtlResetLargeMcb + 2B 820CAF92 79 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ...
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 18 820CB03E 5 Bytes [66, FF, 8F, 82, 00]
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 1E 820CB044 7 Bytes [00, 8B, C6, F0, 0F, BA, 30]
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 26 820CB04C 41 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 50 820CB076 1 Byte [00]
.text ntkrnlpa.exe!FsRtlRemoveLargeMcbEntry + 50 820CB076 9 Bytes CALL 8204D82B \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 7 820CB0FC 19 Bytes CALL 8204D7E8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 1B 820CB110 5 Bytes [00, 66, FF, 8F, 82]
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 21 820CB116 1 Byte [00]
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 21 820CB116 20 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlLookupLargeMcbEntry + 36 820CB12B 44 Bytes [FC, 00, FF, 75, 24, FF, 75, ...]
.text ...
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 1B 820CB1F6 5 Bytes [00, 66, FF, 8F, 82]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 21 820CB1FC 1 Byte [00]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 21 820CB1FC 51 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 55 820CB230 11 Bytes CALL 8204D829 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntry + 61 820CB23C 69 Bytes [90, 90, 90, 90, 90, 8B, 5D, ...]
.text ...
.text ntkrnlpa.exe!FsRtlLookupLastBaseMcbEntryAndIndex + 19 820CB2C3 122 Bytes [8B, 41, 0C, 83, 7C, D0, FC, ...]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 7 820CB33E 19 Bytes CALL 8204D7E8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 1B 820CB352 5 Bytes [00, 66, FF, 8F, 82]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 21 820CB358 1 Byte [00]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 21 820CB358 22 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlLookupLastLargeMcbEntryAndIndex + 38 820CB36F 30 Bytes [FF, 75, 14, FF, 75, 10, FF, ...]
.text ...
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + D 820CB418 11 Bytes [56, 57, 8B, 7D, 08, 8B, 37, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 19 820CB424 1 Byte [00]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 19 820CB424 27 Bytes [00, 00, 8B, C6, F0, 0F, BA, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 35 820CB440 49 Bytes [33, C9, 41, 8B, C2, F0, 0F, ...]
.text ntkrnlpa.exe!FsRtlNumberOfRunsInLargeMcb + 67 820CB472 5 Bytes [00, 8D, 81, 82, 00]
.text ...
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + C 820CB4B6 13 Bytes [00, 56, 57, 8B, 7D, 08, 8B, ...]
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 1A 820CB4C4 7 Bytes [00, 8B, C6, F0, 0F, BA, 30]
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 22 820CB4CC 89 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 7C 820CB526 3 Bytes [8D, 81, 82]
.text ntkrnlpa.exe!FsRtlGetNextLargeMcbEntry + 80 820CB52A 1 Byte [00]
.text ...
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 21 820CB578 23 Bytes [00, 8B, 5D, 08, 8B, 46, 0C, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 39 820CB590 32 Bytes [00, 85, DB, 75, 04, 33, C9, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 5A 820CB5B1 38 Bytes [05, 21, 4D, 08, EB, 07, 8B, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 81 820CB5D8 181 Bytes [00, 85, DB, 75, 04, 33, D2, ...]
.text ntkrnlpa.exe!FsRtlSplitBaseMcb + 137 820CB68E 25 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 10 820CB6A8 11 Bytes [8B, 5D, 08, 8B, 33, 64, 8B, ...]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 1C 820CB6B4 5 Bytes [66, FF, 8F, 82, 00]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 22 820CB6BA 7 Bytes [00, 8B, C6, F0, 0F, BA, 30]
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 2A 820CB6C2 13 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlSplitLargeMcb + 38 820CB6D0 33 Bytes [FF, 75, 18, FF, 75, 14, FF, ...]
.text ...
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + 1F 820CB8D6 83 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + 73 820CB92A 3 Bytes [C6, 45, FF]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + 77 820CB92E 93 Bytes [74, 23, 0F, B6, 47, 25, 50, ...]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + D5 820CB98C 17 Bytes [8B, 0B, 89, 08, 75, 08, 3B, ...]
.text ntkrnlpa.exe!FsRtlFastUnlockAllByKey + E7 820CB99E 3 Bytes [80, 7D, FF]
.text ...
.text ntkrnlpa.exe!FsRtlAllocatePool + 15 820CBA18 6 Bytes [85, C0, 75, 0A, 68, 9A]
.text ntkrnlpa.exe!FsRtlAllocatePool + 1C 820CBA1F 59 Bytes CALL 8204F242 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuota + 27 820CBA5B 28 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithTag + 13 820CBA78 6 Bytes [85, C0, 75, 0A, 68, 9A]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithTag + 1A 820CBA7F 10 Bytes CALL 8204F242 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlAllocatePoolWithTag + 25 820CBA8A 116 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 6B 820CBAFF 12 Bytes [8B, D8, 89, 1E, 89, 5D, E0, ...]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 79 820CBB0D 4 Bytes [C7, 45, DC, 01]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 7F 820CBB13 8 Bytes [00, 8B, 73, 1C, 64, A1, 24, ...] {ADD [EBX-0x5e9be38d], CL; AND AL, 0x1}
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + 89 820CBB1D 26 Bytes [89, 45, E4, 8B, C6, F0, 0F, ...]
.text ntkrnlpa.exe!FsRtlAllocatePoolWithQuotaTag + A4 820CBB38 9 Bytes [F6, 43, 18, 11, 0F, 84, A2, ...]
.text ...
.text ntkrnlpa.exe!FsRtlOplockBreakToNone + 10 820CC055 16 Bytes [33, C0, EB, 26, 8B, 45, 0C, ...]
.text ntkrnlpa.exe!FsRtlOplockBreakToNone + 21 820CC066 28 Bytes [74, 03, 33, D2, 42, FF, 75, ...]
.text ntkrnlpa.exe!FsRtlOplockBreakToNone + 3E 820CC083 78 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!FsRtlOplockBreakToNone + 8E 820CC0D3 10 Bytes [00, 8B, CE, B2, 01, 1B, C0, ...]
.text ntkrnlpa.exe!FsRtlOplockBreakToNone + 99 820CC0DE 40 Bytes JMP 7C25FF5B
.text ...
.text ntkrnlpa.exe!FsRtlCreateSectionForDataScan + 5C 820CC694 23 Bytes [00, 64, 8B, 0D, 24, 01, 00, ...]
.text ntkrnlpa.exe!FsRtlCreateSectionForDataScan + 74 820CC6AC 217 Bytes [8B, D8, 3B, DF, 7D, 40, 64, ...]
.text ntkrnlpa.exe!FsRtlCreateSectionForDataScan + 14E 820CC786 249 Bytes [64, 8B, 0D, 24, 01, 00, 00, ...]
.text ntkrnlpa.exe!FsRtlInsertPerFileContext + 41 820CC880 5 Bytes [00, C0, E9, B0, 00]
.text ntkrnlpa.exe!FsRtlInsertPerFileContext + 47 820CC886 13 Bytes [00, 8B, 55, 08, 8D, 46, 04, ...]
.text ntkrnlpa.exe!FsRtlInsertPerFileContext + 55 820CC894 27 Bytes [8B, CE, 33, C0, F0, 0F, B1, ...]
.text ntkrnlpa.exe!FsRtlInsertPerFileContext + 71 820CC8B0 5 Bytes [00, 66, FF, 88, 80]
.text ntkrnlpa.exe!FsRtlInsertPerFileContext + 77 820CC8B6 1 Byte [00]
.text ...
.text ntkrnlpa.exe!FsRtlLookupPerFileContext + 12 820CC95A 1 Byte [00]
.text ntkrnlpa.exe!FsRtlLookupPerFileContext + 12 820CC95A 11 Bytes [00, 00, 8D, 77, 04, 39, 36, ...]
.text ntkrnlpa.exe!FsRtlLookupPerFileContext + 1E 820CC966 5 Bytes [00, 64, A1, 24, 01]
.text ntkrnlpa.exe!FsRtlLookupPerFileContext + 24 820CC96C 153 Bytes [00, 66, FF, 88, 80, 00, 00, ...]
.text ntkrnlpa.exe!FsRtlLookupPerFileContext + BE 820CCA06 5 Bytes [00, 8D, 81, 80, 00]
.text ...
.text ntkrnlpa.exe!FsRtlRemovePerFileContext + 1B 820CCA60 9 Bytes [00, 8D, 73, 04, 39, 36, 0F, ...]
.text ntkrnlpa.exe!FsRtlRemovePerFileContext + 25 820CCA6A 1 Byte [00]
.text ntkrnlpa.exe!FsRtlRemovePerFileContext + 25 820CCA6A 7 Bytes [00, 00, 64, A1, 24, 01, 00]
.text ntkrnlpa.exe!FsRtlRemovePerFileContext + 2D 820CCA72 5 Bytes [66, FF, 88, 80, 00]
.text ntkrnlpa.exe!FsRtlRemovePerFileContext + 33 820CCA78 7 Bytes [00, 8B, C3, F0, 0F, BA, 28]
.text ...
.text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 1 820CCB5E 77 Bytes [FF, 55, 8B, EC, 57, 8B, 7D, ...]
.text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 4F 820CCBAC 10 Bytes [00, 82, 8A, D8, 8B, C6, F0, ...]
.text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 5A 820CCBB7 18 Bytes CALL 82048392 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlRemovePerStreamContext + 6D 820CCBCA 71 Bytes [89, 46, 1C, 8B, 55, 10, 33, ...]
.text ntkrnlpa.exe!FsRtlRemovePerStreamContext + B5 820CCC12 8 Bytes [74, 25, EB, F3, EB, 21, 8B, ...] {JZ 0x27; JMP 0xfffffffffffffff7; JMP 0x27; MOV ECX, EAX}
.text ...
.text ntkrnlpa.exe!FsRtlPostStackOverflow + 8 820CCD1D 63 Bytes [75, 10, FF, 75, 0C, FF, 75, ...]
.text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + 25 820CCD5D 30 Bytes [55, 8B, EC, 53, 68, 46, 53, ...]
.text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + 45 820CCD7D 24 Bytes CALL 8204F243 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + 5E 820CCD96 82 Bytes [8B, 4D, 08, 89, 48, 14, 8B, ...]
.text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + B2 820CCDEA 39 Bytes [57, 33, FF, 47, 89, B8, 34, ...]
.text ntkrnlpa.exe!FsRtlPostPagingFileStackOverflow + DA 820CCE12 6 Bytes [0C, 39, 3D, 44, C1, 13]
.text ...
.text ntkrnlpa.exe!PsWrapApcWow64Thread + 59 820CD20C 27 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!HvlQueryConnection + 12 820CD229 6 Bytes [C0, EB, 07, 8B, 4D, 08] {SHR BL, 0x7; MOV ECX, [EBP+0x8]}
.text ntkrnlpa.exe!HvlQueryConnection + 19 820CD230 6 Bytes [01, 33, C0, 5D, C2, 04] {ADD [EBX], ESI; RCR BYTE [EBP-0x3e], 0x4}
.text ntkrnlpa.exe!HvlQueryConnection + 20 820CD237 55 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!HvlQueryConnection + 58 820CD26F 12 Bytes [00, 40, C7, 45, D4, 03, 00, ...] {ADD [EAX-0x39], AL; INC EBP; AAM 0x3; ADD [EAX], AL; INC EAX; JZ 0x54; DEC EAX}
.text ntkrnlpa.exe!HvlQueryConnection + 65 820CD27C 2 Bytes [85, D5] {TEST EBP, EDX}
.text ...
.text ntkrnlpa.exe!InbvIsBootDriverInstalled + D 820CD814 13 Bytes [CC, CC, 90, 90, 90, 90, 90, ...]
.text ntkrnlpa.exe!InbvResetDisplay + 7 820CD822 8 Bytes [74, 13, 83, 3D, 90, 6E, 10, ...]
.text ntkrnlpa.exe!InbvResetDisplay + 11 820CD82C 197 Bytes CALL 820F168A \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!InbvSetTextColor + 34 820CD8F2 11 Bytes [C9, C2, 04, 00, CC, CC, CC, ...] {LEAVE ; RET 0x4; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP }
.text ntkrnlpa.exe!InbvSetTextColor + 40 820CD8FE 33 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...]
.text ntkrnlpa.exe!InbvInstallDisplayStringFilter + 1F 820CD920 13 Bytes [90, C7, 05, FC, C0, 13, 82, ...]
.text ntkrnlpa.exe!InbvInstallDisplayStringFilter + 2D 820CD92E 287 Bytes [C1, 13, 82, 1A, 01, 00, 00, ...]
.text ntkrnlpa.exe!IoAllocateController + 37 820CDA4E 8 Bytes [75, 08, FF, 75, 08, E8, 27, ...]
.text ntkrnlpa.exe!IoAllocateController + 41 820CDA58 34 Bytes [5F, 5E, 5B, 5D, C2, 10, 00, ...]
.text ntkrnlpa.exe!IoAllocateController + 64 820CDA7B 69 Bytes CALL 82015053 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!IoFreeErrorLogEntry + 2F 820CDAC1 1 Byte [F0]
.text ntkrnlpa.exe!IoFreeErrorLogEntry + 2F 820CDAC1 5 Bytes [F0, 0F, C1, 01, 6A]
.text ntkrnlpa.exe!IoFreeErrorLogEntry + 35 820CDAC7 5 Bytes [56, E8, 38, 65, 02]
.text ntkrnlpa.exe!IoFreeErrorLogEntry + 3B 820CDACD 25 Bytes [5E, 5D, C2, 04, 00, 90, 90, ...]
.text ntkrnlpa.exe!IoFreeErrorLogEntry + 56 820CDAE8 6 Bytes [CC, CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ...
.text ntkrnlpa.exe!IoAttachDeviceByPointer 820CDAFB 349 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
.text ntkrnlpa.exe!IoRaiseHardError + 1A 820CDC59 15 Bytes [00, F6, C2, 20, 74, 19, F6, ...]
.text ntkrnlpa.exe!IoRaiseHardError + 2A 820CDC69 61 Bytes [B2, 01, 8B, CF, FF, 15, 7C, ...]
.text ntkrnlpa.exe!IoRaiseHardError + 68 820CDCA7 7 Bytes [D8, 85, DB, 74, BD, 57, 6A]
.text ntkrnlpa.exe!IoRaiseHardError + 70 820CDCAF 4 Bytes [68, AE, 23, 27]
.text ntkrnlpa.exe!IoRaiseHardError + 75 820CDCB4 101 Bytes [68, 74, 1B, 27, 82, 68, FB, ...]
.text ...
.text ntkrnlpa.exe!IoRaiseInformationalHardError + 16 820CDE21 5 Bytes [00, EB, 0C, 64, A1]
.text ntkrnlpa.exe!IoRaiseInformationalHardError + 1C 820CDE27 101 Bytes [01, 00, 00, 8B, 80, 60, 02, ...]
.text ntkrnlpa.exe!IoRaiseInformationalHardError + 82 820CDE8D 29 Bytes [45, 08, 89, 43, 08, 74, 4C, ...]
.text ntkrnlpa.exe!IoRaiseInformationalHardError + A0 820CDEAB 24 Bytes [3B, C6, 75, 10, 56, 53, E8, ...]
.text ntkrnlpa.exe!IoRaiseInformationalHardError + B9 820CDEC4 16 Bytes [4B, 0C, 66, 8B, 0F, 66, 89, ...] {DEC EBX; OR AL, 0x66; MOV ECX, [EDI]; MOV [EBX+0xe], CX; MOV [EBX+0x10], EAX; MOVZX ECX, [EDI]; PUSH ECX}
.text ...
.text ntkrnlpa.exe!IoSetDeviceToVerify + 62 820CE0AE 2 Bytes CALL 820D726A \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!IoSetDeviceToVerify + 66 820CE0B2 41 Bytes [3B, C3, 74, 30, 39, 5D, 08, ...]
.text ntkrnlpa.exe!IoSetDeviceToVerify + 91 820CE0DD 56 Bytes [08, 57, 56, FF, 50, 30, 5F, ...]
.text ntkrnlpa.exe!IoStartNextPacketByKey + 1 820CE116 11 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...]
.text ntkrnlpa.exe!IoStartNextPacketByKey + D 820CE122 7 Bytes [00, 00, 66, F7, 40, 24, 00]
.text ntkrnlpa.exe!IoStartNextPacketByKey + 15 820CE12A 86 Bytes [74, 1A, 8A, 45, 0C, 8B, 4D, ...]
.text ntkrnlpa.exe!IoStopTimer + 13 820CE181 6 Bytes [CF, FF, 15, 84, 81, 00]
.text ntkrnlpa.exe!IoStopTimer + 1A 820CE188 17 Bytes [66, 83, 7E, 02, 00, 74, 0B, ...]
.text ntkrnlpa.exe!IoStopTimer + 2C 820CE19A 252 Bytes [8A, D0, 8B, CF, FF, 15, 80, ...]
.text ntkrnlpa.exe!IoIsFileOriginRemote + 14 820CE297 176 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!IoSetIoPriorityHintIntoFileObject + 11 820CE348 89 Bytes [00, C0, EB, 17, 8D, 45, 0C, ...]
.text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + 30 820CE3A2 20 Bytes [F0, 0B, CF, 8B, DA, F0, 0F, ...]
.text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + 45 820CE3B7 93 Bytes [00, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + A3 820CE415 42 Bytes [3F, 8B, CF, EB, 0A, 8B, 55, ...]
.text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + CE 820CE440 10 Bytes [5B, 5F, 5E, C9, C2, 10, 00, ...]
.text ntkrnlpa.exe!IoSetIoPriorityHintIntoThread + D9 820CE44B 7 Bytes [74, 1A, 8B, 4D, 10, 83, 21]
.text ...
.text ntkrnlpa.exe!IoAllocateSfioStreamIdentifier + 10 820CE4CD 169 Bytes [C0, EB, 30, 83, 7D, 0C, 00, ...]
.text ntkrnlpa.exe!IoFreeSfioStreamIdentifier + 30 820CE577 82 Bytes [06, EB, 0A, 8B, 48, 0C, 3B, ...]
.text ntkrnlpa.exe!IoClearIrpExtraCreateParameter + B 820CE5CA 6 Bytes [80, 74, 04, 83, 60, 3C]
.text ntkrnlpa.exe!IoClearIrpExtraCreateParameter + 12 820CE5D1 62 Bytes [5D, C2, 04, 00, 90, 90, 90, ...]
.text ntkrnlpa.exe!IoClearIrpExtraCreateParameter + 51 820CE610 206 Bytes [F0, 74, 04, 32, C0, EB, 02, ...]
.text ntkrnlpa.exe!IoCallDriverStackSafe + A7 820CE6DF 20 Bytes [25, 48, 81, 00, 82, 83, 61, ...]
.text ntkrnlpa.exe!IoCallDriverStackSafe + BD 820CE6F5 21 Bytes [76, 04, 89, 36, 8A, 41, 23, ...]
.text ntkrnlpa.exe!IoCallDriverStackSafe + D3 820CE70B 1 Byte [70]
.text ntkrnlpa.exe!IoCallDriverStackSafe + D3 820CE70B 25 Bytes [70, 14, EB, 02, 33, F6, 6A, ...]
.text ntkrnlpa.exe!IoCallDriverStackSafe + ED 820CE725 6 Bytes [19, 6A, 30, 56, E8, EA]
.text ...
.text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 1F 820CF3C6 54 Bytes [C0, EB, 30, 39, 4D, 0C, 74, ...]
.text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 56 820CF3FD 53 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 8C 820CF433 1 Byte [B7]
.text ntkrnlpa.exe!KeInitializeCrashDumpHeader + 8C 820CF433 22 Bytes [B7, 4E, 2C, 8B, 46, 30, E8, ...]
.text ntkrnlpa.exe!KeInitializeCrashDumpHeader + A3 820CF44A 5 Bytes [36, 8D, 5C, 03, 09]
.text ...
.text ntkrnlpa.exe!KeCapturePersistentThreadState + 16 820D01DC 11 Bytes [00, 83, 7D, 0C, 00, 75, 09, ...]
.text ntkrnlpa.exe!KeCapturePersistentThreadState + 22 820D01E8 7 Bytes [00, 89, 45, 0C, 56, 57, BF]
.text ntkrnlpa.exe!KeCapturePersistentThreadState + 2A 820D01F0 156 Bytes [00, 02, 00, 57, 6A, 00, 53, ...]
.text ntkrnlpa.exe!KeCapturePersistentThreadState + C8 820D028E 16 Bytes CALL 0A0E2698
.text ntkrnlpa.exe!KeCapturePersistentThreadState + D9 820D029F 4 Bytes [89, 83, E0, 07]
.text ...
.text ntkrnlpa.exe!IoReleaseRemoveLockAndWaitEx + 2 820D15DA 154 Bytes [55, 8B, EC, 53, 8B, 5D, 08, ...]
.text ntkrnlpa.exe!IoRequestDeviceEjectEx + 1D 820D1675 30 Bytes [40, 14, 3B, C3, 0F, 84, A6, ...]
.text ntkrnlpa.exe!IoRequestDeviceEjectEx + 3C 820D1694 103 Bytes [68, B4, 05, 00, 00, 53, E8, ...]
.text ntkrnlpa.exe!IoRequestDeviceEjectEx + A4 820D16FC 44 Bytes [10, 6A, 01, 50, 89, 7E, 08, ...]
.text ntkrnlpa.exe!IoRequestDeviceEjectEx + D1 820D1729 24 Bytes CALL 8200A956 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!IoRequestDeviceEjectEx + EA 820D1742 130 Bytes [47, 08, 83, C0, 1C, 66, 39, ...]
.text ...
.text ntkrnlpa.exe!IoRequestDeviceEject + AF 820D18E0 65 Bytes [85, F6, 76, 13, 66, F7, 45, ...]
.text ntkrnlpa.exe!IoRequestDeviceEject + F1 820D1922 30 Bytes [8B, 70, 14, EB, 02, 33, F6, ...]
.text ntkrnlpa.exe!IoRequestDeviceEject + 110 820D1941 93 Bytes [A9, 00, 20, 74, 25, 8D, 96, ...]
.text ntkrnlpa.exe!IoTranslateBusAddress + 4 820D199F 23 Bytes [EC, 83, E4, F8, 83, EC, 34, ...]
.text ntkrnlpa.exe!IoTranslateBusAddress + 1C 820D19B7 88 Bytes [45, 1C, 89, 08, 8B, 4D, 14, ...]
.text ntkrnlpa.exe!IoTranslateBusAddress + 75 820D1A10 23 Bytes CALL 821B5D78 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!IoTranslateBusAddress + 8D 820D1A28 52 Bytes [00, 8A, 4C, 24, 20, 8D, 44, ...]
.text ntkrnlpa.exe!IoTranslateBusAddress + C2 820D1A5D 59 Bytes [74, 24, 18, EB, 0B, 8B, 44, ...]
.text ...
.text ntkrnlpa.exe!ZwReplacePartitionUnit + 8B 820D3462 40 Bytes [C5, 7F, 1E, 00, CC, 8D, 4A, ...]
.text ntkrnlpa.exe!ZwReplacePartitionUnit + B4 820D348B 2 Bytes [F0, 77]
.text ntkrnlpa.exe!ZwReplacePartitionUnit + B7 820D348E 19 Bytes [3B, F1, 73, 03, C6, 00, 00, ...]
.text ntkrnlpa.exe!ZwReplacePartitionUnit + CB 820D34A2 13 Bytes [89, 45, CC, 8B, 49, 04, 89, ...]
.text ntkrnlpa.exe!ZwReplacePartitionUnit + D9 820D34B0 8 Bytes [FF, FF, 66, 3B, C7, 0F, 84, ...]
.text ...
.text ntkrnlpa.exe!KdChangeOption + 38 820D3750 19 Bytes [80, 74, 07, B8, 22, 00, 00, ...]
.text ntkrnlpa.exe!KdChangeOption + 4C 820D3764 15 Bytes [33, C0, 8B, 4D, 1C, 3B, CA, ...]
.text ntkrnlpa.exe!KdChangeOption + 5C 820D3774 43 Bytes [00, C0, 5D, C2, 18, 00, 90, ...]
.text ntkrnlpa.exe!KdChangeOption + 88 820D37A0 3 Bytes JMP 820D3857 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KdChangeOption + 8C 820D37A4 7 Bytes [00, 00, 38, 1D, 84, 93, 13]
.text ...
.text ntkrnlpa.exe!KdDisableDebugger + 49 820D38C8 2 Bytes [00, 38] {ADD [EAX], BH}
.text ntkrnlpa.exe!KdDisableDebugger + 4C 820D38CB 32 Bytes [08, BE, 80, F3, 13, 82, 74, ...]
.text ntkrnlpa.exe!KdDisableDebugger + 6D 820D38EC 23 Bytes [75, 26, 38, 5D, 08, 74, 18, ...]
.text ntkrnlpa.exe!KdDisableDebugger + 85 820D3904 3 Bytes [B8, 0D, 00]
.text ntkrnlpa.exe!KdDisableDebugger + 89 820D3908 35 Bytes [C0, EB, 4A, 53, 53, E8, D3, ...]
.text ...
.text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 11 820D3990 47 Bytes [74, 04, B0, 01, EB, 3A, B8, ...]
.text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 41 820D39C0 55 Bytes [FF, 75, FC, 8A, 1D, 89, 93, ...]
.text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 79 820D39F8 15 Bytes [00, 89, 45, FC, 76, 07, 66, ...]
.text ntkrnlpa.exe!KdRefreshDebuggerNotPresent + 89 820D3A08 79 Bytes [66, 89, 45, F8, 38, 0D, 89, ...]
.text ntkrnlpa.exe!KdPowerTransition + 1B 820D3A58 247 Bytes [EB, 0C, BE, EF, 00, 00, C0, ...]
.text ntkrnlpa.exe!KdPowerTransition + 113 820D3B50 107 Bytes [EB, 09, FF, 75, 14, 56, E8, ...]
.text ntkrnlpa.exe!KdPowerTransition + 17F 820D3BBC 71 Bytes [75, 15, 33, F6, A2, E8, 2F, ...]
.text ntkrnlpa.exe!KdPowerTransition + 1C7 820D3C04 19 Bytes CALL 822E523D \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KdPowerTransition + 1DB 820D3C18 7 Bytes [73, 69, 3B, 05, 98, 26, 32]
.text ...
.text ntkrnlpa.exe!KeQueryRuntimeThread + 1 820D4134 11 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text ntkrnlpa.exe!KeQueryRuntimeThread + E 820D4141 97 Bytes [8B, 55, 0C, 89, 0A, 8B, 80, ...]
.text ntkrnlpa.exe!KeQueryRuntimeThread + 70 820D41A3 134 Bytes [00, 83, 7D, 08, 00, 74, 07, ...]
.text ntkrnlpa.exe!KeQueryRuntimeThread + F7 820D422A 133 Bytes [FE, FF, FF, 8D, 55, E4, E8, ...]
.text ntkrnlpa.exe!KeQueryRuntimeThread + 17E 820D42B1 6 Bytes [75, 16, 8D, 41, 38, 39]
.text ...
.text ntkrnlpa.exe!KeIsAttachedProcess + 25 820D441C 25 Bytes [90, 8B, FF, 55, 8B, EC, 51, ...]
.text ntkrnlpa.exe!KeIsAttachedProcess + 3F 820D4436 134 Bytes [FF, 56, 04, 08, 45, FC, 8B, ...]
.text ntkrnlpa.exe!KeDeregisterNmiCallback + 2 820D44BD 12 Bytes [55, 8B, EC, 51, 51, 83, 65, ...]
.text ntkrnlpa.exe!KeDeregisterNmiCallback + F 820D44CA 62 Bytes [53, 56, 57, BF, DC, 92, 13, ...]
.text ntkrnlpa.exe!KeDeregisterNmiCallback + 4E 820D4509 33 Bytes [CF, FF, 15, 80, 81, 00, 82, ...]
.text ntkrnlpa.exe!KeDeregisterNmiCallback + 70 820D452B 80 Bytes CALL 82032E1F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeDeregisterNmiCallback + C1 820D457C 104 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ...
.text ntkrnlpa.exe!KeBugCheckEx + A 820D4B79 121 Bytes [FF, 75, 18, FF, 75, 14, FF, ...]
.text ntkrnlpa.exe!KeBugCheckEx + 84 820D4BF3 5 Bytes [45, DC, 2B, F2, 89]
.text ntkrnlpa.exe!KeBugCheckEx + 8A 820D4BF9 79 Bytes [E0, 39, 5D, E0, 74, 0D, 0F, ...]
.text ntkrnlpa.exe!KeBugCheckEx + DA 820D4C49 4 Bytes [68, 00, 5E, 05]
.text ntkrnlpa.exe!KeBugCheckEx + DF 820D4C4E 62 Bytes CALL 8200DBA3 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!KeDeregisterBugCheckCallback + 16 820D5C03 118 Bytes CALL 820AD9DC \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeDeregisterBugCheckCallback + 8E 820D5C7B 22 Bytes [00, 89, 45, E4, 89, 5D, E0, ...]
.text ntkrnlpa.exe!KeDeregisterBugCheckCallback + A5 820D5C92 4 Bytes CALL 82085598 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeDeregisterBugCheckCallback + AB 820D5C98 169 Bytes [74, 64, 46, 47, 83, FF, 20, ...]
.text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + 34 820D5D42 82 Bytes [89, 41, 04, FE, C3, 8B, CE, ...]
.text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + 87 820D5D95 26 Bytes [82, 00, 0F, 84, CB, 00, 00, ...]
.text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + A2 820D5DB0 23 Bytes [C6, 45, E7, 00, F6, C3, 03, ...]
.text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + BB 820D5DC9 81 Bytes [81, C6, 1B, 10, 00, 00, C1, ...]
.text ntkrnlpa.exe!KeDeregisterBugCheckReasonCallback + 10D 820D5E1B 170 Bytes [E7, 01, 8B, 45, E0, 89, 45, ...]
.text ...
.text ntkrnlpa.exe!KeAcquireSpinLockForDpc + 6 820D637C 47 Bytes [8A, 80, 1B, 1A, 00, 00, 84, ...]
.text ntkrnlpa.exe!KeReleaseSpinLockForDpc + 5 820D63AC 87 Bytes [00, 8A, 80, 1B, 1A, 00, 00, ...]
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + C 820D6405 1 Byte [84]
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + C 820D6405 48 Bytes JMP 25FFFFFD
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + 3D 820D6436 111 Bytes [90, 90, 90, 90, 8B, FF, 0F, ...]
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + AD 820D64A6 33 Bytes [47, 68, 89, 45, D8, FF, 15, ...]
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockForDpc + CF 820D64C8 9 Bytes [8D, 4D, D8, 8B, C7, E8, 83, ...]
.text ...
.text ntkrnlpa.exe!Ke386SetIoAccessMap + 9D 820D68C1 13 Bytes [5F, 5E, 5D, C2, 10, 00, 90, ...] {POP EDI; POP ESI; POP EBP; RET 0x10; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ntkrnlpa.exe!Ke386SetIoAccessMap + AB 820D68CF 30 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
.text ntkrnlpa.exe!Ke386QueryIoAccessMap + 1B 820D68EE 39 Bytes [68, FF, 00, 00, 00, FF, 75, ...]
.text ntkrnlpa.exe!Ke386QueryIoAccessMap + 43 820D6916 95 Bytes [00, 8B, 40, 40, 68, 00, 20, ...]
.text ntkrnlpa.exe!Ke386IoSetAccessProcess + 2A 820D6976 52 Bytes [0F, B7, C0, 8B, 4D, 08, 66, ...]
.text ntkrnlpa.exe!Ke386IoSetAccessProcess + 60 820D69AC 58 Bytes [8B, 48, 20, 8B, 49, 04, 8B, ...]
.text ntkrnlpa.exe!Ke386IoSetAccessProcess + 9B 820D69E7 89 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!Ke386IoSetAccessProcess + F5 820D6A41 195 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!KeReadStateTimer + B8 820D6B06 34 Bytes [72, 99, 64, 8B, 0D, 20, 00, ...]
.text ntkrnlpa.exe!KeReadStateTimer + DB 820D6B29 6 Bytes [6A, 00, 68, C7, 00, 00]
.text ntkrnlpa.exe!KeReadStateTimer + E2 820D6B30 8 Bytes CALL 820D4B6F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeReadStateTimer + EB 820D6B39 226 Bytes [6A, 01, EB, EE, 57, 56, 50, ...]
.text ntkrnlpa.exe!KeReadStateTimer + 1CE 820D6C1C 6 Bytes [CC, CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ...
.text ntkrnlpa.exe!KeFlushEntireTb + 4D 820D6C74 159 Bytes CALL 820CD6FD \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 2 820D6D14 1 Byte [55]
.text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 2 820D6D14 5 Bytes [55, 8B, EC, 8B, 45]
.text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 8 820D6D1A 10 Bytes [83, C9, FF, F0, 0F, C1, 08, ...]
.text ntkrnlpa.exe!ExReleaseSpinLockSharedFromDpcLevel + 13 820D6D25 85 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!KeI386GetLid + 4 820D6D7B 104 Bytes [EC, 83, EC, 10, 33, C0, 40, ...]
.text ntkrnlpa.exe!KeI386GetLid + 6D 820D6DE4 68 Bytes CALL 8204D240 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeI386GetLid + B2 820D6E29 131 Bytes CALL 820D6D36 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeI386GetLid + 136 820D6EAD 63 Bytes [0A, 66, 85, D2, 74, 05, BB, ...]
.text ntkrnlpa.exe!KeI386ReleaseLid + 12 820D6EED 156 Bytes [C0, EB, 47, 56, 57, BF, CC, ...]
.text ntkrnlpa.exe!KeI386AbiosCall + 43 820D6F8A 56 Bytes [07, B8, 12, 01, 00, C0, EB, ...]
.text ntkrnlpa.exe!KeI386AbiosCall + 7C 820D6FC3 45 Bytes CALL 8204BFE1 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeI386AllocateGdtSelectors + 12 820D6FF1 87 Bytes [56, BE, D0, 5D, 13, 82, 8B, ...]
.text ntkrnlpa.exe!KeI386AllocateGdtSelectors + 6A 820D7049 16 Bytes [C0, 5F, 5D, C2, 08, 00, 90, ...] {RCR BYTE [EDI+0x5d], 0xc2; OR [EAX], AL; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP }
.text ntkrnlpa.exe!KeI386ReleaseGdtSelectors 820D705B 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text ntkrnlpa.exe!KeI386ReleaseGdtSelectors + 4 820D705F 17 Bytes [EC, 51, 53, 57, BF, D0, 5D, ...] {IN AL, DX ; PUSH ECX; PUSH EBX; PUSH EDI; MOV EDI, 0x82135dd0; MOV ECX, EDI; CALL [0x82008184]}
.text ntkrnlpa.exe!KeI386ReleaseGdtSelectors + 16 820D7071 69 Bytes [5D, 0C, 66, 01, 1D, 10, 72, ...]
.text ntkrnlpa.exe!KeI386ReleaseGdtSelectors + 5C 820D70B7 56 Bytes [5F, 33, C0, 5B, C9, C2, 08, ...]
.text ntkrnlpa.exe!KeI386FlatToGdtSelector + 25 820D70F0 4 Bytes JMP 820D717B \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeI386FlatToGdtSelector + 2B 820D70F6 40 Bytes [53, 56, 57, BF, D0, 5D, 13, ...]
.text ntkrnlpa.exe!KeI386FlatToGdtSelector + 54 820D711F 52 Bytes [66, 89, 59, 02, C1, EB, 10, ...]
.text ntkrnlpa.exe!KeI386FlatToGdtSelector + 89 820D7154 43 Bytes [04, 85, E0, 5D, 13, 82, FF, ...]
.text ntkrnlpa.exe!KeI386FlatToGdtSelector + B5 820D7180 215 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!KeInsertByKeyDeviceQueue + 9F 820D7258 61 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueue + 2D 820D7296 18 Bytes CALL 820ADB40 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueue + 40 820D72A9 75 Bytes [50, 04, 8B, 4D, 0C, 39, 4A, ...]
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueue + 8C 820D72F5 26 Bytes [00, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 10 820D7310 5 Bytes [00, 83, EC, 0C, 56]
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 16 820D7316 38 Bytes [75, 08, 57, 33, FF, 84, C0, ...]
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 3D 820D733D 23 Bytes [75, 06, C6, 46, 10, 00, EB, ...]
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 55 820D7355 20 Bytes [3B, C8, 75, F0, 3B, C8, 74, ...]
.text ntkrnlpa.exe!KeRemoveByKeyDeviceQueueIfBusy + 6A 820D736A 128 Bytes [10, 8B, 0A, 89, 08, 89, 41, ...]
.text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 40 820D73EB 72 Bytes [00, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 89 820D7434 99 Bytes [75, 10, 0F, B6, C3, 8B, 34, ...]
.text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + ED 820D7498 58 Bytes JMP 82055888 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 128 820D74D3 17 Bytes [88, 0C, 02, 00, 00, 89, 0E, ...]
.text ntkrnlpa.exe!KeRemoveEntryDeviceQueue + 13A 820D74E5 3 Bytes [0D, 20, 00]
.text ...
.text ntkrnlpa.exe!KeRundownQueue + 15 820D755D 104 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!KeRaiseUserException + 13 820D75C6 24 Bytes [B0, 20, 01, 00, 00, 85, F6, ...]
.text ntkrnlpa.exe!KeRaiseUserException + 2C 820D75DF 115 Bytes [8B, 5D, 08, 89, 98, A4, 01, ...]
.text ntkrnlpa.exe!KeRaiseUserException + A0 820D7653 226 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!KeRaiseUserException + 183 820D7736 92 Bytes CALL 820D7D7C \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!KeRaiseUserException + 1E0 820D7793 6 Bytes [0F, 8B, C1, 83, E0, FB] {JNP 0xfffffffffbe083c7}
.text ...
.text ntkrnlpa.exe!KeSaveStateForHibernate + 4A 820D78E1 46 Bytes [DD, 40, C6, 00, 31, 40, C6, ...]
.text ntkrnlpa.exe!KeSaveStateForHibernate + 79 820D7910 90 Bytes [FF, 55, 8B, EC, 51, 8A, 45, ...]
.text ntkrnlpa.exe!KeSaveStateForHibernate + D4 820D796B 173 Bytes [F4, 13, 82, 75, 1B, 39, 3D, ...]
.text ntkrnlpa.exe!KeSaveStateForHibernate + 182 820D7A19 24 Bytes [89, 86, BC, 1A, 00, 00, 33, ...]
.text ntkrnlpa.exe!KeSaveStateForHibernate + 19B 820D7A32 11 Bytes [00, 00, C6, 86, C4, 05, 00, ...] {ADD [EAX], AL; MOV BYTE [ESI+0x5c4], 0x1; JZ 0x82}
.text ...
.text ntkrnlpa.exe!ZwGetWriteWatch + 5 820D8D31 16 Bytes [68, C8, D9, 05, 82, E8, AD, ...]
.text ntkrnlpa.exe!ZwGetWriteWatch + 16 820D8D42 4 Bytes [C7, 85, 04, FF]
.text ntkrnlpa.exe!ZwGetWriteWatch + 1B 820D8D47 21 Bytes [FF, 21, 00, 00, 00, 6A, FE, ...]
.text ntkrnlpa.exe!ZwGetWriteWatch + 31 820D8D5D 25 Bytes [00, 64, A1, 24, 01, 00, 00, ...]
.text ntkrnlpa.exe!ZwGetWriteWatch + 4B 820D8D77 47 Bytes [8B, 75, 10, 84, C0, 0F, 84, ...]
.text ...
.text ntkrnlpa.exe!ZwResetWriteWatch + E 820D94A5 77 Bytes CALL E69116BD
.text ntkrnlpa.exe!ZwResetWriteWatch + 5C 820D94F3 71 Bytes [00, 8B, 47, 48, 89, 7C, 24, ...]
.text ntkrnlpa.exe!ZwResetWriteWatch + A4 820D953B 36 Bytes [00, 83, 64, 24, 24, 00, 8D, ...]
.text ntkrnlpa.exe!ZwResetWriteWatch + C9 820D9560 56 Bytes [19, 8D, 84, 24, D8, 00, 00, ...]
.text ntkrnlpa.exe!ZwResetWriteWatch + 102 820D9599 10 Bytes [40, 23, D1, 23, D9, 2B, D0, ...]
.text ...
.text ntkrnlpa.exe!ObDereferenceObject + 2 820DE540 25 Bytes [55, 8B, EC, 8B, 4D, 08, E8, ...]
.text ntkrnlpa.exe!ObIsKernelHandle + 1 820DE55A 21 Bytes [FF, 55, 8B, EC, 8B, 4D, 08, ...]
.text ntkrnlpa.exe!ObIsKernelHandle + 17 820DE570 7 Bytes [74, 0A, 83, 7D, 08, FF, 74]
.text ntkrnlpa.exe!ObIsKernelHandle + 1F 820DE578 125 Bytes [B0, 01, EB, 02, 32, C0, 5D, ...]
.text ntkrnlpa.exe!ObIsKernelHandle + 9D 820DE5F6 28 Bytes CALL 8204D7E8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!ObIsKernelHandle + BB 820DE614 78 Bytes [00, 8D, 45, E0, 50, 6A, 54, ...]
.text ...
.text ntkrnlpa.exe!PoRegisterDeviceNotify + 21 820DF316 2 Bytes [8A, 00] {MOV AL, [EAX]}
.text ntkrnlpa.exe!PoRegisterDeviceNotify + 25 820DF31A 88 Bytes [39, 45, 18, 0F, 84, 81, 00, ...]
.text ntkrnlpa.exe!PoRegisterDeviceNotify + 7E 820DF373 37 Bytes [75, 17, 6A, 00, 56, 53, E8, ...]
.text ntkrnlpa.exe!PoRegisterDeviceNotify + A4 820DF399 22 Bytes CALL 820DF46F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!PoRegisterDeviceNotify + BB 820DF3B0 81 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!PoCancelDeviceNotify + 48 820DF402 1 Byte [71]
.text ntkrnlpa.exe!PoCancelDeviceNotify + 4B 820DF405 1 Byte [16]
.text ntkrnlpa.exe!PoCancelDeviceNotify + 4B 820DF405 3 Bytes [16, 89, 72]
.text ntkrnlpa.exe!PoCancelDeviceNotify + 4F 820DF409 6 Bytes [83, 48, 04, FF, 33, D2] {OR DWORD [EAX+0x4], -0x1; XOR EDX, EDX}
.text ntkrnlpa.exe!PoCancelDeviceNotify + 57 820DF411 4 Bytes [4E, 4F, 4E, 4F] {DEC ESI; DEC EDI; DEC ESI; DEC EDI}
.text ...
.text ntkrnlpa.exe!PoSetDeviceBusyEx + C7 820DFBD9 46 Bytes [74, 17, BA, 00, 01, 00, 00, ...]
.text ntkrnlpa.exe!PoSetDeviceBusyEx + F6 820DFC08 141 Bytes [81, C1, 18, 04, 00, 00, E8, ...]
.text ntkrnlpa.exe!PoSetDeviceBusyEx + 184 820DFC96 1 Byte [55]
.text ntkrnlpa.exe!PoSetDeviceBusyEx + 184 820DFC96 98 Bytes [55, 8B, EC, 83, E4, F8, 83, ...]
.text ntkrnlpa.exe!PoSetDeviceBusyEx + 1E7 820DFCF9 123 Bytes CALL F7900E51
.text ...
.text ntkrnlpa.exe!PsChargeProcessCpuCycles + 2 820E2AA1 1 Byte [55]
.text ntkrnlpa.exe!PsChargeProcessCpuCycles + 2 820E2AA1 68 Bytes [55, 8B, EC, 83, E4, F8, 8B, ...]
.text ntkrnlpa.exe!PsChargeProcessCpuCycles + 47 820E2AE6 12 Bytes [0F, B1, 13, 3B, C1, 74, 05, ...] {CMPXCHG [EBX], EDX; CMP EAX, ECX; JZ 0xc; CALL 0xfffffffffff4d1ff}
.text ntkrnlpa.exe!PsChargeProcessCpuCycles + 54 820E2AF3 1 Byte [07]
.text ntkrnlpa.exe!PsChargeProcessCpuCycles + 54 820E2AF3 12 Bytes [07, 8B, 57, 04, 8B, 4F, 08, ...] {POP ES; MOV EDX, [EDI+0x4]; MOV ECX, [EDI+0x8]; MOV ESI, [EDI+0xc]; MOV EBX, EAX}
.text ...
.text ntkrnlpa.exe!PsGetJobSessionId + C 820E2C3C 55 Bytes [00, 00, 5D, C2, 04, 00, CC, ...]
.text ntkrnlpa.exe!PsGetProcessExitStatus + B 820E2C74 84 Bytes [02, 00, 00, 5D, C2, 04, 00, ...]
.text ntkrnlpa.exe!PsGetProcessPriorityClass + E 820E2CC9 13 Bytes [5D, C2, 04, 00, 90, 90, 90, ...] {POP EBP; RET 0x4; NOP ; NOP ; NOP ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ntkrnlpa.exe!PsGetProcessPriorityClass + 1D 820E2CD8 260 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!PsSetProcessPriorityClass + 72 820E2DDD 20 Bytes [47, 48, 8B, B0, 1C, 01, 00, ...]
.text ntkrnlpa.exe!PsSetProcessPriorityClass + 87 820E2DF2 39 Bytes [1E, FF, 15, 60, 81, 00, 82, ...]
.text ntkrnlpa.exe!PsSetProcessPriorityClass + AF 820E2E1A 39 Bytes [00, EB, 04, 8B, 7C, 24, 14, ...]
.text ntkrnlpa.exe!PsSetProcessPriorityClass + D7 820E2E42 107 Bytes [00, 01, 00, 33, FB, 81, E7, ...]
.text ntkrnlpa.exe!PsSetProcessPriorityClass + 143 820E2EAE 4 Bytes [8B, 8F, 10, 02]
.text ...
.text ntkrnlpa.exe!RtlTimeToSecondsSince1980 + 10 820E392D 313 Bytes [FF, 35, 38, 88, 0A, 82, FF, ...]
.text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + F8 820E3A67 10 Bytes [00, C0, EB, 3C, 80, 7D, 08, ...]
.text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 103 820E3A72 27 Bytes [8C, 00, 00, 00, 8B, 75, 0C, ...]
.text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 11F 820E3A8E 11 Bytes [F7, D8, 1B, C0, 25, F3, FF, ...]
.text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 12B 820E3A9A 6 Bytes [00, C0, EB, 09, 8B, 45]
.text ntkrnlpa.exe!RtlTimeToSecondsSince1970 + 132 820E3AA1 32 Bytes [03, D7, 89, 10, 33, C0, 5E, ...]
.text ...
.text ntkrnlpa.exe!DbgPrompt + DF 820E3C8C 9 Bytes [0D, 64, E1, 0F, 82, 8D, 47, ...]
.text ntkrnlpa.exe!DbgPrompt + E9 820E3C96 200 Bytes [60, E1, 0F, 82, 89, 48, 04, ...]
.text ntkrnlpa.exe!DbgPrompt + 1B2 820E3D5F 68 Bytes [F0, 0F, C1, 08, 8D, 4F, 04, ...]
.text ntkrnlpa.exe!DbgPrompt + 1F7 820E3DA4 10 Bytes [75, 11, F6, 05, 90, EB, 13, ...]
.text ntkrnlpa.exe!DbgPrompt + 202 820E3DAF 69 Bytes CALL 820CD6FE \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!RtlSizeHeap + 2 820E3F69 149 Bytes [55, 8B, EC, 8B, 4D, 10, 53, ...]
.text ntkrnlpa.exe!RtlSizeHeap + 98 820E3FFF 39 Bytes [33, C8, EB, 3B, F6, C1, 40, ...]
.text ntkrnlpa.exe!RtlSizeHeap + C0 820E4027 72 Bytes [85, 4E, 4C, 74, 03, 33, 4E, ...]
.text ntkrnlpa.exe!RtlSizeHeap + 109 820E4070 187 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!RtlSizeHeap + 1C5 820E412C 6 Bytes CALL 820B4E28 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ...
.text ntkrnlpa.exe!RtlTestBit + 23 820E434E 24 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ntkrnlpa.exe!RtlTestBit + 3D 820E4368 112 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text ntkrnlpa.exe!RtlFindLongestRunClear + E 820E43D9 103 Bytes CALL 8201EDA8 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!RtlFindLongestRunClear + 76 820E4441 6 Bytes [EC, 8B, 52, 04, 56, 57] {IN AL, DX ; MOV EDX, [EDX+0x4]; PUSH ESI; PUSH EDI}
.text ntkrnlpa.exe!RtlFindLongestRunClear + 7D 820E4448 38 Bytes [7D, 08, 8B, CF, C1, E9, 05, ...]
.text ntkrnlpa.exe!RtlFindLongestRunClear + A4 820E446F 245 Bytes [C8, D3, E2, 8B, CF, 4A, D3, ...]
.text ntkrnlpa.exe!RtlAssert + 74 820E4565 78 Bytes [FF, 50, 68, 30, 71, 05, 82, ...]
.text ntkrnlpa.exe!RtlAssert + C3 820E45B4 196 Bytes [FF, FF, 8D, 85, 30, FD, FF, ...]
.text ntkrnlpa.exe!RtlFindClosestEncodableLength + 2F 820E4679 59 Bytes [00, 3B, D7, 77, 31, BB, 00, ...]
.text ntkrnlpa.exe!RtlFindClosestEncodableLength + 6B 820E46B5 5 Bytes [D3, 77, 31, BF, 00]
.text ntkrnlpa.exe!RtlFindClosestEncodableLength + 71 820E46BB 109 Bytes [FF, FF, 72, 04, 3B, F7, 77, ...]
.text ntkrnlpa.exe!RtlFindClosestEncodableLength + DF 820E4729 54 Bytes [00, C0, 5F, 5B, 5E, 5D, C2, ...]
.text ntkrnlpa.exe!RtlFindClosestEncodableLength + 117 820E4761 229 Bytes [00, 5E, C3, CC, CC, CC, CC, ...]
.text ...
.text ntkrnlpa.exe!RtlSubtreeSuccessor + 14 820E488E 45 Bytes [C1, 8B, 48, 04, 85, C9, 74, ...]
.text ntkrnlpa.exe!RtlRealPredecessor + 9 820E48BC 12 Bytes [41, 04, 85, C0, 75, 06, EB, ...]
.text ntkrnlpa.exe!RtlRealPredecessor + 16 820E48C9 19 Bytes [48, 08, 85, C9, 74, 1C, EB, ...] {DEC EAX; OR [EBP-0x14e38b37], AL; CMC ; JMP 0x22; MOV ECX, EAX; MOV EAX, [ECX]; CMP [EAX+0x4], ECX; JZ 0xa}
.text ntkrnlpa.exe!RtlRealPredecessor + 2A 820E48DD 119 Bytes [D0, 8B, 42, 08, 2B, C1, F7, ...]
.text ntkrnlpa.exe!RtlEnumerateGenericTable + 2C 820E4955 74 Bytes [89, 07, 8B, C6, 83, C6, 18, ...]
.text ntkrnlpa.exe!RtlGetElementGenericTable + 2 820E49A0 97 Bytes [55, 8B, EC, 8B, 4D, 08, 8B, ...]
.text ntkrnlpa.exe!RtlGetElementGenericTable + 64 820E4A02 58 Bytes [74, 16, 4F, 8B, 00, 74, 11, ...]
.text ntkrnlpa.exe!RtlNumberGenericTableElements + 4 820E4A3D 21 Bytes [EC, 8B, 45, 08, 8B, 40, 14, ...]
.text ntkrnlpa.exe!RtlEnumerateGenericTableWithoutSplaying + 1 820E4A53 164 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 7 820E4AF8 1 Byte [5D]
.text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 7 820E4AF8 74 Bytes [5D, 0C, 83, FB, FF, 56, 8B, ...]
.text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 52 820E4B43 9 Bytes JMP 1472DA3B
.text ntkrnlpa.exe!RtlGetElementGenericTableAvl + 5C 820E4B4D 95 Bytes [D1, 74, 6A, 8B, C8, E8, FF, ...]
.text ntkrnlpa.exe!RtlGetElementGenericTableAvl + BC 820E4BAD 23 Bytes [D2, 74, 0A, 8B, C8, E8, 9F, ...]
.text ...
.text ntkrnlpa.exe!RtlIsNtDdiVersionAvailable + 27 820E4C3E 113 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 68 820E4CB0 31 Bytes [00, C0, EB, 34, B8, 05, 00, ...]
.text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 88 820E4CD0 3 Bytes [00, 85, C0]
.text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 8C 820E4CD4 44 Bytes [4D, 08, 8D, 0C, 4E, 7D, 07, ...]
.text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + B9 820E4D01 93 Bytes [8B, 5D, 0C, 56, 8B, F0, 57, ...]
.text ntkrnlpa.exe!RtlIsServicePackVersionInstalled + 117 820E4D5F 82 Bytes [B7, C2, 05, 00, 28, 00, 00, ...]
.text ...
.text ntkrnlpa.exe!RtlIpv6AddressToStringExA + C8 820E4F81 54 Bytes [C0, 8B, 4D, FC, 5F, 5E, 33, ...]
.text ntkrnlpa.exe!RtlIpv4AddressToStringA + 19 820E4FB8 34 Bytes [51, 50, 68, 90, 72, 05, 82, ...]
.text ntkrnlpa.exe!RtlIpv4AddressToStringA + 3F 820E4FDE 85 Bytes [90, 8B, FF, 55, 8B, EC, 83, ...]
.text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 55 820E5034 24 Bytes CALL 8201BC0F \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!RtlIpv4AddressToStringExA + 6E 820E504D 319 Bytes [3E, B8, 0D, 00, 00, C0, 8B, ...]
.text ntkrnlpa.exe!RtlIpv4AddressToStringW + 1 820E518D 120 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text ntkrnlpa.exe!RtlIpv4AddressToStringExW + 39 820E5206 38 Bytes [83, 7D, 0C, 00, 8B, F0, 74, ...]
.text ntkrnlpa.exe!RtlIpv4AddressToStringExW + 60 820E522D 45 Bytes [83, C4, 10, 8D, 34, 46, 8D, ...]
.text ntkrnlpa.exe!RtlIpv4AddressToStringExW + 8E 820E525B 117 Bytes [8D, 45, D0, 50, 53, E8, BB, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressA + 59 820E52D1 144 Bytes [00, 85, C0, 59, 74, 13, 57, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressA + EA 820E5362 17 Bytes [45, FC, 83, 65, F4, 00, E9, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressA + FE 820E5376 48 Bytes [80, 7D, 0B, 00, 0F, 85, 36, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressA + 12F 820E53A7 23 Bytes [39, 55, FC, 0F, 87, 06, 01, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressA + 147 820E53BF 55 Bytes [75, 10, FF, 45, F0, 6A, 02, ...]
.text ...
.text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 84 820E561E 10 Bytes [85, C0, 59, 74, E1, 53, E8, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 8F 820E5629 38 Bytes [85, C0, 59, 74, D6, 8B, 45, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExA + B6 820E5650 87 Bytes [77, B2, 8B, 45, F8, 6B, C0, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 10F 820E56A9 20 Bytes [00, C7, 45, 0C, 10, 00, 00, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExA + 124 820E56BE 77 Bytes [00, 85, C0, 59, 74, 49, 56, ...]
.text ...
.text ntkrnlpa.exe!RtlIpv4StringToAddressA + 1D 820E5800 61 Bytes [C7, 45, FC, 0A, 00, 00, 00, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressA + 5B 820E583E 32 Bytes [08, C7, 45, FC, 10, 00, 00, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressA + 7C 820E585F 55 Bytes [00, 00, 0F, BE, F8, 57, E8, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressA + B4 820E5897 3 Bytes CALL 820F0205 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!RtlIpv4StringToAddressA + B8 820E589B 148 Bytes [85, C0, 59, 74, 4B, 57, E8, ...]
.text ...
.text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 1C 820E5A1F 7 Bytes [39, 75, 14, 0F, 84, 4F, 01]
.text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 24 820E5A27 38 Bytes [00, FF, 75, 10, 8D, 45, 10, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 4B 820E5A4E 8 Bytes [00, 47, 80, 3F, 30, C6, 45, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 54 820E5A57 23 Bytes [89, 75, 08, C7, 45, 0C, 0A, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressExA + 6C 820E5A6F 18 Bytes [74, 04, 3C, 58, 75, 08, C7, ...] {JZ 0x6; CMP AL, 0x58; JNZ 0xe; MOV DWORD [EBP+0xc], 0x10; INC EDI; MOV AL, [EDI]; TEST AL, AL}
.text ...
.text ntkrnlpa.exe!RtlIpv6StringToAddressW + 34 820E5BDA 46 Bytes [48, 74, 0F, 48, 0F, 84, 0E, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressW + 63 820E5C09 28 Bytes [68, 80, 00, 00, 00, 56, E8, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressW + 80 820E5C26 2 Bytes [00, C6] {ADD DH, AL}
.text ntkrnlpa.exe!RtlIpv6StringToAddressW + 83 820E5C29 7 Bytes JMP 820E5DB4 \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
.text ntkrnlpa.exe!RtlIpv6StringToAddressW + 8C 820E5C32 115 Bytes [FE, 3A, 75, 52, 33, D2, 39, ...]
.text ...
.text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 1 820E5EA6 29 Bytes [FF, 55, 8B, EC, 51, 51, 8B, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 1F 820E5EC4 40 Bytes [00, 39, 5D, 10, 0F, 84, 28, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 48 820E5EED 29 Bytes [75, 0C, 8D, 4D, 0C, 51, 50, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 66 820E5F0B 160 Bytes [00, 00, 00, 47, 47, 0F, B7, ...]
.text ntkrnlpa.exe!RtlIpv6StringToAddressExW + 107 820E5FAC 42 Bytes [0F, 84, 44, 01, 00, 00, 6A, ...]
.text ...
.text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 40 820E6153 29 Bytes [5D, 10, 0F, B7, 03, 66, 83, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 5F 820E6172 5 Bytes [00, 75, 21, 43, 43] {ADD [EBP+0x21], DH; INC EBX; INC EBX}
.text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 65 820E6178 27 Bytes [B7, 03, 66, 83, F8, 78, C7, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 82 820E6195 218 Bytes [43, 0F, B7, 03, 66, 3B, C7, ...]
.text ntkrnlpa.exe!RtlIpv4StringToAddressExW + 15D 820E6270 25 Bytes [C0, 5F, 5E, 5B, 5D, C2, 10, ...]
.text ...
.text ntkrnlpa.exe!RtlLargeIntegerDivide + 28 820E69DB 5 Bytes [45, 08, 8B, 55, 0C]
.text ntkrnlpa.exe!RtlLargeIntegerDivide + 2E 820E69E1 31 Bytes [8B, D9, C1, EB, 1F, 03, F6, ...]
? System32\Drivers\sphg.sys Das System kann den angegebenen Pfad nicht finden. !
PAGE ataport.SYS!DllUnload 82683B2E 5 Bytes JMP 84B971D8
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E605000, 0x20BE32, 0xE8000020]
.text USBPORT.SYS!DllUnload 8EBE241B 5 Bytes JMP 867981D8
.text abwatj55.SYS 8E2D8000 22 Bytes [82, 73, 3C, 82, 6C, 72, 3C, ...]
.text abwatj55.SYS 8E2D8017 135 Bytes [00, 32, 37, 79, 80, 3D, 35, ...]
.text abwatj55.SYS 8E2D809F 45 Bytes [82, 20, 00, 0B, 82, 64, F6, ...]
.text abwatj55.SYS 8E2D80CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text abwatj55.SYS 8E2D80DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806976D6] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80697042] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80697800] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806970C0] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069713E] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A6B90] \SystemRoot\System32\Drivers\sphg.sys
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortWritePortUchar] 838E2FEF
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\Daemon Tools\Engine.dll (Helper library/DT Soft Ltd)
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F8E2FC0
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\abwatj55.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8552C1F8
Device \FileSystem\fastfat \FatCdrom 9A2431F8
Device \Driver\volmgr \Device\VolMgrControl 855281F8
Device \Driver\netbt \Device\NetBT_Tcpip_{90D9B5B7-886D-48AE-BE89-09837EA98B64} 87258500
Device \Driver\usbuhci \Device\USBPDO-0 8681C1F8
Device \Driver\usbuhci \Device\USBPDO-1 8681C1F8
Device \Driver\usbuhci \Device\USBPDO-2 8681C1F8
Device \Driver\usbehci \Device\USBPDO-3 868291F8
Device \Driver\usbuhci \Device\USBPDO-4 8681C1F8
Device \Driver\sptd \Device\4045423479 sphg.sys
Device \Driver\usbuhci \Device\USBPDO-5 8681C1F8
Device \Driver\usbuhci \Device\USBPDO-6 8681C1F8
Device \Driver\PCI_PNP5466 \Device\00000057 sphg.sys
Device \Driver\volmgr \Device\HarddiskVolume1 855281F8
Device \Driver\usbehci \Device\USBPDO-7 868291F8
Device \Driver\volmgr \Device\HarddiskVolume2 855281F8
Device \Driver\cdrom \Device\CdRom0 868C31F8
Device \Driver\volmgr \Device\HarddiskVolume3 855281F8
Device \Driver\cdrom \Device\CdRom1 868C31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8552A1F8
Device \Driver\atapi \Device\Ide\IdePort0 8552A1F8
Device \Driver\atapi \Device\Ide\IdePort1 8552A1F8
Device \Driver\atapi \Device\Ide\IdePort2 8552A1F8
Device \Driver\atapi \Device\Ide\IdePort3 8552A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 8552A1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 8552B1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 8552B1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 8552B1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 8552B1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{74CD83F9-ED35-43AC-9693-B650142B3A08} 87258500
Device \Driver\netbt \Device\NetBt_Wins_Export 87258500
Device \Driver\Smb \Device\NetbiosSmb 8724C500
Device \Driver\iScsiPrt \Device\RaidPort0 869601F8
Device \Driver\usbuhci \Device\USBFDO-0 8681C1F8
Device \Driver\usbuhci \Device\USBFDO-1 8681C1F8
Device \Driver\usbuhci \Device\USBFDO-2 8681C1F8
Device \Driver\usbehci \Device\USBFDO-3 868291F8
Device \Driver\usbuhci \Device\USBFDO-4 8681C1F8
Device \Driver\usbuhci \Device\USBFDO-5 8681C1F8
Device \Driver\usbuhci \Device\USBFDO-6 8681C1F8
Device \Driver\usbehci \Device\USBFDO-7 868291F8
Device \Driver\abwatj55 \Device\Scsi\abwatj551Port5Path0Target0Lun0 8692B1F8
Device \Driver\abwatj55 \Device\Scsi\abwatj551 8692B1F8
Device \FileSystem\fastfat \Fat 9A2431F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 9935B1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\00242bfad7a5
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\Daemon Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCE 0xD9 0x67 0x22 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x6D 0x34 0xAA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xF5 0xB7 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCE 0x48 0x84 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xCE 0x48 0x84 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\00242bfad7a5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\Daemon Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCE 0xD9 0x67 0x22 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x6D 0x34 0xAA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x70 0xF5 0xB7 0x5F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCE 0x48 0x84 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xCE 0x48 0x84 0x7F ...

---- EOF - GMER 1.0.15 ----
Seitenanfang Seitenende
08.04.2010, 13:23
Member

Beiträge: 3716
#4 1. downloade:
http://www.duplexsecure.com/download/SPTDinst-v162-x86.exe
klicke uninstall, starte den pc neu.
2. deinstaliere falls vorhanden:
Daemon Tools and Daemon Tools Lite
Alcohol 120% and 52%
AstroBurn
das kann sonst behindern. starte neu.
dann weiter mit combofix, log posten.
Seitenanfang Seitenende
08.04.2010, 13:26
Member

Beiträge: 3716
#5 hast du noch das bild, das angebliche?
Seitenanfang Seitenende
08.04.2010, 14:09
Member

Themenstarter

Beiträge: 28
#6 das bild habe ich nicht mehr, weil ich es ja nur geöffnet hatte, nicht gespeichert.

das log file von combofix habe ich angefügt.

Anhang: Log.txt
Seitenanfang Seitenende
08.04.2010, 14:20
Member

Beiträge: 3716
#7 nutzt du solch einen server?
http://www.ip-adress.com/whois/216.218.211.57
bitte deinstaliere mal spybot, das kann stören. hast du die oben genannten schritte alle ausgeführt, was die instalationen betrifft?
Seitenanfang Seitenende
08.04.2010, 14:26
Member

Themenstarter

Beiträge: 28
#8 okay. spybot habe ich deinstalliert. daemon tools, alcohol und astroburn habe ich auf meinem pc nicht gefunden. SPTD habe vorhin ich runtergeladen, ausgeführt und pc neugestartet (wenn ich SPTD neu ausführe würde er es wieder installieren.)

soll ich nun combfix nochmals aktivieren?
Seitenanfang Seitenende
08.04.2010, 14:28
Member

Beiträge: 3716
#9 erst sag mir ob du in amerika wohnst oder einen server dort nutzt
http://www.ip-adress.com/whois/216.218.211.57
Seitenanfang Seitenende
08.04.2010, 14:32
Member

Themenstarter

Beiträge: 28
#10 nein, ich wohne in deutschland, das war ein proxi, hatte ich bei chrome drinne.. hab ich rausgemacht. (ist es hilfreich für die ipadress-anfrage, dass ich dir meine ip zusende?)
Dieser Beitrag wurde am 08.04.2010 um 14:40 Uhr von surfer30 editiert.
Seitenanfang Seitenende
08.04.2010, 14:39
Member

Beiträge: 3716
#11 radix:
http://www.chip.de/downloads/Radix-Antirootkit_33955330.html
bitte downloade das programm. schalte alles wie avira guard, sonstige laufende software ab. öffne das programm, hake auf 1-klick wartung alles an, trenne die internetverbindung, in dem du das wlan ausschaltest, bzw das lankabel ziehst, starte den scan, evtl. meldungen mit yes bestätigen, aufschreiben und dann hier posten,
hänge das log als datei an, ist groß.
Seitenanfang Seitenende
08.04.2010, 15:07
Member

Themenstarter

Beiträge: 28
#12 okay. habe radix durchgeführt. das log ist angehängt! Vielen Dank!
("Fix Selected" habe ich noch nicht gedrückt.)

Seitenanfang Seitenende
08.04.2010, 15:09
Member

Beiträge: 3716
#13 misst, kleiner fehler die radix.exe rechtsklicken, als admin ausführen, das ganze noch mal
Seitenanfang Seitenende
08.04.2010, 15:13
Member

Themenstarter

Beiträge: 28
#14 oh.. okay.. sorry.. daran hätte ich auch denken sollen... noch eine frage: radix fragte mich etwas bezüglich "kernel", und ob dieser auchdurchgeführt werden soll... habe nein angeklickt, weil die änderungen erst bei einem neustart eingetreten wären. Soll ich das vor dem erneuten check gleich auch noch aktivieren?
Seitenanfang Seitenende
08.04.2010, 15:30
Member

Beiträge: 3716
#15 bitte ja :-)
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren: