Author Topic: Problem - Please Help (Read 72089 times)

SCHC · « **Reply #45 on:** March 14, 2010, 04:44:10 PM »

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeGE\CLSID

[REG_SZ] (Standard)
{1AEDB68D-18A7-4CA9-B41B-3CE7E59FAB24}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeGE\CurVer

[REG_SZ] (Standard)
GoogleEarth.TimeGE.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeGE.1

[REG_SZ] (Standard)
TimeGE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeGE.1\CLSID

[REG_SZ] (Standard)
{1AEDB68D-18A7-4CA9-B41B-3CE7E59FAB24}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeIntervalGE

[REG_SZ] (Standard)
TimeIntervalGE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeIntervalGE\CLSID

[REG_SZ] (Standard)
{42DF0D46-7D49-4AE5-8EF6-9CA6E41EFEC1}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeIntervalGE\CurVer

[REG_SZ] (Standard)
GoogleEarth.TimeIntervalGE.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeIntervalGE.1

[REG_SZ] (Standard)
TimeIntervalGE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TimeIntervalGE.1\CLSID

[REG_SZ] (Standard)
{42DF0D46-7D49-4AE5-8EF6-9CA6E41EFEC1}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TourControllerGE

[REG_SZ] (Standard)
TourControllerGE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TourControllerGE\CLSID

[REG_SZ] (Standard)
{77C4C807-E257-43AD-BB3F-7CA88760BD29}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TourControllerGE\CurVer

[REG_SZ] (Standard)
GoogleEarth.TourControllerGE.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TourControllerGE.1

[REG_SZ] (Standard)
TourControllerGE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.TourControllerGE.1\CLSID

[REG_SZ] (Standard)
{77C4C807-E257-43AD-BB3F-7CA88760BD29}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.ViewExtentsGE

[REG_SZ] (Standard)
ViewExtentsGE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.ViewExtentsGE\CLSID

[REG_SZ] (Standard)
{D93BF052-FC68-4DB6-A4F8-A4DC9BEEB1C0}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.ViewExtentsGE\CurVer

[REG_SZ] (Standard)
GoogleEarth.ViewExtentsGE.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.ViewExtentsGE.1

[REG_SZ] (Standard)
ViewExtentsGE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\GoogleEarth.ViewExtentsGE.1\CLSID

[REG_SZ] (Standard)
{D93BF052-FC68-4DB6-A4F8-A4DC9BEEB1C0}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\http

[REG_SZ] (Standard)
   URL:HyperText Transfer Protocol
[.] Found hidden value:
   [REG_DWORD] EditFlags
   00000002
[.] Found hidden value:
   [REG_SZ] FriendlyTypeName
   @ieframe.dll,-903
[.] Found hidden value:
   [REG_SZ] URL Protocol
   00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\http\DefaultIcon

[REG_SZ] (Standard)
C:\Program Files\Mozilla Firefox\firefox.exe,1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\http\shell

[REG_SZ] (Standard)
open

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\http\shell\open
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\http\shell\open\ddeexec

[REG_SZ] (Standard)
   "%1",,0,0,,,,
[.] Found hidden value:
   [REG_SZ] NoActivateHandler
   00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\http\shell\open\ddeexec\Application
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\http\shell\open\ddeexec\Topic

[REG_SZ] (Standard)
WWW_OpenURL

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https

[REG_SZ] (Standard)
   URL:HyperText Transfer Protocol with Privacy
[.] Found hidden value:
   [REG_DWORD] EditFlags
   00000002
[.] Found hidden value:
   [REG_SZ] FriendlyTypeName
   @ieframe.dll,-904
[.] Found hidden value:
   [REG_SZ] URL Protocol
   00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https\DefaultIcon

[REG_SZ] (Standard)
C:\Program Files\Mozilla Firefox\firefox.exe,1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https\shell

[REG_SZ] (Standard)
open

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https\shell\open
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https\shell\open\command

[REG_SZ] (Standard)
"C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https\shell\open\ddeexec

[REG_SZ] (Standard)
   "%1",,0,0,,,,
[.] Found hidden value:
   [REG_SZ] NoActivateHandler
   00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https\shell\open\ddeexec\Application

[REG_SZ] (Standard)
Firefox

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\https\shell\open\ddeexec\Topic

[REG_SZ] (Standard)
WWW_OpenURL

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface

[REG_SZ] (Standard)
00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{07F46615-1857-40CF-9AA9-872C9858E769}

[REG_SZ] (Standard)
IKHFeature

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{07F46615-1857-40CF-9AA9-872C9858E769}\NumMethods

[REG_SZ] (Standard)
10

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{07F46615-1857-40CF-9AA9-872C9858E769}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{08D46BCD-AF56-4175-999E-6DDC3771C64E}

[REG_SZ] (Standard)
ICameraInfoGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{08D46BCD-AF56-4175-999E-6DDC3771C64E}\NumMethods

[REG_SZ] (Standard)
21

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{08D46BCD-AF56-4175-999E-6DDC3771C64E}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{2830837B-D4E8-48C6-B6EE-04633372ABE4}

[REG_SZ] (Standard)
IApplicationGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{2830837B-D4E8-48C6-B6EE-04633372ABE4}\NumMethods

[REG_SZ] (Standard)
42

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{2830837B-D4E8-48C6-B6EE-04633372ABE4}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{45F89E39-7A46-4CA4-97E3-8C5AA252531C}

[REG_SZ] (Standard)
IKHViewInfo

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{45F89E39-7A46-4CA4-97E3-8C5AA252531C}\NumMethods

[REG_SZ] (Standard)
17

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{45F89E39-7A46-4CA4-97E3-8C5AA252531C}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{524E5B0F-D593-45A6-9F87-1BAE7D338373}

[REG_SZ] (Standard)
ISearchControllerGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{524E5B0F-D593-45A6-9F87-1BAE7D338373}\NumMethods

[REG_SZ] (Standard)
11

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{524E5B0F-D593-45A6-9F87-1BAE7D338373}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{80A43F86-E2CD-4671-A7FA-E5627B519711}

[REG_SZ] (Standard)
IKHInterface

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{80A43F86-E2CD-4671-A7FA-E5627B519711}\NumMethods

[REG_SZ] (Standard)
24

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{80A43F86-E2CD-4671-A7FA-E5627B519711}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{851D25E7-785F-4DB7-95F9-A0EF7E836C44}

[REG_SZ] (Standard)
IFeatureCollectionGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{851D25E7-785F-4DB7-95F9-A0EF7E836C44}\NumMethods

[REG_SZ] (Standard)
10

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{851D25E7-785F-4DB7-95F9-A0EF7E836C44}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{865AB2C1-38C5-492B-8B71-AC73F5A7A43D}

[REG_SZ] (Standard)
IViewExtentsGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{865AB2C1-38C5-492B-8B71-AC73F5A7A43D}\NumMethods

[REG_SZ] (Standard)
11

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{865AB2C1-38C5-492B-8B71-AC73F5A7A43D}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{92547B06-0007-4820-B76A-C84E402CA709}

[REG_SZ] (Standard)
IFeatureGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{92547B06-0007-4820-B76A-C84E402CA709}\NumMethods

[REG_SZ] (Standard)
16

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{92547B06-0007-4820-B76A-C84E402CA709}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{969eb9de-7bda-46f9-94ce-bcf4e6558079}

[REG_SZ] (Standard)
IQSP2IECtl

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{969eb9de-7bda-46f9-94ce-bcf4e6558079}\ProxyStubClsid

[REG_SZ] (Standard)
{00020424-0000-0000-C000-000000000046}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{969eb9de-7bda-46f9-94ce-bcf4e6558079}\ProxyStubClsid32

[REG_SZ] (Standard)
{00020424-0000-0000-C000-000000000046}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{969eb9de-7bda-46f9-94ce-bcf4e6558079}\TypeLib

[REG_SZ] (Standard)
   {1BF6EFF2-F87D-4F1A-9F11-3ED2CABE7F3C}
[.] Found hidden value:
   [REG_SZ] Version
   1.0

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{BE5E5F15-8EC4-4DCC-B48D-9957D2DE4D05}

[REG_SZ] (Standard)
IAnimationControllerGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{BE5E5F15-8EC4-4DCC-B48D-9957D2DE4D05}\NumMethods

[REG_SZ] (Standard)
12

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{BE5E5F15-8EC4-4DCC-B48D-9957D2DE4D05}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D05D6E91-72DA-4654-B8A7-BCBD3B87E3B6}

[REG_SZ] (Standard)
IKHViewExtents

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D05D6E91-72DA-4654-B8A7-BCBD3B87E3B6}\NumMethods

[REG_SZ] (Standard)
11

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D05D6E91-72DA-4654-B8A7-BCBD3B87E3B6}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D08577E0-365E-4216-B1A4-19353EAC1602}

[REG_SZ] (Standard)
ITourControllerGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D08577E0-365E-4216-B1A4-19353EAC1602}\NumMethods

[REG_SZ] (Standard)
15

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D08577E0-365E-4216-B1A4-19353EAC1602}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D794FE36-10B1-4E7E-959D-9638794D2A1B}

[REG_SZ] (Standard)
ITimeIntervalGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D794FE36-10B1-4E7E-959D-9638794D2A1B}\NumMethods

[REG_SZ] (Standard)
00000039

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{D794FE36-10B1-4E7E-959D-9638794D2A1B}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{e2fa5b10-540a-4a0b-afd1-55aee24a49cb}

[REG_SZ] (Standard)
IQSP2IECtlEvents

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{e2fa5b10-540a-4a0b-afd1-55aee24a49cb}\ProxyStubClsid

[REG_SZ] (Standard)
{00020420-0000-0000-C000-000000000046}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{e2fa5b10-540a-4a0b-afd1-55aee24a49cb}\ProxyStubClsid32

[REG_SZ] (Standard)
{00020420-0000-0000-C000-000000000046}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{e2fa5b10-540a-4a0b-afd1-55aee24a49cb}\TypeLib

[REG_SZ] (Standard)
   {1BF6EFF2-F87D-4F1A-9F11-3ED2CABE7F3C}
[.] Found hidden value:
   [REG_SZ] Version
   1.0

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{E39391AE-51C0-4FBD-9042-F9C5B6094445}

[REG_SZ] (Standard)
ITimeGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{E39391AE-51C0-4FBD-9042-F9C5B6094445}\NumMethods

[REG_SZ] (Standard)
25

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{E39391AE-51C0-4FBD-9042-F9C5B6094445}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{F4F7B301-7C59-4851-BA97-C51F110B590F}

[REG_SZ] (Standard)
IPointOnTerrainGE

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{F4F7B301-7C59-4851-BA97-C51F110B590F}\NumMethods

[REG_SZ] (Standard)
12

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Interface\{F4F7B301-7C59-4851-BA97-C51F110B590F}\ProxyStubClsid32

[REG_SZ] (Standard)
{F4F7B301-7C59-4851-BA97-C51F110B590F}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\JavaPlugin.160_18
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\JavaPlugin.160_18\CLSID

[REG_SZ] (Standard)
{5852F5ED-8BF4-11D4-A245-0080C6F74284}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHFeature

[REG_SZ] (Standard)
KHFeature Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHFeature\CLSID

[REG_SZ] (Standard)
{B153D707-447A-4538-913E-6146B3FDEE02}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHFeature.1

[REG_SZ] (Standard)
KHFeature Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHFeature.1\CLSID

[REG_SZ] (Standard)
{B153D707-447A-4538-913E-6146B3FDEE02}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHInterface

[REG_SZ] (Standard)
KHInterface Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHInterface\CLSID

[REG_SZ] (Standard)
{AFD07A5E-3E20-4D77-825C-2F6D1A50BE5B}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHInterface\CurVer

[REG_SZ] (Standard)
Keyhole.KHInterface.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHInterface.1

[REG_SZ] (Standard)
KHInterface Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHInterface.1\CLSID

[REG_SZ] (Standard)
{AFD07A5E-3E20-4D77-825C-2F6D1A50BE5B}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewExtents

[REG_SZ] (Standard)
KHViewExtents Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewExtents\CLSID

[REG_SZ] (Standard)
{63E6BE14-A742-4EEA-8AF3-0EC39F10F850}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewExtents.1

[REG_SZ] (Standard)
KHViewExtents Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewExtents.1\CLSID

[REG_SZ] (Standard)
{63E6BE14-A742-4EEA-8AF3-0EC39F10F850}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewInfo

[REG_SZ] (Standard)
KHViewInfo Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewInfo\CLSID

[REG_SZ] (Standard)
{A2D4475B-C9AA-48E2-A029-1DB829DACF7B}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewInfo\CurVer

[REG_SZ] (Standard)
Keyhole.KHViewInfo.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewInfo.1

[REG_SZ] (Standard)
KHViewInfo Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Keyhole.KHViewInfo.1\CLSID

[REG_SZ] (Standard)
{A2D4475B-C9AA-48E2-A029-1DB829DACF7B}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\MIME
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\MIME\Database
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\MIME\Database\Content Type
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\MIME\Database\Content Type\application/vnd.google-earth.kml+xml

[REG_SZ] CLSID
   {407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
[.] Found hidden value:
   [REG_SZ] Extension
   .kml

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\MIME\Database\Content Type\application/vnd.google-earth.kmz

[REG_SZ] CLSID
   {407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
[.] Found hidden value:
   [REG_SZ] Extension
   .kmz

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Network
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE.QSP2IE

[REG_SZ] (Standard)
Quantum Streaming IE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE.QSP2IE\CLSID

[REG_SZ] (Standard)
{fc345d4c-b8f4-4674-bff7-3c37d2e535ee}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE.QSP2IE\CurVer

[REG_SZ] (Standard)
QSP2IE.QSP2IE.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE.QSP2IE.1

[REG_SZ] (Standard)
Quantum Streaming IE Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE.QSP2IE.1\CLSID

[REG_SZ] (Standard)
{fc345d4c-b8f4-4674-bff7-3c37d2e535ee}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE_Dep.QSP2IE_Dep

[REG_SZ] (Standard)
Quantum Streaming IE Class - Depricated

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE_Dep.QSP2IE_Dep\CLSID

[REG_SZ] (Standard)
{e3e02f12-2adb-478c-8742-5f0819f9f0f4}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE_Dep.QSP2IE_Dep\CurVer

[REG_SZ] (Standard)
QSP2IE_Dep.QSP2IE_Dep.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE_Dep.QSP2IE_Dep.1

[REG_SZ] (Standard)
Quantum Streaming IE Class - Depricated

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IE_Dep.QSP2IE_Dep.1\CLSID

[REG_SZ] (Standard)
{e3e02f12-2adb-478c-8742-5f0819f9f0f4}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer.QSP2IEVer

[REG_SZ] (Standard)
Quantum Streaming IE VersionManager Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer.QSP2IEVer\CLSID

[REG_SZ] (Standard)
{fd6484ed-ebe3-4c3d-938a-8238003b41b7}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer.QSP2IEVer\CurVer

[REG_SZ] (Standard)
QSP2IEVer.QSP2IEVer.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer.QSP2IEVer.1

[REG_SZ] (Standard)
Quantum Streaming IE VersionManager Class

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer.QSP2IEVer.1\CLSID

[REG_SZ] (Standard)
{fd6484ed-ebe3-4c3d-938a-8238003b41b7}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer_Dep.QSP2IEVer_Dep

[REG_SZ] (Standard)
Quantum Streaming IE VersionManager Class - Depricated

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer_Dep.QSP2IEVer_Dep\CLSID

[REG_SZ] (Standard)
{e473a65c-8087-49a3-affd-c5bc4a10669b}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer_Dep.QSP2IEVer_Dep\CurVer

[REG_SZ] (Standard)
QSP2IEVer_Dep.QSP2IEVer_Dep.1

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer_Dep.QSP2IEVer_Dep.1

[REG_SZ] (Standard)
Quantum Streaming IE VersionManager Class - Depricated

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\QSP2IEVer_Dep.QSP2IEVer_Dep.1\CLSID

[REG_SZ] (Standard)
{e473a65c-8087-49a3-affd-c5bc4a10669b}

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software\Microsoft
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software\Microsoft\MediaPlayer
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software\Microsoft\MediaPlayer\Preferences

[REG_DWORD] AcceptedPrivacyStatement
00000001

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software\Microsoft\Windows NT
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software\Microsoft\Windows NT\CurrentVersion
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software\Microsoft\Windows NT\CurrentVersion\Network
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib

SCHC · « **Reply #46 on:** March 14, 2010, 04:45:41 PM »

[.] Found hidden value:
[REG_SZ] (Standard)
00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0

[REG_SZ] (Standard)
QSP2IECtl 1.0 Type Library

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0\0
Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0\0\win32

[REG_SZ] (Standard)
C:\Documents and Settings\Me\Application Data\Move Networks\plugins\npqmp071503000010.dll

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0\FLAGS

[REG_SZ] (Standard)
00000030

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}

[REG_SZ] (Standard)
00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}\1.0

[REG_SZ] (Standard)
Google Earth 1.0 Type Library

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}\1.0\0

[REG_SZ] (Standard)
00000000

Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}\1.0\0\win32

[REG_SZ] (Standard)
C:\Program Files\Google\Google Earth\googleearth.exe
DONE.
-------------------------------------------------------------------------------

--------------------[HKEY_USERS\S-1-5-18 ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured
that the app doesn't hang while dumping!
Dumping...OK.
Scanning...[-] Unable to open key: HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18: Access is denied.

DONE.
-------------------------------------------------------------------------------

22:21:47 - Performing check: "Hidden processes":
(01) PID: 0 [00000000] (Idle)
(01) PID: 4 [00000000] (System)
(129) PID: 128 [00000000] (OEM02Mon.exe)
(129) PID: 144 [00000000] (spoolsv.exe)
(129) PID: 152 [00000000] (jqs.exe)
(129) PID: 172 [00000000] (rundll32.exe)
(129) PID: 304 [00000000] (sched.exe)
(129) PID: 336 [00000000] (avguard.exe)
(01) PID: 468 [00000000] (smss.exe)
(129) PID: 504 [00000000] (ZCfgSvc.exe)
(129) PID: 516 [00000000] (nvsvc32.exe)
(129) PID: 524 [00000000] (csrss.exe)
(129) PID: 560 [00000000] (winlogon.exe)
(129) PID: 604 [00000000] (services.exe)
(129) PID: 616 [00000000] (lsass.exe)
(129) PID: 784 [00000000] (svchost.exe)
(129) PID: 844 [00000000] (svchost.exe)
(129) PID: 884 [00000000] (MsMpEng.exe)
(129) PID: 896 [00000000] (svchost.exe)
(129) PID: 924 [00000000] (svchost.exe)
(129) PID: 972 [00000000] (EvtEng.exe)
(129) PID: 1000 [00000000] (iFrmewrk.exe)
(129) PID: 1088 [00000000] (S24EvMon.exe)
(129) PID: 1124 [00000000] (WLKEEPER.exe)
(129) PID: 1212 [00000000] (stsystra.exe)
(129) PID: 1236 [00000000] (explorer.exe)
(129) PID: 1244 [00000000] (svchost.exe)
(129) PID: 1296 [00000000] (svchost.exe)
(129) PID: 1452 [00000000] (oacat.exe)
(129) PID: 1468 [00000000] (oasrv.exe)
(129) PID: 1540 [00000000] (KADxMain.exe)
(129) PID: 1576 [00000000] (RegSrvc.exe)
(129) PID: 1788 [00000000] (PCMService.exe)
(129) PID: 1808 [00000000] (SynTPEnh.exe)
(129) PID: 1896 [00000000] (svchost.exe)
(129) PID: 1944 [00000000] (aawservice.exe)
(129) PID: 1976 [00000000] (rundll32.exe)
(129) PID: 2052 [00000000] (GrooveMonitor.exe)
(129) PID: 2160 [00000000] (Dot1XCfg.exe)
(129) PID: 2796 [00000000] (radixgui.exe)
(129) PID: 2932 [00000000] (iPodService.exe)
(129) PID: 3032 [00000000] (MSASCui.exe)
(129) PID: 3200 [00000000] (iTunesHelper.exe)
(129) PID: 3232 [00000000] (avgnt.exe)
(129) PID: 3316 [00000000] (AppleMobileDeviceService.exe)
(129) PID: 3448 [00000000] (mDNSResponder.exe)
(129) PID: 3476 [00000000] (jusched.exe)
(129) PID: 3584 [00000000] (alg.exe)
(129) PID: 3844 [00000000] (wmiprvse.exe)
(129) PID: 3864 [00000000] (GoogleToolbarNotifier.exe)
(129) PID: 3956 [00000000] (DLG.exe)
(01) PID: 3960 [00000000] (wscntfy.exe)
22:21:53 - Performing check: "Selftest":
Doing a short selftest...
-> Checking IAT

PID 2796 - C:\Documents and Settings\Me\Desktop\radix_installer\radixgui.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)

Patching code of CreateProcessA at 7C80236B

7C80236B: Patching FF -> 8B
7C80236C: Patching 25 -> FF
7C80236D: Patching 1E -> 55
7C80236E: Patching 00 -> 8B
7C80236F: Patching 05 -> EC
7C802370: Patching 5F -> 6A

Wrote patch to process memory.
Patching code of CreateProcessW at 7C802336

7C802336: Patching FF -> 8B
7C802337: Patching 25 -> FF
7C802338: Patching 1E -> 55
7C802339: Patching 00 -> 8B
7C80233A: Patching 0B -> EC
7C80233B: Patching 5F -> 6A

Wrote patch to process memory.
Patching code of FreeLibrary at 7C80AC93

7C80AC93: Patching A5 -> DC
7C80AC94: Patching 53 -> FF
7C80AC95: Patching 2F -> FF
7C80AC96: Patching F5 -> FF

Wrote patch to process memory.

USER32.dll (7E410000 - 7E4A1000)

Patching code of ExitWindowsEx at 7E45A275

7E45A275: Patching FF -> 8B
7E45A276: Patching 25 -> FF
7E45A277: Patching 1E -> 55
7E45A278: Patching 00 -> 8B
7E45A279: Patching 0E -> EC
7E45A27A: Patching 5F -> 83

Wrote patch to process memory.

GDI32.dll (77F10000 - 77F59000)
comdlg32.dll (763B0000 - 763F9000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)

Patching code of CoCreateInstance at 7750057E

7750057E: Patching FF -> 8B
7750057F: Patching 25 -> FF
77500580: Patching 1E -> 55
77500581: Patching 00 -> 8B
77500582: Patching 11 -> EC
77500583: Patching 5F -> 83

Wrote patch to process memory.
Patching code of CoCreateInstanceEx at 77500526

77500526: Patching FF -> 8B
77500527: Patching 25 -> FF
77500528: Patching 1E -> 55
77500529: Patching 00 -> 8B
7750052A: Patching 14 -> EC
7750052B: Patching 5F -> 6A

Wrote patch to process memory.

VERSION.dll (77C00000 - 77C08000)
dbghelp.dll (59A60000 - 59B01000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00A90000 - 00B7B000)
oleaut32.dll (77120000 - 771AB000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
wintrust.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
Selftest complete.

22:21:56 - Performing check: "MBR":
22:21:57 - Performing check: "IRP hooks":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "Patched modules":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "SDT hooks":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "IDT hooks":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "SYSENTER hook":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "IAT hooks":

PID 468 - C:\WINDOWS\System32\smss.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)

PID 524 - C:\WINDOWS\system32\csrss.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
CSRSRV.dll (75B40000 - 75B4B000)
basesrv.dll (75B50000 - 75B60000)
winsrv.dll (75B60000 - 75BAB000)
GDI32.dll (77F10000 - 77F59000)
KERNEL32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
USER32.dll (7E410000 - 7E4A1000)
sxs.dll (7E720000 - 7E7D0000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)

PID 560 - C:\WINDOWS\system32\winlogon.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
AUTHZ.dll (776C0000 - 776D2000)
msvcrt.dll (77C10000 - 77C68000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
NDdeApi.dll (75940000 - 75948000)
PROFMAP.dll (75930000 - 7593A000)
NETAPI32.dll (5B860000 - 5B8B5000)
USERENV.dll (769C0000 - 76A74000)
PSAPI.DLL (76BF0000 - 76BFB000)
REGAPI.dll (76BC0000 - 76BCF000)
SETUPAPI.dll (77920000 - 77A13000)
VERSION.dll (77C00000 - 77C08000)
WINSTA.dll (76360000 - 76370000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
IMM32.DLL (76390000 - 763AD000)
MSGINA.dll (75970000 - 75A68000)
COMCTL32.dll (5D090000 - 5D12A000)
ODBC32.dll (74320000 - 7435D000)
comdlg32.dll (763B0000 - 763F9000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
comctl32.dll (773D0000 - 774D3000)
odbcint.dll (00970000 - 00987000)
SHSVCS.dll (776E0000 - 77703000)
sfc.dll (76BB0000 - 76BB5000)
sfc_os.dll (76C60000 - 76C8A000)
ole32.dll (774E0000 - 7761D000)
Apphelp.dll (77B40000 - 77B62000)
msctfime.ime (755C0000 - 755EE000)
WINSCARD.DLL (723D0000 - 723EC000)
WTSAPI32.dll (76F50000 - 76F58000)
sxs.dll (7E720000 - 7E7D0000)
uxtheme.dll (5AD70000 - 5ADA8000)
WINMM.dll (76B40000 - 76B6D000)
SASWINLO.dll (10000000 - 100CC000)
OLEAUT32.dll (77120000 - 771AB000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00FE0000 - 00FE9000)
iertutil.dll (3DFD0000 - 3E015000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
cscdll.dll (76600000 - 7661D000)
dimsntfy.dll (47020000 - 47028000)
WlNotify.dll (75950000 - 7596A000)
MPR.dll (71B20000 - 71B32000)
WINSPOOL.DRV (73000000 - 73026000)
rsaenh.dll (68000000 - 68036000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
iphlpapi.dll (76D60000 - 76D79000)
cscui.dll (77A20000 - 77A74000)
xpsp2res.dll (016B0000 - 01975000)
wdmaud.drv (72D20000 - 72D29000)
msacm32.drv (72D10000 - 72D18000)
MSACM32.dll (77BE0000 - 77BF5000)
midimap.dll (77BD0000 - 77BD7000)
COMRes.dll (77050000 - 77115000)
CLBCATQ.DLL (76FD0000 - 7704F000)

PID 604 - C:\WINDOWS\system32\services.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
NCObjAPI.DLL (5F770000 - 5F77C000)
MSVCP60.dll (76080000 - 760E5000)
SCESRV.dll (7DBD0000 - 7DC21000)
AUTHZ.dll (776C0000 - 776D2000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
USERENV.dll (769C0000 - 76A74000)
umpnpmgr.dll (7DBA0000 - 7DBC1000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
ShimEng.dll (5CB70000 - 5CB96000)
AcAdProc.dll (47260000 - 4726F000)
IMM32.DLL (76390000 - 763AD000)
Apphelp.dll (77B40000 - 77B62000)
VERSION.dll (77C00000 - 77C08000)
eventlog.dll (77B70000 - 77B81000)
PSAPI.DLL (76BF0000 - 76BFB000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)

PID 616 - C:\WINDOWS\system32\lsass.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
LSASRV.dll (75730000 - 757E5000)
MPR.dll (71B20000 - 71B32000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
MSASN1.dll (77B20000 - 77B32000)
msvcrt.dll (77C10000 - 77C68000)
NETAPI32.dll (5B860000 - 5B8B5000)
NTDSAPI.dll (767A0000 - 767B3000)
DNSAPI.dll (76F20000 - 76F47000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
WLDAP32.dll (76F60000 - 76F8C000)
SAMLIB.dll (71BF0000 - 71C03000)
SAMSRV.dll (74440000 - 744AA000)
cryptdll.dll (76790000 - 7679C000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
msprivs.dll (4D200000 - 4D20E000)
kerberos.dll (71CF0000 - 71D3C000)
msv1_0.dll (77C70000 - 77C95000)
iphlpapi.dll (76D60000 - 76D79000)
netlogon.dll (744B0000 - 74515000)
w32time.dll (767C0000 - 767EC000)
MSVCP60.dll (76080000 - 760E5000)
schannel.dll (767F0000 - 76818000)
CRYPT32.dll (77A80000 - 77B15000)
wdigest.dll (7DFC0000 - 7DFD1000)
rsaenh.dll (68000000 - 68036000)
setupapi.dll (77920000 - 77A13000)
scecli.dll (74410000 - 7443F000)
ipsecsvc.dll (743E0000 - 7440F000)
AUTHZ.dll (776C0000 - 776D2000)
oakley.DLL (75D90000 - 75E60000)
WINIPSEC.DLL (74370000 - 7437B000)
pstorsvc.dll (743A0000 - 743AB000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
psbase.dll (743C0000 - 743DB000)
wshtcpip.dll (71A90000 - 71A98000)
dssenh.dll (68100000 - 68126000)

PID 784 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
rpcss.dll (76A80000 - 76AE4000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
xpsp2res.dll (006B0000 - 00975000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
termsrv.dll (760F0000 - 76143000)
ICAAPI.dll (74F70000 - 74F76000)
SETUPAPI.dll (77920000 - 77A13000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
AUTHZ.dll (776C0000 - 776D2000)
mstlsapi.dll (75110000 - 7512F000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
NETAPI32.dll (5B860000 - 5B8B5000)
ATL.DLL (76B20000 - 76B31000)
REGAPI.dll (76BC0000 - 76BCF000)
Apphelp.dll (77B40000 - 77B62000)
rsaenh.dll (68000000 - 68036000)
WTSAPI32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
iphlpapi.dll (76D60000 - 76D79000)

PID 844 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
rpcss.dll (76A80000 - 76AE4000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
xpsp2res.dll (006B0000 - 00975000)
rsaenh.dll (68000000 - 68036000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
DNSAPI.dll (76F20000 - 76F47000)
iphlpapi.dll (76D60000 - 76D79000)
winrnr.dll (76FB0000 - 76FB8000)
WLDAP32.dll (76F60000 - 76F8C000)
mdnsNSP.dll (16080000 - 160A5000)
rasadhlp.dll (76FC0000 - 76FC6000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)

PID 884 - C:\Program Files\Windows Defender\MsMpEng.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
MSVCR80.dll (78130000 - 781CB000)
msvcrt.dll (77C10000 - 77C68000)
MpSvc.dll (5C800000 - 5C844000)
MSVCP80.dll (7C420000 - 7C4A7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
VERSION.dll (77C00000 - 77C08000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
MpClient.dll (5B800000 - 5B84F000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
USERENV.dll (769C0000 - 76A74000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
rsaenh.dll (68000000 - 68036000)
xpsp2res.dll (00AE0000 - 00DA5000)
netapi32.dll (5B860000 - 5B8B5000)
mpengine.dll (5A100000 - 5A641000)
wininet.dll (3D930000 - 3DA01000)
Normaliz.dll (006F0000 - 006F9000)
iertutil.dll (3DFD0000 - 3E015000)
iphlpapi.dll (76D60000 - 76D79000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
mprtplug.dll (5E800000 - 5E80F000)
PSAPI.DLL (76BF0000 - 76BFB000)
uxtheme.dll (5AD70000 - 5ADA8000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
MpAsDesc.dll (60800000 - 6080D000)

PID 924 - C:\WINDOWS\System32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
xpsp2res.dll (00630000 - 008F5000)
shsvcs.dll (776E0000 - 77703000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
rsaenh.dll (68000000 - 68036000)
dhcpcsvc.dll (7D4B0000 - 7D4D2000)
DNSAPI.dll (76F20000 - 76F47000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
iphlpapi.dll (76D60000 - 76D79000)
wzcsvc.dll (7DB10000 - 7DB9C000)
rtutils.dll (76E80000 - 76E8E000)
WMI.dll (76D30000 - 76D34000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
EapolQec.dll (72810000 - 7281B000)
ATL.DLL (76B20000 - 76B31000)
QUtil.dll (726C0000 - 726D6000)
MSVCP60.dll (76080000 - 760E5000)
dot3api.dll (478C0000 - 478CA000)
WTSAPI32.dll (76F50000 - 76F58000)
ESENT.dll (606B0000 - 607BD000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
rastls.dll (76B70000 - 76B97000)
CRYPTUI.dll (754D0000 - 75550000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (01590000 - 01599000)
iertutil.dll (3DFD0000 - 3E015000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
SETUPAPI.dll (77920000 - 77A13000)
RASAPI32.dll (76EE0000 - 76F1C000)
rasman.dll (76E90000 - 76EA2000)
TAPI32.dll (76EB0000 - 76EDF000)
SCHANNEL.dll (767F0000 - 76818000)
WinSCard.dll (723D0000 - 723EC000)
PSAPI.DLL (76BF0000 - 76BFB000)
sw2_ttls.dll (10000000 - 1003F000)
sw2_ttls_res.dll (01730000 - 01752000)
WZCSAPI.DLL (73030000 - 73040000)
raschap.dll (76BD0000 - 76BE6000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
schedsvc.dll (77300000 - 77333000)
NTDSAPI.dll (767A0000 - 767B3000)
MSIDLE.DLL (74F50000 - 74F55000)
audiosrv.dll (708B0000 - 708BD000)
wkssvc.dll (76E40000 - 76E63000)
cryptsvc.dll (76CE0000 - 76CF2000)
certcli.dll (77B90000 - 77BC2000)
ersvc.dll (74F80000 - 74F89000)
es.dll (77710000 - 77754000)
pchsvc.dll (74F40000 - 74F4C000)
srvsvc.dll (75090000 - 750AA000)
netman.dll (77D00000 - 77D33000)
netshell.dll (76400000 - 765A5000)
credui.dll (76C00000 - 76C2E000)
dot3dlg.dll (736D0000 - 736D6000)
OneX.DLL (5DCA0000 - 5DCC8000)
eappcfg.dll (745B0000 - 745D2000)
eappprxy.dll (5DCD0000 - 5DCDE000)
seclogon.dll (73D20000 - 73D28000)
sens.dll (722D0000 - 722DD000)
srsvc.dll (751A0000 - 751CE000)
POWRPROF.dll (74AD0000 - 74AD8000)
SXS.DLL (7E720000 - 7E7D0000)
tapisrv.dll (733E0000 - 73420000)
trkwks.dll (75070000 - 75089000)
w32time.dll (767C0000 - 767EC000)
wmisvc.dll (59490000 - 594B8000)
VSSAPI.DLL (753E0000 - 7544D000)
wuauserv.dll (50000000 - 50005000)
wuaueng.dll (50040000 - 50219000)
WINSPOOL.DRV (73000000 - 73026000)
WINHTTP.dll (4D4F0000 - 4D549000)
Cabinet.dll (75150000 - 75163000)
mspatcha.dll (600A0000 - 600AB000)
browser.dll (76DA0000 - 76DB6000)
ipnathlp.dll (66460000 - 664B5000)
AUTHZ.dll (776C0000 - 776D2000)
sfc.dll (76BB0000 - 76BB5000)
sfc_os.dll (76C60000 - 76C8A000)
wscsvc.dll (4C0A0000 - 4C0B7000)
msi.dll (7D1E0000 - 7D49C000)
wbemcomn.dll (75290000 - 752C7000)
wbemcore.dll (762C0000 - 76345000)
esscli.dll (75310000 - 7534F000)
FastProx.dll (75690000 - 75706000)
Apphelp.dll (77B40000 - 77B62000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
WSOCK32.dll (71AD0000 - 71AD9000)
CLUSAPI.DLL (76D10000 - 76D22000)
RESUTILS.DLL (750B0000 - 750C2000)
wbemsvc.dll (74ED0000 - 74EDE000)
wmiutils.dll (75020000 - 7503B000)
repdrvfs.dll (75200000 - 7522F000)
wmiprvsd.dll (3F1E0000 - 3F252000)
NCObjAPI.DLL (5F770000 - 5F77C000)
wbemess.dll (75390000 - 753D6000)
ncprov.dll (5F740000 - 5F74E000)
wups2.dll (50F00000 - 50F0D000)
upnp.dll (76DE0000 - 76E04000)
SSDPAPI.dll (74F00000 - 74F0C000)
qmgr.dll (5B9F0000 - 5BA5B000)
MPR.dll (71B20000 - 71B32000)
SHFOLDER.dll (76780000 - 76789000)
qmgrprxy.dll (5DDC0000 - 5DDC9000)
rasmans.dll (7DF30000 - 7DF62000)
WINIPSEC.DLL (74370000 - 7437B000)
netcfgx.dll (755F0000 - 7568A000)
rastapi.dll (75880000 - 75891000)
unimdm.tsp (57CC0000 - 57CF6000)
uniplat.dll (72000000 - 72007000)
rasadhlp.dll (76FC0000 - 76FC6000)
unimdmat.dll (5B070000 - 5B084000)
modemui.dll (61650000 - 61678000)
kmddsp.tsp (57D40000 - 57D4B000)
ndptsp.tsp (57D20000 - 57D30000)
ipconf.tsp (57D50000 - 57D58000)
h323.tsp (57D70000 - 57DB6000)
hidphone.tsp (57D60000 - 57D6A000)
HID.DLL (688F0000 - 688F9000)
rasppp.dll (72240000 - 72277000)
ntlsapi.dll (724B0000 - 724B6000)
kerberos.dll (71CF0000 - 71D3C000)
RASQEC.DLL (72AE0000 - 72AF3000)
RASDLG.dll (768D0000 - 76974000)
winrnr.dll (76FB0000 - 76FB8000)
mdnsNSP.dll (16080000 - 160A5000)
mlang.dll (75CF0000 - 75D81000)
xmlprovi.dll (4CB90000 - 4CBA0000)

SCHC · « **Reply #47 on:** March 14, 2010, 04:46:37 PM »

PID 972 - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
PfMgrApi.dll (10000000 - 100DF000)
LIBEAY32.dll (004B0000 - 005BF000)
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
TraceAPI.DLL (00330000 - 00399000)
PsRegApi.dll (005C0000 - 00642000)
SETUPAPI.dll (77920000 - 77A13000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
WINSPOOL.DRV (73000000 - 73026000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
OLEACC.dll (74C80000 - 74CAC000)
MSVCP60.dll (76080000 - 760E5000)
VERSION.dll (77C00000 - 77C08000)
DbEngine.dll (003A0000 - 003F9000)
IntStngs.dll (00650000 - 006A9000)
MurocApi.dll (006B0000 - 0075E000)
S24MUDLL.dll (00760000 - 00779000)
ICMP.dll (74290000 - 74294000)
iphlpapi.dll (76D60000 - 76D79000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
uxtheme.dll (5AD70000 - 5ADA8000)
xpsp2res.dll (00DE0000 - 010A5000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
msado15.dll (4DE10000 - 4DE93000)
MSDART.DLL (765B0000 - 765D5000)
oledb32.dll (73160000 - 731D7000)
OLEDB32R.DLL (75350000 - 75361000)
msdasql.dll (01740000 - 0178D000)
MSDATL3.dll (60E30000 - 60E47000)
ODBC32.dll (74320000 - 7435D000)
odbcint.dll (018D0000 - 018E7000)
MSDASQLR.DLL (018F0000 - 018F4000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
NETAPI32.dll (5B860000 - 5B8B5000)
CLUSAPI.DLL (76D10000 - 76D22000)
RESUTILS.DLL (750B0000 - 750C2000)
USERENV.dll (769C0000 - 76A74000)
odbcjt32.dll (4DD40000 - 4DD84000)
msjet40.dll (1B000000 - 1B170000)
mswstr10.dll (1B5D0000 - 1B665000)
odbcji32.dll (5D130000 - 5D13E000)
msjter40.dll (1B2C0000 - 1B2CD000)
MSJINT40.DLL (1B2D0000 - 1B2F6000)
odbccp32.dll (5FE80000 - 5FE9B000)
msadce.dll (74060000 - 740B1000)
msadcer.dll (06CB0000 - 06CB5000)
wbemprox.dll (74EF0000 - 74EF8000)
wbemcomn.dll (75290000 - 752C7000)
wbemsvc.dll (74ED0000 - 74EDE000)
fastprox.dll (75690000 - 75706000)
NTDSAPI.dll (767A0000 - 767B3000)
DNSAPI.dll (76F20000 - 76F47000)
WLDAP32.dll (76F60000 - 76F8C000)
rsaenh.dll (68000000 - 68036000)

PID 1088 - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
LIBEAY32.dll (10000000 - 1010F000)
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
SETUPAPI.dll (77920000 - 77A13000)
TraceAPI.DLL (00330000 - 00399000)
PsRegApi.dll (00500000 - 00582000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
WINSPOOL.DRV (73000000 - 73026000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
OLEACC.dll (74C80000 - 74CAC000)
MSVCP60.dll (76080000 - 760E5000)
iphlpapi.dll (76D60000 - 76D79000)
NETAPI32.dll (5B860000 - 5B8B5000)
IntStngs.dll (003A0000 - 003F9000)
VERSION.dll (77C00000 - 77C08000)
IWMSPROV.DLL (00590000 - 005AF000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
uxtheme.dll (5AD70000 - 5ADA8000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
netcfgx.dll (755F0000 - 7568A000)
CLUSAPI.dll (76D10000 - 76D22000)
DNSAPI.dll (76F20000 - 76F47000)
msctfime.ime (755C0000 - 755EE000)
msado15.dll (4DE10000 - 4DE93000)
MSDART.DLL (765B0000 - 765D5000)
xpsp2res.dll (014B0000 - 01775000)
oledb32.dll (73160000 - 731D7000)
OLEDB32R.DLL (75350000 - 75361000)
msdasql.dll (01980000 - 019CD000)
MSDATL3.dll (60E30000 - 60E47000)
ODBC32.dll (74320000 - 7435D000)
odbcint.dll (01B10000 - 01B27000)
MSDASQLR.DLL (01B30000 - 01B34000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
RESUTILS.DLL (750B0000 - 750C2000)
USERENV.dll (769C0000 - 76A74000)
odbcjt32.dll (4DD40000 - 4DD84000)
msjet40.dll (1B000000 - 1B170000)
mswstr10.dll (1B5D0000 - 1B665000)
odbcji32.dll (5D130000 - 5D13E000)
msjter40.dll (1B2C0000 - 1B2CD000)
MSJINT40.DLL (1B2D0000 - 1B2F6000)
odbccp32.dll (5FE80000 - 5FE9B000)
msadce.dll (74060000 - 740B1000)
msadcer.dll (06EF0000 - 06EF5000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
netman.dll (77D00000 - 77D33000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
WLDAP32.dll (76F60000 - 76F8C000)
ATL.DLL (76B20000 - 76B31000)
rtutils.dll (76E80000 - 76E8E000)
SAMLIB.dll (71BF0000 - 71C03000)
netshell.dll (76400000 - 765A5000)
credui.dll (76C00000 - 76C2E000)
dot3api.dll (478C0000 - 478CA000)
dot3dlg.dll (736D0000 - 736D6000)
OneX.DLL (5DCA0000 - 5DCC8000)
WTSAPI32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
eappcfg.dll (745B0000 - 745D2000)
eappprxy.dll (5DCD0000 - 5DCDE000)
RASAPI32.dll (76EE0000 - 76F1C000)
rasman.dll (76E90000 - 76EA2000)
TAPI32.dll (76EB0000 - 76EDF000)
WINMM.dll (76B40000 - 76B6D000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (01B40000 - 01B49000)
iertutil.dll (3DFD0000 - 3E015000)
WZCSAPI.DLL (73030000 - 73040000)
WZCSvc.DLL (7DB10000 - 7DB9C000)
WMI.dll (76D30000 - 76D34000)
DHCPCSVC.DLL (7D4B0000 - 7D4D2000)
EapolQec.dll (72810000 - 7281B000)
QUtil.dll (726C0000 - 726D6000)
ESENT.dll (606B0000 - 607BD000)

PID 1124 - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
PfMgrApi.dll (10000000 - 100DF000)
LIBEAY32.dll (00450000 - 0055F000)
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
TraceAPI.DLL (00330000 - 00399000)
PsRegApi.dll (00560000 - 005E2000)
SETUPAPI.dll (77920000 - 77A13000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
WINSPOOL.DRV (73000000 - 73026000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
OLEACC.dll (74C80000 - 74CAC000)
MSVCP60.dll (76080000 - 760E5000)
VERSION.dll (77C00000 - 77C08000)
DbEngine.dll (003A0000 - 003F9000)
IntStngs.dll (005F0000 - 00649000)
MurocApi.dll (00650000 - 006FE000)
S24MUDLL.dll (00700000 - 00719000)
ICMP.dll (74290000 - 74294000)
iphlpapi.dll (76D60000 - 76D79000)
NETAPI32.dll (5B860000 - 5B8B5000)
WinSCard.dll (723D0000 - 723EC000)
WTSAPI32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
USERENV.dll (769C0000 - 76A74000)
C1XStngs.dll (00720000 - 007DF000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
PSAPI.DLL (76BF0000 - 76BFB000)
oledlg.dll (7DF70000 - 7DF92000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
uxtheme.dll (5AD70000 - 5ADA8000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
msado15.dll (4DE10000 - 4DE93000)
MSDART.DLL (765B0000 - 765D5000)
xpsp2res.dll (012B0000 - 01575000)
oledb32.dll (73160000 - 731D7000)
OLEDB32R.DLL (75350000 - 75361000)
msdasql.dll (01780000 - 017CD000)
MSDATL3.dll (60E30000 - 60E47000)
ODBC32.dll (74320000 - 7435D000)
odbcint.dll (01910000 - 01927000)
MSDASQLR.DLL (01930000 - 01934000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
CLUSAPI.DLL (76D10000 - 76D22000)
RESUTILS.DLL (750B0000 - 750C2000)
odbcjt32.dll (4DD40000 - 4DD84000)
msjet40.dll (1B000000 - 1B170000)
mswstr10.dll (1B5D0000 - 1B665000)
odbcji32.dll (5D130000 - 5D13E000)
msjter40.dll (1B2C0000 - 1B2CD000)
MSJINT40.DLL (1B2D0000 - 1B2F6000)
odbccp32.dll (5FE80000 - 5FE9B000)
msadce.dll (74060000 - 740B1000)
msadcer.dll (06CF0000 - 06CF5000)
wbemprox.dll (74EF0000 - 74EF8000)
wbemcomn.dll (75290000 - 752C7000)
wbemsvc.dll (74ED0000 - 74EDE000)
fastprox.dll (75690000 - 75706000)
NTDSAPI.dll (767A0000 - 767B3000)
DNSAPI.dll (76F20000 - 76F47000)
WLDAP32.dll (76F60000 - 76F8C000)
msctfime.ime (755C0000 - 755EE000)

PID 1244 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
dnsrslvr.dll (76770000 - 7677D000)
DNSAPI.dll (76F20000 - 76F47000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
iphlpapi.dll (76D60000 - 76D79000)
rsaenh.dll (68000000 - 68036000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)

PID 1296 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
xpsp2res.dll (00630000 - 008F5000)
lmhsvc.dll (74C40000 - 74C46000)
iphlpapi.dll (76D60000 - 76D79000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
ssdpsrv.dll (765E0000 - 765F4000)
hnetcfg.dll (662B0000 - 66308000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
mswsock.dll (71A50000 - 71A8F000)
wshtcpip.dll (71A90000 - 71A98000)

PID 1452 - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
user32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
advapi32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
oleaut32.dll (77120000 - 771AB000)
msvcrt.dll (77C10000 - 77C68000)
ole32.dll (774E0000 - 7761D000)
version.dll (77C00000 - 77C08000)
comctl32.dll (5D090000 - 5D12A000)
shell32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
comdlg32.dll (763B0000 - 763F9000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
netapi32.dll (5B860000 - 5B8B5000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
uxtheme.dll (5AD70000 - 5ADA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
rsaenh.dll (68000000 - 68036000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)

PID 1468 - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
user32.dll (7E410000 - 7E4A1000)
The code of LoadStringA at 7E42C908 (0) got patched. Here is the diff:
Address New-Original
7E42C908: FF - 8B
7E42C909: 25 - FF
7E42C90A: 1E - 55
7E42C90B: 00 - 8B
7E42C90C: 05 - EC
7E42C90D: 5F - 53
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\oasrv.exe+0xC0154

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\oasrv.exe+0xC0154:
Base address:   00400000
Size:      00331000
Flags:      00005000
Load count:   65535
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\oasrv.exe
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of LoadStringW at 7E419E36 (0) got patched. Here is the diff:
Address New-Original
7E419E36: FF - 8B
7E419E37: 25 - FF
7E419E38: 1E - 55
7E419E39: 00 - 8B
7E419E3A: 0B - EC
7E419E3B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\oasrv.exe+0xC0078

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\oasrv.exe+0xC0078:
Base address:   00400000
Size:      00331000
Flags:      00005000
Load count:   65535
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\oasrv.exe
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
advapi32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
oleaut32.dll (77120000 - 771AB000)
msvcrt.dll (77C10000 - 77C68000)
ole32.dll (774E0000 - 7761D000)
version.dll (77C00000 - 77C08000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
shell32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
comctl32.dll (5D090000 - 5D12A000)
wininet.dll (3D930000 - 3DA01000)
Normaliz.dll (00330000 - 00339000)
iertutil.dll (3DFD0000 - 3E015000)
comdlg32.dll (763B0000 - 763F9000)
winmm.dll (76B40000 - 76B6D000)
crypt32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
fltlib.dll (4FFE0000 - 4FFE8000)
shfolder.dll (76780000 - 76789000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
uxtheme.dll (5AD70000 - 5ADA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
userenv.dll (769C0000 - 76A74000)
IPHLPAPI.DLL (76D60000 - 76D79000)
setupapi.dll (77920000 - 77A13000)
dnsapi.dll (76F20000 - 76F47000)
AVICAP32.DLL (73B80000 - 73B92000)
MSVFW32.dll (75A70000 - 75A91000)
rsaenh.dll (68000000 - 68036000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
ATL.DLL (76B20000 - 76B31000)
rtutils.dll (76E80000 - 76E8E000)
PSAPI.dll (76BF0000 - 76BFB000)
OAnetAPI.dll (10000000 - 10013000)
xpsp2res.dll (033D0000 - 03695000)
SXS.DLL (7E720000 - 7E7D0000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
MSVCP60.dll (76080000 - 760E5000)
wbemprox.dll (74EF0000 - 74EF8000)
wbemcomn.dll (75290000 - 752C7000)
msi.dll (7D1E0000 - 7D49C000)
wmiutils.dll (75020000 - 7503B000)
wbemsvc.dll (74ED0000 - 74EDE000)
fastprox.dll (75690000 - 75706000)
NTDSAPI.dll (767A0000 - 767B3000)
qmgrprxy.dll (5DDC0000 - 5DDC9000)
hnetcfg.dll (662B0000 - 66308000)
WinTrust.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)

PID 1944 - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking.
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
CEAPI.dll (10000000 - 100B2000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
PKArchive84cb.dll (004A0000 - 0063B000)
[-] Unable to load module C:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll for checking
SHELL32.dll (7C9C0000 - 7D1D7000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
WLDAP32.dll (76F60000 - 76F8C000)
PSAPI.DLL (76BF0000 - 76BFB000)
VERSION.dll (77C00000 - 77C08000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00350000 - 00359000)
iertutil.dll (3DFD0000 - 3E015000)
Update.dll (00360000 - 003E1000)
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
USERENV.dll (769C0000 - 76A74000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
rsaenh.dll (68000000 - 68036000)

PID 144 - C:\WINDOWS\system32\spoolsv.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
msvcrt.dll (77C10000 - 77C68000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
SPOOLSS.DLL (742E0000 - 742F5000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
DNSAPI.dll (76F20000 - 76F47000)
iphlpapi.dll (76D60000 - 76D79000)
rasadhlp.dll (76FC0000 - 76FC6000)
localspl.dll (75BB0000 - 75C07000)
sfc_os.dll (76C60000 - 76C8A000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
winspool.drv (73000000 - 73026000)
netapi32.dll (5B860000 - 5B8B5000)
cnbjmon.dll (742A0000 - 742AE000)
FXSMON.DLL (68F00000 - 68F09000)
FXSEVENT.dll (68F20000 - 68F31000)
pjlmon.dll (74280000 - 74287000)
msonpmon.dll (00980000 - 00989000)
MSVCR80.dll (78130000 - 781CB000)
msi.dll (7D1E0000 - 7D49C000)
tcpmon.dll (72400000 - 7240E000)
usbmon.dll (723F0000 - 723F7000)
msonpppr.dll (00D50000 - 00D59000)
mswsock.dll (71A50000 - 71A8F000)
winrnr.dll (76FB0000 - 76FB8000)
WLDAP32.dll (76F60000 - 76F8C000)
mdnsNSP.dll (16080000 - 160A5000)
win32spl.dll (75C10000 - 75C34000)
NETRAP.dll (71C80000 - 71C87000)
NTDSAPI.dll (767A0000 - 767B3000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
xpsp2res.dll (01010000 - 012D5000)
inetpp.dll (74300000 - 74315000)

PID 304 - C:\Program Files\Avira\AntiVir Desktop\sched.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
IPHLPAPI.DLL (76D60000 - 76D79000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
MSVCR90.dll (78520000 - 785C3000)
MSVCP90.dll (78480000 - 7850E000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
schedr.dll (10000000 - 10004000)
WTSAPI32.DLL (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
rasapi32.dll (76EE0000 - 76F1C000)
rasman.dll (76E90000 - 76EA2000)
TAPI32.dll (76EB0000 - 76EDF000)
rtutils.dll (76E80000 - 76E8E000)
WINMM.dll (76B40000 - 76B6D000)
avevtlog.dll (00BC0000 - 00BEE000)
sqlite3.dll (00D00000 - 00D53000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
xpsp2res.dll (01470000 - 01735000)
rsaenh.dll (68000000 - 68036000)
uxtheme.dll (5AD70000 - 5ADA8000)
userenv.dll (769C0000 - 76A74000)
cryptnet.dll (75E60000 - 75E73000)
PSAPI.DLL (76BF0000 - 76BFB000)
SensApi.dll (722B0000 - 722B5000)
WINHTTP.dll (4D4F0000 - 4D549000)
WLDAP32.dll (76F60000 - 76F8C000)

PID 336 - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
MSVCR90.dll (78520000 - 785C3000)
MSVCP90.dll (78480000 - 7850E000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
WTSAPI32.DLL (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
AVEvtLog.dll (10000000 - 1002E000)
guardmsg.dll (00C20000 - 00C28000)
sqlite3.dll (00C30000 - 00C83000)
AVPREF.DLL (00DA0000 - 00DAD000)
SMTPLIB.DLL (00DC0000 - 00DCB000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wintrust.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
AVGIO.DLL (01220000 - 01236000)
FLTLIB.DLL (4FFE0000 - 4FFE8000)
aecore.dll (01350000 - 01380000)
aevdf.dll (01390000 - 013AB000)
aescript.dll (013C0000 - 014BC000)
aescn.dll (014D0000 - 014F0000)
aesbx.dll (01500000 - 0153F000)
aerdl.dll (01550000 - 015C7000)
aepack.dll (015E0000 - 0164D000)
unacev2.dll (01660000 - 016AB000)
aeoffice.dll (016C0000 - 016F2000)
aeheur.dll (01710000 - 01949000)
aehelp.dll (01960000 - 0199C000)
aegen.dll (019B0000 - 01A0C000)
aeemu.dll (01A20000 - 01A81000)
aebb.dll (01AA0000 - 01AAE000)
avipc.dll (01C60000 - 01C72000)

PID 896 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
xpsp2res.dll (00630000 - 008F5000)
webclnt.dll (5A6E0000 - 5A6F5000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00940000 - 00949000)
iertutil.dll (3DFD0000 - 3E015000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)

PID 1236 - C:\WINDOWS\Explorer.EXE
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
Explorer.EXE:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\WINDOWS\system32\ShimEng.dll:
Base address:   5CB70000
Size:      00026000
Flags:      8000400C
Load count:   1
Name:      Microsoft® Windows® Operating System
Prod. Version:   5.1.2600.5512
Company:   Microsoft Corporation
File Version:   5.1.2600.5512 (xpsp.080413-2105)
Description:   Shim Engine DLL
Location:   C:\WINDOWS\system32\ShimEng.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ADVAPI32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\WINDOWS\system32\ShimEng.dll:
Base address:   5CB70000
Size:      00026000
Flags:      8000400C
Load count:   1
Name:      Microsoft® Windows® Operating System
Prod. Version:   5.1.2600.5512
Company:   Microsoft Corporation
File Version:   5.1.2600.5512 (xpsp.080413-2105)
Description:   Shim Engine DLL
Location:   C:\WINDOWS\system32\ShimEng.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
RPCRT4.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
Secur32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
BROWSEUI.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
GDI32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
USER32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
msvcrt.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
ole32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
SHLWAPI.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
OLEAUT32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
SHDOCVW.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
CRYPT32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
MSASN1.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
CRYPTUI.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
NETAPI32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
VERSION.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WININET.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
iertutil.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WINTRUST.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
IMAGEHLP.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WLDAP32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
SHELL32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
UxTheme.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WINMM.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
MSACM32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
USERENV.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
IMM32.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
comctl32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
comctl32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
msctfime.ime:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
appHelp.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
CLBCATQ.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
GrooveShellExGetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
GrooveUtil.DLGetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
MSVCR80.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
ATL80.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
rsaenh.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
cscui.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
CSCDLL.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
themeui.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
actxprxy.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
wmpband.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
MPR.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
OAwatch.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WS2_32.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WS2HELP.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
wtsapi32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
GrooveSystemSGetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
msxml3.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
ntshrui.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
ATL.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
SETUPAPI.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
msi.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
LINKINFO.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
ieframe.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
PSAPI.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
urlmon.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
MLANG.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
NETSHELL.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
credui.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
eappcfg.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
iphlpapi.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
oaevent.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
webcheck.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
stobject.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
BatMeter.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
wdmaud.drv :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
mydocs.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
GrooveMisc.dlGetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
shlext.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WINSPOOL.DRV:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
mbamext.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WZCSAPI.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
fxsst.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
FXSAPI.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
NTMARTA.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
wzcdlg.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
WINHTTP.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
ntlanman.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
NETUI0.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
davclnt.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
MPRAPI.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
ACTIVEDS.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
adsldpc.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
DNSAPI.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
DHCPCSVC.DLL:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
PDFShell.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
SDHelper.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
comdlg32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
faultrep.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
olepro32.dll:GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
jsproxy.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
SXS.DLL :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
DUSER.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
MpOAv.dll :GetProcAddress --[HOOKED]-- @5CB77774 by C:\WINDOWS\system32\ShimEng.dll

SCHC · « **Reply #48 on:** March 14, 2010, 04:47:32 PM »

The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   01780000
Size:      000EB000
Flags:      80284004
Load count:   1
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   01780000
Size:      000EB000
Flags:      80284004
Load count:   1
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
BROWSEUI.dll (75F80000 - 7607D000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   01780000
Size:      000EB000
Flags:      80284004
Load count:   1
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
msvcrt.dll (77C10000 - 77C68000)
ole32.dll (774E0000 - 7761D000)
SHLWAPI.dll (77F60000 - 77FD6000)
OLEAUT32.dll (77120000 - 771AB000)
SHDOCVW.dll (7E290000 - 7E401000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
CRYPTUI.dll (754D0000 - 75550000)
NETAPI32.dll (5B860000 - 5B8B5000)
VERSION.dll (77C00000 - 77C08000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00400000 - 00409000)
iertutil.dll (3DFD0000 - 3E015000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
WLDAP32.dll (76F60000 - 76F8C000)
SHELL32.dll (7C9C0000 - 7D1D7000)
UxTheme.dll (5AD70000 - 5ADA8000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
WINMM.dll (76B40000 - 76B6D000)
MSACM32.dll (77BE0000 - 77BF5000)
USERENV.dll (769C0000 - 76A74000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
msctfime.ime (755C0000 - 755EE000)
appHelp.dll (77B40000 - 77B62000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
GrooveShellExtensions.dll(661D0000 - 663EF000)
GrooveUtil.DLL (68EF0000 - 68FE2000)
MSVCR80.dll (78130000 - 781CB000)
GrooveNew.DLL (68FF0000 - 68FF7000)
ATL80.DLL (7C630000 - 7C64B000)
rsaenh.dll (68000000 - 68036000)
MSImg32.dll (76380000 - 76385000)
cscui.dll (77A20000 - 77A74000)
CSCDLL.dll (76600000 - 7661D000)
themeui.dll (5BA60000 - 5BAD1000)
xpsp2res.dll (011B0000 - 01475000)
actxprxy.dll (71D40000 - 71D5B000)
wmpband.dll (4C4B0000 - 4C4C8000)
MPR.dll (71B20000 - 71B32000)
OAwatch.dll (01780000 - 0186B000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
GrooveSystemServices.dll(65E50000 - 65E7D000)
msxml3.dll (74980000 - 74AA3000)
ntshrui.dll (76990000 - 769B5000)
ATL.DLL (76B20000 - 76B31000)
SETUPAPI.dll (77920000 - 77A13000)
msi.dll (7D1E0000 - 7D49C000)
LINKINFO.dll (76980000 - 76988000)
ieframe.dll (3E1C0000 - 3E78D000)
PSAPI.DLL (76BF0000 - 76BFB000)
urlmon.dll (01F60000 - 02088000)
MLANG.dll (75CF0000 - 75D81000)
NETSHELL.dll (76400000 - 765A5000)
credui.dll (76C00000 - 76C2E000)
dot3api.dll (478C0000 - 478CA000)
rtutils.dll (76E80000 - 76E8E000)
dot3dlg.dll (736D0000 - 736D6000)
OneX.DLL (5DCA0000 - 5DCC8000)
eappcfg.dll (745B0000 - 745D2000)
MSVCP60.dll (76080000 - 760E5000)
eappprxy.dll (5DCD0000 - 5DCDE000)
iphlpapi.dll (76D60000 - 76D79000)
The code of IcmpSendEcho2 at 76D6B73C (0) got patched. Here is the diff:
Address New-Original
76D6B73C: FF - 8B
76D6B73D: 25 - FF
76D6B73E: 1E - 55
76D6B73F: 00 - 8B
76D6B740: 11 - EC
76D6B741: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50:
Base address:   01780000
Size:      000EB000
Flags:      80284004
Load count:   1
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
MpShHook.dll (5F800000 - 5F816000)
MSVCP80.dll (7C420000 - 7C4A7000)
oaevent.dll (026B0000 - 02799000)
webcheck.dll (42E40000 - 42E7C000)
stobject.dll (76280000 - 762A1000)
BatMeter.dll (74AF0000 - 74AFA000)
POWRPROF.dll (74AD0000 - 74AD8000)
wdmaud.drv (72D20000 - 72D29000)
msacm32.drv (72D10000 - 72D18000)
midimap.dll (77BD0000 - 77BD7000)
mydocs.dll (72410000 - 7242A000)
GrooveMisc.dll (66B50000 - 66CCF000)
shlext.dll (030F0000 - 0313C000)
WINSPOOL.DRV (73000000 - 73026000)
mbamext.dll (03150000 - 03168000)
WZCSAPI.DLL (73030000 - 73040000)
fxsst.dll (68DF0000 - 68E7D000)
FXSAPI.dll (5A980000 - 5A9F2000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
wzcdlg.dll (5DF10000 - 5DF70000)
WINHTTP.dll (4D4F0000 - 4D549000)
xpsp3res.dll (20000000 - 200AA000)
drprov.dll (75F60000 - 75F67000)
ntlanman.dll (71C10000 - 71C1E000)
NETUI0.dll (71CD0000 - 71CE7000)
NETUI1.dll (71C90000 - 71CD0000)
NETRAP.dll (71C80000 - 71C87000)
davclnt.dll (75F70000 - 75F7A000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
DNSAPI.dll (76F20000 - 76F47000)
DHCPCSVC.DLL (7D4B0000 - 7D4D2000)
PDFShell.dll (10000000 - 1001C000)
browselc.dll (71600000 - 71612000)
SDHelper.dll (035E0000 - 03765000)
comdlg32.dll (763B0000 - 763F9000)
faultrep.dll (69450000 - 69466000)
olepro32.dll (5EDD0000 - 5EDE7000)
jsproxy.dll (42B80000 - 42B8A000)
SXS.DLL (7E720000 - 7E7D0000)
DUSER.dll (6C1B0000 - 6C1FD000)
MpOAv.dll (04100000 - 04115000)

PID 1808 - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00A60000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00A60000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
VERSION.dll (77C00000 - 77C08000)
WINMM.dll (76B40000 - 76B6D000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00A60000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00A60000 - 00B4B000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
SynCOM.dll (10000000 - 10028000)
msctfime.ime (755C0000 - 755EE000)
SynTPAPI.dll (63010000 - 63035000)

PID 1976 - C:\WINDOWS\system32\rundll32.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
msvcrt.dll (77C10000 - 77C68000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
IMAGEHLP.dll (76C90000 - 76CB8000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
OAwatch.dll (009E0000 - 00ACB000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
nvHotkey.dll (10000000 - 10015000)
msctfime.ime (755C0000 - 755EE000)

PID 172 - C:\WINDOWS\system32\RunDLL32.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
msvcrt.dll (77C10000 - 77C68000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
IMAGEHLP.dll (76C90000 - 76CB8000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
OAwatch.dll (009E0000 - 00ACB000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
NvMCTray.dll (10000000 - 10016000)
nvapi.dll (00C50000 - 00CA6000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
msctfime.ime (755C0000 - 755EE000)

PID 128 - C:\WINDOWS\OEM02Mon.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   008F0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   008F0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   008F0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SETUPAPI.dll (77920000 - 77A13000)
ksproxy.ax (5E030000 - 5E053000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
ksuser.dll (73EE0000 - 73EE4000)
IMM32.DLL (76390000 - 763AD000)
OAwatch.dll (008F0000 - 009DB000)
version.dll (77C00000 - 77C08000)
comctl32.dll (5D090000 - 5D12A000)
shell32.dll (7C9C0000 - 7D1D7000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
comctl32.dll (773D0000 - 774D3000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)

PID 504 - C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00EA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00EA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
PfMgrApi.dll (10000000 - 100DF000)
LIBEAY32.dll (004D0000 - 005DF000)
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00EA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
TraceAPI.DLL (00330000 - 00399000)
PsRegApi.dll (005E0000 - 00662000)
SETUPAPI.dll (77920000 - 77A13000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
WINSPOOL.DRV (73000000 - 73026000)
ole32.dll (774E0000 - 7761D000)
The code of CoCreateInstance at 7750057E (0) got patched. Here is the diff:
Address New-Original
7750057E: FF - 8B
7750057F: 25 - FF
77500580: 1E - 55
77500581: 00 - 8B
77500582: 17 - EC
77500583: 5F - 83
--> JMP DWORD PTR DS:[5F17001E]
--> JMP 5F160F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68:
Base address:   00EA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CoCreateInstanceEx at 77500526 (0) got patched. Here is the diff:
Address New-Original
77500526: FF - 8B
77500527: 25 - FF
77500528: 1E - 55
77500529: 00 - 8B
7750052A: 1A - EC
7750052B: 5F - 6A
--> JMP DWORD PTR DS:[5F1A001E]
--> JMP 5F190F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54:
Base address:   00EA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
OLEAUT32.dll (77120000 - 771AB000)
OLEACC.dll (74C80000 - 74CAC000)
MSVCP60.dll (76080000 - 760E5000)
VERSION.dll (77C00000 - 77C08000)
DbEngine.dll (003A0000 - 003F9000)
IntStngs.dll (00670000 - 006C9000)
MurocApi.dll (006D0000 - 0077E000)
S24MUDLL.dll (00780000 - 00799000)
ICMP.dll (74290000 - 74294000)
iphlpapi.dll (76D60000 - 76D79000)
The code of IcmpSendEcho at 76D64B79 (0) got patched. Here is the diff:
Address New-Original
76D64B79: FF - 8B
76D64B7A: 25 - FF
76D64B7B: 1E - 55
76D64B7C: 00 - 8B
76D64B7D: 11 - EC
76D64B7E: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0B00

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0B00:
Base address:   00EA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of IcmpSendEcho2 at 76D6B73C (0) got patched. Here is the diff:
Address New-Original
76D6B73C: FF - 8B
76D6B73D: 25 - FF
76D6B73E: 1E - 55
76D6B73F: 00 - 8B
76D6B740: 14 - EC
76D6B741: 5F - 83
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50:
Base address:   00EA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
oledlg.dll (7DF70000 - 7DF92000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00EA0000 - 00F8B000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
USERENV.dll (769C0000 - 76A74000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
msado15.dll (4DE10000 - 4DE93000)
MSDART.DLL (765B0000 - 765D5000)
xpsp2res.dll (013D0000 - 01695000)
oledb32.dll (73160000 - 731D7000)
OLEDB32R.DLL (75350000 - 75361000)
msdasql.dll (018A0000 - 018ED000)
MSDATL3.dll (60E30000 - 60E47000)
ODBC32.dll (74320000 - 7435D000)
odbcint.dll (01180000 - 01197000)
MSDASQLR.DLL (011A0000 - 011A4000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
CLUSAPI.DLL (76D10000 - 76D22000)
RESUTILS.DLL (750B0000 - 750C2000)
odbcjt32.dll (4DD40000 - 4DD84000)
msjet40.dll (1B000000 - 1B170000)
mswstr10.dll (1B5D0000 - 1B665000)
odbcji32.dll (5D130000 - 5D13E000)
msjter40.dll (1B2C0000 - 1B2CD000)
MSJINT40.DLL (1B2D0000 - 1B2F6000)
odbccp32.dll (5FE80000 - 5FE9B000)
msadce.dll (74060000 - 740B1000)
msadcer.dll (06DE0000 - 06DE5000)
wbemprox.dll (74EF0000 - 74EF8000)
wbemcomn.dll (75290000 - 752C7000)
wbemsvc.dll (74ED0000 - 74EDE000)
fastprox.dll (75690000 - 75706000)
NTDSAPI.dll (767A0000 - 767B3000)
DNSAPI.dll (76F20000 - 76F47000)
WLDAP32.dll (76F60000 - 76F8C000)
rsaenh.dll (68000000 - 68036000)
msi.dll (7D1E0000 - 7D49C000)
SXS.DLL (7E720000 - 7E7D0000)

SCHC · « **Reply #49 on:** March 14, 2010, 04:48:29 PM »

PID 1000 - C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00DC0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00DC0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
PsRegApi.dll (10000000 - 10082000)
SETUPAPI.dll (77920000 - 77A13000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00DC0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
msvcrt.dll (77C10000 - 77C68000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
WINSPOOL.DRV (73000000 - 73026000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
VERSION.dll (77C00000 - 77C08000)
WINMM.dll (76B40000 - 76B6D000)
IntStngs.dll (00330000 - 00389000)
TraceAPI.DLL (00390000 - 003F9000)
OLEACC.dll (74C80000 - 74CAC000)
MSVCP60.dll (76080000 - 760E5000)
MurocApi.dll (00500000 - 005AE000)
S24MUDLL.dll (005B0000 - 005C9000)
LIBEAY32.dll (005D0000 - 006DF000)
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
ICMP.dll (74290000 - 74294000)
iphlpapi.dll (76D60000 - 76D79000)
The code of IcmpSendEcho at 76D64B79 (0) got patched. Here is the diff:
Address New-Original
76D64B79: FF - 8B
76D64B7A: 25 - FF
76D64B7B: 1E - 55
76D64B7C: 00 - 8B
76D64B7D: 11 - EC
76D64B7E: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0B00

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0B00:
Base address:   00DC0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of IcmpSendEcho2 at 76D6B73C (0) got patched. Here is the diff:
Address New-Original
76D6B73C: FF - 8B
76D6B73D: 25 - FF
76D6B73E: 1E - 55
76D6B73F: 00 - 8B
76D6B740: 14 - EC
76D6B741: 5F - 83
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50:
Base address:   00DC0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
oledlg.dll (7DF70000 - 7DF92000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00DC0000 - 00EAB000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
rsaenh.dll (68000000 - 68036000)
msctfime.ime (755C0000 - 755EE000)
ConnMgr.dll (010F0000 - 0124B000)
PfMgrApi.dll (01250000 - 0132F000)
DbEngine.dll (01020000 - 01079000)
imagehlp.dll (76C90000 - 76CB8000)
USERENV.dll (769C0000 - 76A74000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
msado15.dll (4DE10000 - 4DE93000)
MSDART.DLL (765B0000 - 765D5000)
xpsp2res.dll (016B0000 - 01975000)
oledb32.dll (73160000 - 731D7000)
OLEDB32R.DLL (75350000 - 75361000)
msdasql.dll (01B80000 - 01BCD000)
MSDATL3.dll (60E30000 - 60E47000)
ODBC32.dll (74320000 - 7435D000)
odbcint.dll (010B0000 - 010C7000)
MSDASQLR.DLL (01D10000 - 01D14000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
CLUSAPI.DLL (76D10000 - 76D22000)
RESUTILS.DLL (750B0000 - 750C2000)
odbcjt32.dll (4DD40000 - 4DD84000)
msjet40.dll (1B000000 - 1B170000)
mswstr10.dll (1B5D0000 - 1B665000)
odbcji32.dll (5D130000 - 5D13E000)
msjter40.dll (1B2C0000 - 1B2CD000)
MSJINT40.DLL (1B2D0000 - 1B2F6000)
odbccp32.dll (5FE80000 - 5FE9B000)
msadce.dll (74060000 - 740B1000)
msadcer.dll (070D0000 - 070D5000)
wbemprox.dll (74EF0000 - 74EF8000)
wbemcomn.dll (75290000 - 752C7000)
wbemsvc.dll (74ED0000 - 74EDE000)
fastprox.dll (75690000 - 75706000)
NTDSAPI.dll (767A0000 - 767B3000)
DNSAPI.dll (76F20000 - 76F47000)
WLDAP32.dll (76F60000 - 76F8C000)
netman.dll (77D00000 - 77D33000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
ATL.DLL (76B20000 - 76B31000)
rtutils.dll (76E80000 - 76E8E000)
SAMLIB.dll (71BF0000 - 71C03000)
netshell.dll (76400000 - 765A5000)
credui.dll (76C00000 - 76C2E000)
dot3api.dll (478C0000 - 478CA000)
dot3dlg.dll (736D0000 - 736D6000)
OneX.DLL (5DCA0000 - 5DCC8000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
eappcfg.dll (745B0000 - 745D2000)
eappprxy.dll (5DCD0000 - 5DCDE000)
RASAPI32.dll (76EE0000 - 76F1C000)
rasman.dll (76E90000 - 76EA2000)
TAPI32.dll (76EB0000 - 76EDF000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (06F50000 - 06F59000)
iertutil.dll (3DFD0000 - 3E015000)
WZCSAPI.DLL (73030000 - 73040000)
WZCSvc.DLL (7DB10000 - 7DB9C000)
WMI.dll (76D30000 - 76D34000)
DHCPCSVC.DLL (7D4B0000 - 7D4D2000)
EapolQec.dll (72810000 - 7281B000)
QUtil.dll (726C0000 - 726D6000)
ESENT.dll (606B0000 - 607BD000)

PID 1212 - C:\WINDOWS\stsystra.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00A20000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00A20000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
STLang.dll (10000000 - 10189000)
MFC42u.DLL (5F800000 - 5F8F2000)
msvcrt.dll (77C10000 - 77C68000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00A20000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SHLWAPI.dll (77F60000 - 77FD6000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
SHELL32.dll (7C9C0000 - 7D1D7000)
COMCTL32.dll (5D090000 - 5D12A000)
ole32.dll (774E0000 - 7761D000)
The code of CoCreateInstance at 7750057E (0) got patched. Here is the diff:
Address New-Original
7750057E: FF - 8B
7750057F: 25 - FF
77500580: 1E - 55
77500581: 00 - 8B
77500582: 11 - EC
77500583: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68:
Base address:   00A20000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CoCreateInstanceEx at 77500526 (0) got patched. Here is the diff:
Address New-Original
77500526: FF - 8B
77500527: 25 - FF
77500528: 1E - 55
77500529: 00 - 8B
7750052A: 14 - EC
7750052B: 5F - 6A
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54:
Base address:   00A20000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00A20000 - 00B0B000)
oleaut32.dll (77120000 - 771AB000)
version.dll (77C00000 - 77C08000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
xpsp2res.dll (00F20000 - 011E5000)
stacapi.dll (015F0000 - 01634000)
SETUPAPI.dll (77920000 - 77A13000)
WINMM.dll (76B40000 - 76B6D000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
wdmaud.drv (72D20000 - 72D29000)
msacm32.drv (72D10000 - 72D18000)
MSACM32.dll (77BE0000 - 77BF5000)
midimap.dll (77BD0000 - 77BD7000)

PID 1540 - C:\WINDOWS\system32\KADxMain.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
KADxCtl.dll (10000000 - 1002D000)
SHLWAPI.dll (77F60000 - 77FD6000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
msvcrt.dll (77C10000 - 77C68000)
SETUPAPI.dll (77920000 - 77A13000)
WINMM.dll (76B40000 - 76B6D000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
ole32.dll (774E0000 - 7761D000)
The code of CoCreateInstance at 7750057E (0) got patched. Here is the diff:
Address New-Original
7750057E: FF - 8B
7750057F: 25 - FF
77500580: 1E - 55
77500581: 00 - 8B
77500582: 11 - EC
77500583: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CoCreateInstanceEx at 77500526 (0) got patched. Here is the diff:
Address New-Original
77500526: FF - 8B
77500527: 25 - FF
77500528: 1E - 55
77500529: 00 - 8B
7750052A: 14 - EC
7750052B: 5F - 6A
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
OLEAUT32.dll (77120000 - 771AB000)
WINSPOOL.DRV (73000000 - 73026000)
oledlg.dll (7DF70000 - 7DF92000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (009E0000 - 00ACB000)
version.dll (77C00000 - 77C08000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
wdmaud.drv (72D20000 - 72D29000)
msacm32.drv (72D10000 - 72D18000)
MSACM32.dll (77BE0000 - 77BF5000)
midimap.dll (77BD0000 - 77BD7000)
xpsp2res.dll (00F20000 - 011E5000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)

PID 1788 - C:\Program Files\Dell\MediaDirect\PCMService.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
WININET.dll (3D930000 - 3DA01000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Normaliz.dll (00330000 - 00339000)
iertutil.dll (3DFD0000 - 3E015000)
DDRAW.dll (73760000 - 737AB000)
DCIMAN32.dll (73BC0000 - 73BC6000)
d3d9.dll (4FDD0000 - 4FF76000)
d3d8thk.dll (6D990000 - 6D996000)
VERSION.dll (77C00000 - 77C08000)
WINMM.dll (76B40000 - 76B6D000)
MFC71.DLL (7C140000 - 7C243000)
MSVCR71.dll (7C340000 - 7C396000)
SHELL32.dll (7C9C0000 - 7D1D7000)
ole32.dll (774E0000 - 7761D000)
The code of CoCreateInstance at 7750057E (0) got patched. Here is the diff:
Address New-Original
7750057E: FF - 8B
7750057F: 25 - FF
77500580: 1E - 55
77500581: 00 - 8B
77500582: 11 - EC
77500583: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CoCreateInstanceEx at 77500526 (0) got patched. Here is the diff:
Address New-Original
77500526: FF - 8B
77500527: 25 - FF
77500528: 1E - 55
77500529: 00 - 8B
7750052A: 14 - EC
7750052B: 5F - 6A
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
OLEAUT32.dll (77120000 - 771AB000)
MSVCP71.dll (7C3A0000 - 7C41B000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
OAwatch.dll (00BA0000 - 00C8B000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
xpsp2res.dll (00F10000 - 011D5000)
wab32.dll (470D0000 - 47151000)
MSOERT2.dll (76880000 - 768A2000)
wab32res.dll (35F40000 - 35F7F000)
msctfime.ime (755C0000 - 755EE000)
msident.dll (608A0000 - 608AF000)
msidntld.dll (60890000 - 60896000)
PSTOREC.DLL (5E0C0000 - 5E0CD000)
ATL.DLL (76B20000 - 76B31000)
CLRCEngine3.dll (10000000 - 10011000)
msxml3.dll (74980000 - 74AA3000)
urlmon.dll (78130000 - 78258000)
MSOXMLMF.DLL (38A70000 - 38A7C000)
MSVCR80.dll (01C30000 - 01CCB000)
mlang.dll (75CF0000 - 75D81000)

SCHC · « **Reply #50 on:** March 14, 2010, 04:49:26 PM »

PID 2052 - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00BA0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
SHELL32.dll (7C9C0000 - 7D1D7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
GrooveUtil.DLL (68EF0000 - 68FE2000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00350000 - 00359000)
iertutil.dll (3DFD0000 - 3E015000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
OLEAUT32.dll (77120000 - 771AB000)
MSVCR80.dll (78130000 - 781CB000)
GrooveNew.DLL (68FF0000 - 68FF7000)
VERSION.dll (77C00000 - 77C08000)
ATL80.DLL (7C630000 - 7C64B000)
COMCTL32.dll (5D090000 - 5D12A000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
rsaenh.dll (68000000 - 68036000)
OAwatch.dll (00BA0000 - 00C8B000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
USERENV.dll (769C0000 - 76A74000)
SETUPAPI.dll (77920000 - 77A13000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
GrooveShellExtensions.dll(661D0000 - 663EF000)
MSImg32.dll (76380000 - 76385000)
GrooveSystemServices.dll(65E50000 - 65E7D000)
LINKINFO.dll (76980000 - 76988000)
ntshrui.dll (76990000 - 769B5000)
ATL.DLL (76B20000 - 76B31000)
msxml3.dll (74980000 - 74AA3000)

PID 3032 - C:\Program Files\Windows Defender\MSASCui.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00C60000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00C60000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
MSVCR80.dll (78130000 - 781CB000)
msvcrt.dll (77C10000 - 77C68000)
MSVCP80.dll (7C420000 - 7C4A7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00C60000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
MpClient.dll (5B800000 - 5B84F000)
USERENV.dll (769C0000 - 76A74000)
gdiplus.dll (4EC50000 - 4EDFB000)
COMCTL32.dll (773D0000 - 774D3000)
OLEACC.dll (74C80000 - 74CAC000)
MSVCP60.dll (76080000 - 760E5000)
MsMpRes.dll (61800000 - 6189A000)
MpRtMon.DLL (5D800000 - 5D8AC000)
NETAPI32.dll (5B860000 - 5B8B5000)
WINHTTP.dll (4D4F0000 - 4D549000)
urlmon.dll (002B0000 - 003D8000)
iertutil.dll (3DFD0000 - 3E015000)
VERSION.dll (77C00000 - 77C08000)
IMM32.DLL (76390000 - 763AD000)
OAwatch.dll (00C60000 - 00D4B000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
uxtheme.dll (5AD70000 - 5ADA8000)
MSFTEDIT.DLL (4B400000 - 4B486000)
msctfime.ime (755C0000 - 755EE000)
rsaenh.dll (68000000 - 68036000)
MpAsDesc.dll (60800000 - 6080D000)

PID 3200 - C:\Program Files\iTunes\iTunesHelper.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00910000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00910000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00910000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
COMCTL32.dll (5D090000 - 5D12A000)
SHLWAPI.dll (77F60000 - 77FD6000)
msvcrt.dll (77C10000 - 77C68000)
IMM32.DLL (76390000 - 763AD000)
OAwatch.dll (00910000 - 009FB000)
oleaut32.dll (77120000 - 771AB000)
ole32.dll (774E0000 - 7761D000)
version.dll (77C00000 - 77C08000)
shell32.dll (7C9C0000 - 7D1D7000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
comctl32.dll (773D0000 - 774D3000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
iTunesHelper.dll (10000000 - 10037000)
CoreFoundation.dll (00B50000 - 00C1A000)
MSVCR80.dll (78130000 - 781CB000)
pthreadVC2.dll (003C0000 - 003D0000)
objc.dll (00C20000 - 00C3C000)
MSVCP80.dll (7C420000 - 7C4A7000)
icuin40.dll (00C70000 - 00D6D000)
icuuc40.dll (00D80000 - 00E61000)
icudt40.dll (4AD00000 - 4BA5B000)
ASL.dll (00E80000 - 00E8D000)
SETUPAPI.dll (77920000 - 77A13000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00EA0000 - 00EA9000)
iertutil.dll (3DFD0000 - 3E015000)
uxtheme.dll (5AD70000 - 5ADA8000)
iTunesHelperLocalized.DLL(014A0000 - 014AE000)
iTunesHelper.DLL (014D0000 - 014DE000)
msctfime.ime (755C0000 - 755EE000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
QuickTime.qts (66800000 - 673AB000)
QTCF.dll (68A40000 - 68A6E000)
WINMM.dll (76B40000 - 76B6D000)
comdlg32.dll (763B0000 - 763F9000)
gdiplus.dll (4EC50000 - 4EDFB000)
DSOUND.dll (73F10000 - 73F6C000)
CFNetwork.dll (01740000 - 017D3000)
SQLite3.dll (017F0000 - 01853000)
zlib1.dll (01870000 - 01883000)
iphlpapi.dll (76D60000 - 76D79000)
The code of IcmpSendEcho2 at 76D6B73C (0) got patched. Here is the diff:
Address New-Original
76D6B73C: FF - 8B
76D6B73D: 25 - FF
76D6B73E: 1E - 55
76D6B73F: 00 - 8B
76D6B740: 11 - EC
76D6B741: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50:
Base address:   00910000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ddraw.dll (73760000 - 737AB000)
DCIMAN32.dll (73BC0000 - 73BC6000)
iTunesMobileDevice.dll(01D90000 - 01EDF000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
xpsp2res.dll (02250000 - 02515000)
msi.dll (7D1E0000 - 7D49C000)
SXS.DLL (7E720000 - 7E7D0000)

PID 3232 - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00AB0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00AB0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
mfc90u.dll (789E0000 - 78D81000)
MSVCR90.dll (78520000 - 785C3000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00AB0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
SHLWAPI.dll (77F60000 - 77FD6000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
COMCTL32.dll (773D0000 - 774D3000)
MSIMG32.dll (76380000 - 76385000)
SHELL32.dll (7C9C0000 - 7D1D7000)
cclib.dll (10000000 - 10038000)
VERSION.dll (77C00000 - 77C08000)
MSVCP90.dll (78480000 - 7850E000)
IMM32.DLL (76390000 - 763AD000)
UxTheme.dll (5AD70000 - 5ADA8000)
MFC90ENU.DLL (5D360000 - 5D36D000)
OAwatch.dll (00AB0000 - 00B9B000)
oleaut32.dll (77120000 - 771AB000)
ole32.dll (774E0000 - 7761D000)
The code of CoCreateInstance at 7750057E (0) got patched. Here is the diff:
Address New-Original
7750057E: FF - 8B
7750057F: 25 - FF
77500580: 1E - 55
77500581: 00 - 8B
77500582: 11 - EC
77500583: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68:
Base address:   00AB0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CoCreateInstanceEx at 77500526 (0) got patched. Here is the diff:
Address New-Original
77500526: FF - 8B
77500527: 25 - FF
77500528: 1E - 55
77500529: 00 - 8B
7750052A: 14 - EC
7750052B: 5F - 6A
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54:
Base address:   00AB0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
msctfime.ime (755C0000 - 755EE000)
ccgen.dll (00D70000 - 00DE0000)
ccgenrc.dll (00E20000 - 00E29000)
ccguard.dll (00E30000 - 00E6A000)
ccgrdrc.dll (00E90000 - 00E97000)
avipc.dll (00EA0000 - 00EB2000)
ccupdate.dll (00ED0000 - 00EFC000)
ccupdrc.dll (00F20000 - 00F25000)
cclic.dll (00F30000 - 00F41000)
cclicrc.dll (01070000 - 01073000)
ccmsg.dll (01080000 - 010AD000)

PID 3316 - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
SETUPAPI.dll (77920000 - 77A13000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
WTSAPI32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
USERENV.dll (769C0000 - 76A74000)
IMM32.DLL (76390000 - 763AD000)
NTMARTA.DLL (77690000 - 776B1000)
ole32.dll (774E0000 - 7761D000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)

PID 3448 - C:\Program Files\Bonjour\mDNSResponder.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
IPHLPAPI.DLL (76D60000 - 76D79000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
IMM32.DLL (76390000 - 763AD000)
rsaenh.dll (68000000 - 68036000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
NETAPI32.dll (5B860000 - 5B8B5000)
WLDAP32.dll (76F60000 - 76F8C000)
ATL.DLL (76B20000 - 76B31000)
rtutils.dll (76E80000 - 76E8E000)
SAMLIB.dll (71BF0000 - 71C03000)
SETUPAPI.dll (77920000 - 77A13000)

PID 3476 - C:\Program Files\Common Files\Java\Java Update\jusched.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00B30000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00B30000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

SCHC · « **Reply #51 on:** March 14, 2010, 04:50:20 PM »

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00B30000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
WININET.dll (3D930000 - 3DA01000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
Normaliz.dll (00340000 - 00349000)
iertutil.dll (3DFD0000 - 3E015000)
ole32.dll (774E0000 - 7761D000)
SHELL32.dll (7C9C0000 - 7D1D7000)
OLEAUT32.dll (77120000 - 771AB000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
OAwatch.dll (00B30000 - 00C1B000)
version.dll (77C00000 - 77C08000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)

PID 3864 - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00420000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00420000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
OAwatch.dll (00420000 - 0050B000)
user32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00420000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
oleaut32.dll (77120000 - 771AB000)
msvcrt.dll (77C10000 - 77C68000)
ole32.dll (774E0000 - 7761D000)
version.dll (77C00000 - 77C08000)
comctl32.dll (773D0000 - 774D3000)
SHLWAPI.dll (77F60000 - 77FD6000)
shell32.dll (7C9C0000 - 7D1D7000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
IMM32.DLL (76390000 - 763AD000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
gtn.dll (10000000 - 10027000)
IPHLPAPI.DLL (76D60000 - 76D79000)
The code of IcmpSendEcho2 at 76D6B73C (0) got patched. Here is the diff:
Address New-Original
76D6B73C: FF - 8B
76D6B73D: 25 - FF
76D6B73E: 1E - 55
76D6B73F: 00 - 8B
76D6B740: 11 - EC
76D6B741: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50:
Base address:   00420000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
PSAPI.DLL (76BF0000 - 76BFB000)
RASAPI32.dll (76EE0000 - 76F1C000)
rasman.dll (76E90000 - 76EA2000)
TAPI32.dll (76EB0000 - 76EDF000)
rtutils.dll (76E80000 - 76E8E000)
WINMM.dll (76B40000 - 76B6D000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00350000 - 00359000)
iertutil.dll (3DFD0000 - 3E015000)
uxtheme.dll (5AD70000 - 5ADA8000)
USERENV.dll (769C0000 - 76A74000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
swg.dll (00E90000 - 00F5A000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
SETUPAPI.dll (77920000 - 77A13000)
msctfime.ime (755C0000 - 755EE000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
rsaenh.dll (68000000 - 68036000)
xpsp2res.dll (01180000 - 01445000)
msi.dll (7D1E0000 - 7D49C000)
SXS.DLL (7E720000 - 7E7D0000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
WLDAP32.dll (76F60000 - 76F8C000)
ATL.DLL (76B20000 - 76B31000)
SAMLIB.dll (71BF0000 - 71C03000)

PID 3956 - C:\Program Files\Digital Line Detect\DLG.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   009E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
SHELL32.dll (7C9C0000 - 7D1D7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
BVRPDIAG.dll (10000000 - 10006000)
SHFOLDER.dll (76780000 - 76789000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
MdmXSdk.dll (00900000 - 0093C000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
OAwatch.dll (009E0000 - 00ACB000)
oleaut32.dll (77120000 - 771AB000)
ole32.dll (774E0000 - 7761D000)
version.dll (77C00000 - 77C08000)
wsock32.dll (71AD0000 - 71AD9000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)

PID 152 - C:\Program Files\Java\jre6\bin\jqs.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
ole32.dll (774E0000 - 7761D000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
MSVCR71.dll (7C340000 - 7C396000)
IMM32.DLL (76390000 - 763AD000)
psapi.dll (76BF0000 - 76BFB000)
pdh.dll (74000000 - 74056000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
ODBC32.dll (74320000 - 7435D000)
odbcbcp.dll (711A0000 - 711A6000)
VERSION.dll (77C00000 - 77C08000)
OLEAUT32.dll (77120000 - 771AB000)
comctl32.dll (773D0000 - 774D3000)
odbcint.dll (007F0000 - 00807000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
perfos.dll (5E760000 - 5E76A000)
perfdisk.dll (5E790000 - 5E799000)

PID 516 - C:\WINDOWS\system32\nvsvc32.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
USERENV.dll (769C0000 - 76A74000)
msvcrt.dll (77C10000 - 77C68000)
POWRPROF.dll (74AD0000 - 74AD8000)
IMM32.DLL (76390000 - 763AD000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
COMCTL32.dll (5D090000 - 5D12A000)
OLEAUT32.dll (77120000 - 771AB000)
comctl32.dll (773D0000 - 774D3000)
nvapi.dll (007F0000 - 00846000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
iphlpapi.dll (76D60000 - 76D79000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
Apphelp.dll (77B40000 - 77B62000)
VERSION.dll (77C00000 - 77C08000)

PID 1576 - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
SETUPAPI.dll (77920000 - 77A13000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
msvcrt.dll (77C10000 - 77C68000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
WINSPOOL.DRV (73000000 - 73026000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
uxtheme.dll (5AD70000 - 5ADA8000)
xpsp2res.dll (00870000 - 00B35000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
VERSION.dll (77C00000 - 77C08000)

PID 1896 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
wiaservc.dll (75AA0000 - 75AF5000)
CFGMGR32.dll (74AE0000 - 74AE7000)
setupapi.DLL (77920000 - 77A13000)
mscms.dll (73B30000 - 73B45000)
WINSPOOL.DRV (73000000 - 73026000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
xpsp2res.dll (00680000 - 00945000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
wiavusd.dll (5A4B0000 - 5A4D6000)
gdiplus.dll (4EC50000 - 4EDFB000)
SHFOLDER.dll (76780000 - 76789000)
actxprxy.dll (71D40000 - 71D5B000)

PID 2932 - C:\Program Files\iPod\bin\iPodService.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
CFGMGR32.dll (74AE0000 - 74AE7000)
setupapi.dll (77920000 - 77A13000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
GDI32.dll (77F10000 - 77F59000)
USER32.dll (7E410000 - 7E4A1000)
msvcrt.dll (77C10000 - 77C68000)
VERSION.dll (77C00000 - 77C08000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
IMM32.DLL (76390000 - 763AD000)
iPodServiceLocalized.DLL(10000000 - 1000E000)
iPodService.DLL (008A0000 - 008AE000)
xpsp2res.dll (00CD0000 - 00F95000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
msi.dll (7D1E0000 - 7D49C000)
SXS.DLL (7E720000 - 7E7D0000)
uxtheme.dll (5AD70000 - 5ADA8000)
Wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)

PID 3584 - C:\WINDOWS\System32\alg.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
msvcrt.dll (77C10000 - 77C68000)
ATL.DLL (76B20000 - 76B31000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
WSOCK32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
MSWSOCK.DLL (71A50000 - 71A8F000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
WINMM.dll (76B40000 - 76B6D000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
xpsp2res.dll (00740000 - 00A05000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)

PID 2160 - C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00CE0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00CE0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
acAuth.dll (10000000 - 10123000)
WS2_32.dll (71AB0000 - 71AC7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
WS2HELP.dll (71AA0000 - 71AA8000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00CE0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
SETUPAPI.dll (77920000 - 77A13000)
iphlpapi.dll (76D60000 - 76D79000)
The code of IcmpSendEcho at 76D64B79 (0) got patched. Here is the diff:
Address New-Original
76D64B79: FF - 8B
76D64B7A: 25 - FF
76D64B7B: 1E - 55
76D64B7C: 00 - 8B
76D64B7D: 11 - EC
76D64B7E: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0B00

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0B00:
Base address:   00CE0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of IcmpSendEcho2 at 76D6B73C (0) got patched. Here is the diff:
Address New-Original
76D6B73C: FF - 8B
76D6B73D: 25 - FF
76D6B73E: 1E - 55
76D6B73F: 00 - 8B
76D6B740: 14 - EC
76D6B741: 5F - 83
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50:
Base address:   00CE0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ole32.dll (774E0000 - 7761D000)
The code of CoCreateInstance at 7750057E (0) got patched. Here is the diff:
Address New-Original
7750057E: FF - 8B
7750057F: 25 - FF
77500580: 1E - 55
77500581: 00 - 8B
77500582: 17 - EC
77500583: 5F - 83
--> JMP DWORD PTR DS:[5F17001E]
--> JMP 5F160F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68:
Base address:   00CE0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CoCreateInstanceEx at 77500526 (0) got patched. Here is the diff:
Address New-Original
77500526: FF - 8B
77500527: 25 - FF
77500528: 1E - 55
77500529: 00 - 8B
7750052A: 1A - EC
7750052B: 5F - 6A
--> JMP DWORD PTR DS:[5F1A001E]
--> JMP 5F190F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54:
Base address:   00CE0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
C1XStngs.dll (00330000 - 003EF000)
PsRegApi.dll (00490000 - 00512000)
comdlg32.dll (763B0000 - 763F9000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
WINSPOOL.DRV (73000000 - 73026000)
OLEAUT32.dll (77120000 - 771AB000)
PSAPI.DLL (76BF0000 - 76BFB000)
IntStngs.dll (00520000 - 00579000)
TraceAPI.DLL (00580000 - 005E9000)
OLEACC.dll (74C80000 - 74CAC000)
MSVCP60.dll (76080000 - 760E5000)
WinSCard.dll (723D0000 - 723EC000)
WTSAPI32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
oledlg.dll (7DF70000 - 7DF92000)
IWMSPROV.DLL (005F0000 - 0060F000)
USERENV.dll (769C0000 - 76A74000)
ICMP.dll (74290000 - 74294000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00CE0000 - 00DCB000)
version.dll (77C00000 - 77C08000)
wsock32.dll (71AD0000 - 71AD9000)
uxtheme.dll (5AD70000 - 5ADA8000)
LSAWRAPI.dll (23000000 - 2300D000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
msado15.dll (4DE10000 - 4DE93000)
MSDART.DLL (765B0000 - 765D5000)
xpsp2res.dll (01210000 - 014D5000)
oledb32.dll (73160000 - 731D7000)
OLEDB32R.DLL (75350000 - 75361000)
msdasql.dll (016E0000 - 0172D000)
MSDATL3.dll (60E30000 - 60E47000)
ODBC32.dll (74320000 - 7435D000)
odbcint.dll (00FC0000 - 00FD7000)
MSDASQLR.DLL (00FE0000 - 00FE4000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
CLUSAPI.DLL (76D10000 - 76D22000)
RESUTILS.DLL (750B0000 - 750C2000)
odbcjt32.dll (4DD40000 - 4DD84000)
msjet40.dll (1B000000 - 1B170000)
mswstr10.dll (1B5D0000 - 1B665000)
odbcji32.dll (5D130000 - 5D13E000)
msjter40.dll (1B2C0000 - 1B2CD000)
MSJINT40.DLL (1B2D0000 - 1B2F6000)
odbccp32.dll (5FE80000 - 5FE9B000)
msadce.dll (74060000 - 740B1000)
msadcer.dll (06C20000 - 06C25000)
msi.dll (7D1E0000 - 7D49C000)
SXS.DLL (7E720000 - 7E7D0000)
msctfime.ime (755C0000 - 755EE000)
rsaenh.dll (68000000 - 68036000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
PfMgrApi.dll (07730000 - 0780F000)
LIBEAY32.dll (07930000 - 07A3F000)
DbEngine.dll (06BC0000 - 06C19000)

PID 3960 - C:\WINDOWS\system32\wscntfy.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   007E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

SCHC · « **Reply #52 on:** March 14, 2010, 04:50:56 PM »

The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   007E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2F - FF
7C80AC96: F5 - FF
msvcrt.dll (77C10000 - 77C68000)
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   007E0000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
SHELL32.dll (7C9C0000 - 7D1D7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
SHLWAPI.dll (77F60000 - 77FD6000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (007E0000 - 008CB000)
oleaut32.dll (77120000 - 771AB000)
ole32.dll (774E0000 - 7761D000)
version.dll (77C00000 - 77C08000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
xpsp2res.dll (00B50000 - 00E15000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)

PID 2796 - C:\Documents and Settings\Me\Desktop\radix_installer\radixgui.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
Address New-Original
7C80236B: FF - 8B
7C80236C: 25 - FF
7C80236D: 1E - 55
7C80236E: 00 - 8B
7C80236F: 05 - EC
7C802370: 5F - 6A
--> JMP DWORD PTR DS:[5F05001E]
--> JMP 5F040F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xBFDE0:
Base address:   00A90000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
Address New-Original
7C802336: FF - 8B
7C802337: 25 - FF
7C802338: 1E - 55
7C802339: 00 - 8B
7C80233A: 0B - EC
7C80233B: 5F - 6A
--> JMP DWORD PTR DS:[5F0B001E]
--> JMP 5F0A0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC03AC:
Base address:   00A90000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
USER32.dll (7E410000 - 7E4A1000)
The code of ExitWindowsEx at 7E45A275 (0) got patched. Here is the diff:
Address New-Original
7E45A275: FF - 8B
7E45A276: 25 - FF
7E45A277: 1E - 55
7E45A278: 00 - 8B
7E45A279: 0E - EC
7E45A27A: 5F - 83
--> JMP DWORD PTR DS:[5F0E001E]
--> JMP 5F0D0F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0978:
Base address:   00A90000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GDI32.dll (77F10000 - 77F59000)
comdlg32.dll (763B0000 - 763F9000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
The code of CoCreateInstance at 7750057E (0) got patched. Here is the diff:
Address New-Original
7750057E: FF - 8B
7750057F: 25 - FF
77500580: 1E - 55
77500581: 00 - 8B
77500582: 11 - EC
77500583: 5F - 83
--> JMP DWORD PTR DS:[5F11001E]
--> JMP 5F100F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1D68:
Base address:   00A90000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The code of CoCreateInstanceEx at 77500526 (0) got patched. Here is the diff:
Address New-Original
77500526: FF - 8B
77500527: 25 - FF
77500528: 1E - 55
77500529: 00 - 8B
7750052A: 14 - EC
7750052B: 5F - 6A
--> JMP DWORD PTR DS:[5F14001E]
--> JMP 5F130F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC1F54:
Base address:   00A90000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
VERSION.dll (77C00000 - 77C08000)
dbghelp.dll (59A60000 - 59B01000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00A90000 - 00B7B000)
oleaut32.dll (77120000 - 771AB000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
wintrust.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
xpsp2res.dll (0F600000 - 0F8C5000)
rsaenh.dll (68000000 - 68036000)
userenv.dll (769C0000 - 76A74000)
cryptnet.dll (75E60000 - 75E73000)
PSAPI.DLL (76BF0000 - 76BFB000)
SensApi.dll (722B0000 - 722B5000)
WINHTTP.dll (4D4F0000 - 4D549000)
WLDAP32.dll (76F60000 - 76F8C000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
RASAPI32.DLL (76EE0000 - 76F1C000)
rasman.dll (76E90000 - 76EA2000)
TAPI32.dll (76EB0000 - 76EDF000)
rtutils.dll (76E80000 - 76E8E000)
WINMM.dll (76B40000 - 76B6D000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
iphlpapi.dll (76D60000 - 76D79000)
The code of IcmpSendEcho2 at 76D6B73C (0) got patched. Here is the diff:
Address New-Original
76D6B73C: FF - 8B
76D6B73D: 25 - FF
76D6B73E: 1E - 55
76D6B73F: 00 - 8B
76D6B740: 17 - EC
76D6B741: 5F - 83
--> JMP DWORD PTR DS:[5F17001E]
--> JMP 5F160F5A
Patched by C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Information about C:\Program Files\Tall Emu\Online Armor\OAwatch.dll+0xC0C50:
Base address:   00A90000
Size:      000EB000
Flags:      80284004
Load count:   2
Name:      Online Armor Firewall
Prod. Version:   4.0.0.15
Company:   Tall Emu
File Version:   4.0.0.15
Description:   Online Armor Component
Location:   C:\Program Files\Tall Emu\Online Armor\OAwatch.dll
Signed:      YES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DNSAPI.dll (76F20000 - 76F47000)
mdnsNSP.dll (16080000 - 160A5000)
rasadhlp.dll (76FC0000 - 76FC6000)
---- Check ended at 14.3.2010 22:27:14 ----

Dr Jay · « **Reply #53 on:** March 15, 2010, 03:05:48 PM »

The black screen at Startup is probably normal. We can modify that, if you like.

Any other issues? List any...like slowness, instability, etc.

SCHC · « **Reply #54 on:** March 15, 2010, 05:24:27 PM »

Not much. It's still giving two messages at start up about processes not starting (I mentioned them back on page 3 of this thread). Also still getting a message about a program from my firewall when I boot up (also on page 3).

Firefox had been crashing when I visited some websites (didn't seem to be any rhyme or reason to which ones) but that hasn't happened since running MBAM and everything else.

Otherwise, speed, stability, etc. seem normal.

I haven't been trusting my computer so I haven't been visiting any sites that require passwords (excepting this one), but I'd like to know when I can do so again. Thanks so much.

Dr Jay · « **Reply #55 on:** March 15, 2010, 07:34:46 PM »

Are you able to take screen shots of the messages or tell me what they say specifically?

SCHC · « **Reply #56 on:** March 16, 2010, 02:10:31 AM »

Error loading rqrstu.dll
The specified module could not be found.

and

Error loading jkhfde.dll
The specified module could not be found.

Dr Jay · « **Reply #57 on:** March 16, 2010, 11:03:01 AM »

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

Code: [Select]

:filefind
jkhfde.dll
rqrstu.dll

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

SCHC · « **Reply #58 on:** March 16, 2010, 01:30:53 PM »

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:30 on 16/03/2010 by Me (Administrator - Elevation successful)

========== filefind ==========

Searching for "jkhfde.dll"
No files found.

Searching for "rqrstu.dll"
No files found.

-=End Of File=-

Is there a reason I couldn't cut and paste into SystemLook? I ended up having to type in the command since the cut and paste wasn't working.

Dr Jay · « **Reply #59 on:** March 16, 2010, 09:33:20 PM »

Please download OTS by OldTimer and save it to your Desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Double-click on OTS to start the program (if you are running on Vista then right-click the program and
choose Run as Administrator).
At the top, tick on Scan All Users section
At File Age set it to 90 Days
In the Processes, Modules, Services, Drivers, and Registry
section, please set on Safe List.
In the Files Created Within and Files Modified Within section, set it to File Age
At the bottom, tick on all Safe List and Use Company Name WhiteList option
Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - Ext
Reg - IE
Explorer Bar
Reg - NetSvcs
Reg - Safeboot Minimal
Reg - Safeboot Network
File - Lop Check
File - Purity Scan

Do NOT change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Computer Hope Forum

News:

Author Topic: Problem - Please Help (Read 72089 times)

SCHC

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

Dr Jay

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

Dr Jay

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

Dr Jay

Re: Problem - Please Help

SCHC

Re: Problem - Please Help

Dr Jay

Re: Problem - Please Help