
Topic: Can't run programs or connect to internet

Xerinous (Topic Starter, Beginner)

    Re: Can't run programs or connect to internet
    « Reply #75 on: August 08, 2010, 09:29:46 PM »

    PID 1152  - C:\WINDOWS\system32\services.exe
    -------------------------------------------------------------------------------
    ntdll.dll           (7C900000 - 7C9B2000)
    The code of NtCreateFile at 7C90D0AE (0) got patched. Here is the diff:
    Address   New-Original
    7C90D0AE: E9 - B8 
    7C90D0AF: 32 - 25 
    7C90D0B0: 3F - 00 
    7C90D0B1: 74 - 00 
    7C90D0B2: 83 - 00 
    --> JMP DWORD PTR DS:[00050FE5]
    Disassembly old code:
    7C90D0AE: B8 25000000  MOV EAX, 00000025

    Disassembly new code:
    7C90D0AE: E9 323F7483  JMP 00050FE5
    Disassembly of hooker:
    00050FE5: 68 25B8E9C4  PUSH C4E9B825
    00050FEA: E8 CFCF8B7C  CALL 7C90DFBE
    00050FEF: 58           POP EAX
    00050FF0: C2 2C00      RET 002C
    00050FF3: C3           RET ; Pop IP
    00050FF4: 0400         ADD AL, 00
    00050FF6: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FF8: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FFA: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FFC: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FFE: 0000         ADD BYTE PTR DS:[EAX],AL
    00051000: 0000         ADD BYTE PTR DS:[EAX],AL
    00051002: 0000         ADD BYTE PTR DS:[EAX],AL
    00051004: 0000         ADD BYTE PTR DS:[EAX],AL
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of NtCreateProcess at 7C90D14E (0) got patched. Here is the diff:
    Address   New-Original
    7C90D14E: E9 - B8 
    7C90D14F: 81 - 2F 
    7C90D150: 3E - 00 
    7C90D151: 74 - 00 
    7C90D152: 83 - 00 
    --> JMP DWORD PTR DS:[00050FD4]
    Disassembly old code:
    7C90D14E: B8 2F000000  MOV EAX, 0000002F

    Disassembly new code:
    7C90D14E: E9 813E7483  JMP 00050FD4
    Disassembly of hooker:
    00050FD4: 68 25B8E9C4  PUSH C4E9B825
    00050FD9: E8 E0CF8B7C  CALL 7C90DFBE
    00050FDE: 58           POP EAX
    00050FDF: C2 2000      RET 0020
    00050FE2: C3           RET ; Pop IP
    00050FE3: 06           PUSH ES ; Push ES register to the stack
    00050FE4: 006825       ADD BYTE PTR DS:[EAX+25H],CH
    00050FE7: B8 E9C4E8CF  MOV EAX, CFE8C4E9
    00050FEC: CF           IRETD
    00050FED: 8B7C58C2     MOV EDI,DWORD PTR DS:[EBX*2+EAX-3EH]
    00050FF1: 2C00         SUB AL, 00
    00050FF3: C3           RET ; Pop IP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of NtProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
    Address   New-Original
    7C90D6EE: E9 - B8 
    7C90D6EF: 0D - 89 
    7C90D6F0: 29 - 00 
    7C90D6F1: 74 - 00 
    7C90D6F2: 83 - 00 
    --> JMP DWORD PTR DS:[00050000]
    Disassembly old code:
    7C90D6EE: B8 89000000  MOV EAX, 00000089

    Disassembly new code:
    7C90D6EE: E9 0D297483  JMP 00050000
    Disassembly of hooker:
    00050000: 68 25B8E9C4  PUSH C4E9B825
    00050005: E8 B4DF8B7C  CALL 7C90DFBE
    0005000A: 58           POP EAX
    0005000B: C2 1400      RET 0014
    0005000E: C3           RET ; Pop IP
    0005000F: 05 00B88900  ADD EAX, 0089B800
    00050014: 0000         ADD BYTE PTR DS:[EAX],AL
    00050016: E9 D8D68B7C  JMP 7C90D6F3
    0005001B: B8 2F000000  MOV EAX, 0000002F
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of ZwCreateFile at 7C90D0AE (0) got patched. Here is the diff:
    Address   New-Original
    7C90D0AE: E9 - B8 
    7C90D0AF: 32 - 25 
    7C90D0B0: 3F - 00 
    7C90D0B1: 74 - 00 
    7C90D0B2: 83 - 00 
    --> JMP DWORD PTR DS:[00050FE5]
    Disassembly old code:
    7C90D0AE: B8 25000000  MOV EAX, 00000025

    Disassembly new code:
    7C90D0AE: E9 323F7483  JMP 00050FE5
    Disassembly of hooker:
    00050FE5: 68 25B8E9C4  PUSH C4E9B825
    00050FEA: E8 CFCF8B7C  CALL 7C90DFBE
    00050FEF: 58           POP EAX
    00050FF0: C2 2C00      RET 002C
    00050FF3: C3           RET ; Pop IP
    00050FF4: 0400         ADD AL, 00
    00050FF6: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FF8: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FFA: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FFC: 0000         ADD BYTE PTR DS:[EAX],AL
    00050FFE: 0000         ADD BYTE PTR DS:[EAX],AL
    00051000: 0000         ADD BYTE PTR DS:[EAX],AL
    00051002: 0000         ADD BYTE PTR DS:[EAX],AL
    00051004: 0000         ADD BYTE PTR DS:[EAX],AL
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of ZwCreateProcess at 7C90D14E (0) got patched. Here is the diff:
    Address   New-Original
    7C90D14E: E9 - B8 
    7C90D14F: 81 - 2F 
    7C90D150: 3E - 00 
    7C90D151: 74 - 00 
    7C90D152: 83 - 00 
    --> JMP DWORD PTR DS:[00050FD4]
    Disassembly old code:
    7C90D14E: B8 2F000000  MOV EAX, 0000002F

    Disassembly new code:
    7C90D14E: E9 813E7483  JMP 00050FD4
    Disassembly of hooker:
    00050FD4: 68 25B8E9C4  PUSH C4E9B825
    00050FD9: E8 E0CF8B7C  CALL 7C90DFBE
    00050FDE: 58           POP EAX
    00050FDF: C2 2000      RET 0020
    00050FE2: C3           RET ; Pop IP
    00050FE3: 06           PUSH ES ; Push ES register to the stack
    00050FE4: 006825       ADD BYTE PTR DS:[EAX+25H],CH
    00050FE7: B8 E9C4E8CF  MOV EAX, CFE8C4E9
    00050FEC: CF           IRETD
    00050FED: 8B7C58C2     MOV EDI,DWORD PTR DS:[EBX*2+EAX-3EH]
    00050FF1: 2C00         SUB AL, 00
    00050FF3: C3           RET ; Pop IP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of ZwProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
    Address   New-Original
    7C90D6EE: E9 - B8 
    7C90D6EF: 0D - 89 
    7C90D6F0: 29 - 00 
    7C90D6F1: 74 - 00 
    7C90D6F2: 83 - 00 
    --> JMP DWORD PTR DS:[00050000]
    Disassembly old code:
    7C90D6EE: B8 89000000  MOV EAX, 00000089

    Disassembly new code:
    7C90D6EE: E9 0D297483  JMP 00050000
    Disassembly of hooker:
    00050000: 68 25B8E9C4  PUSH C4E9B825
    00050005: E8 B4DF8B7C  CALL 7C90DFBE
    0005000A: 58           POP EAX
    0005000B: C2 1400      RET 0014
    0005000E: C3           RET ; Pop IP
    0005000F: 05 00B88900  ADD EAX, 0089B800
    00050014: 0000         ADD BYTE PTR DS:[EAX],AL
    00050016: E9 D8D68B7C  JMP 7C90D6F3
    0005001B: B8 2F000000  MOV EAX, 0000002F
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    kernel32.dll        (7C800000 - 7C8F6000)
      services.exe:LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\Program Files\CA\PPRT\bin\CACheck.dll:
    Base address:   10000000
    Size:      00021000
    Flags:      800C4004
    Load count:   1
    Name:      eTrust PestPatrol Realtime Protection
    Prod. Version:   1.1.0.24
    Company:   CA, Inc.
    File Version:   1.1.0.24
    Description:   API interceptors
    Location:   C:\Program Files\CA\PPRT\bin\CACheck.dll
    Signed:      YES
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      services.exe:CreateProcessW           --[HOOKED]--  @10010160 by C:\Program Files\CA\PPRT\bin\CACheck.dll

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\Program Files\CA\PPRT\bin\CACheck.dll:
    Base address:   10000000
    Size:      00021000
    Flags:      800C4004
    Load count:   1
    Name:      eTrust PestPatrol Realtime Protection
    Prod. Version:   1.1.0.24
    Company:   CA, Inc.
    File Version:   1.1.0.24
    Description:   API interceptors
    Location:   C:\Program Files\CA\PPRT\bin\CACheck.dll
    Signed:      YES
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      services.exe:GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\Program Files\CA\PPRT\bin\CACheck.dll:
    Base address:   10000000
    Size:      00021000
    Flags:      800C4004
    Load count:   1
    Name:      eTrust PestPatrol Realtime Protection
    Prod. Version:   1.1.0.24
    Company:   CA, Inc.
    File Version:   1.1.0.24
    Description:   API interceptors
    Location:   C:\Program Files\CA\PPRT\bin\CACheck.dll
    Signed:      YES
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      services.exe:LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\Program Files\CA\PPRT\bin\CACheck.dll:
    Base address:   10000000
    Size:      00021000
    Flags:      800C4004
    Load count:   1
    Name:      eTrust PestPatrol Realtime Protection
    Prod. Version:   1.1.0.24
    Company:   CA, Inc.
    File Version:   1.1.0.24
    Description:   API interceptors
    Location:   C:\Program Files\CA\PPRT\bin\CACheck.dll
    Signed:      YES
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ADVAPI32.dll:LoadLibraryExW           --[HOOKED]--  @1000F6C0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      ADVAPI32.dll:LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      ADVAPI32.dll:LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      ADVAPI32.dll:GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      RPCRT4.dll  :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      RPCRT4.dll  :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      RPCRT4.dll  :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      Secur32.dll :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      Secur32.dll :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      Secur32.dll :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      msvcrt.dll  :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      msvcrt.dll  :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      msvcrt.dll  :CreateProcessA           --[HOOKED]--  @1000FF90 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      msvcrt.dll  :CreateProcessW           --[HOOKED]--  @10010160 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      SCESRV.dll  :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      SCESRV.dll  :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      SCESRV.dll  :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      SCESRV.dll  :LoadLibraryExA           --[HOOKED]--  @1000F4B0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      AUTHZ.dll   :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      AUTHZ.dll   :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USER32.dll  :LoadLibraryExW           --[HOOKED]--  @1000F6C0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USER32.dll  :CreateProcessW           --[HOOKED]--  @10010160 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USER32.dll  :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USER32.dll  :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USER32.dll  :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      GDI32.dll   :LoadLibraryExW           --[HOOKED]--  @1000F6C0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      GDI32.dll   :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      GDI32.dll   :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      GDI32.dll   :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USERENV.dll :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USERENV.dll :LoadLibraryExA           --[HOOKED]--  @1000F4B0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USERENV.dll :CreateProcessW           --[HOOKED]--  @10010160 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USERENV.dll :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      USERENV.dll :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      umpnpmgr.dll:GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      umpnpmgr.dll:LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      NETAPI32.dll:LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      NETAPI32.dll:LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      NETAPI32.dll:GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      ShimEng.dll :CreateProcessW           --[HOOKED]--  @10010160 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      AcAdProc.dll:LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      AcAdProc.dll:GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      IMM32.DLL   :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      IMM32.DLL   :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      eventlog.dll:LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      eventlog.dll:LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      eventlog.dll:GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      eventlog.dll:LoadLibraryExW           --[HOOKED]--  @1000F6C0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      PSAPI.DLL   :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      PSAPI.DLL   :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      WS2_32.dll  :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      WS2_32.dll  :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      WS2HELP.dll :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      WS2HELP.dll :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      wtsapi32.dll:LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      wtsapi32.dll:GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      Apphelp.dll :CreateProcessW           --[HOOKED]--  @10010160 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      Apphelp.dll :LoadLibraryW             --[HOOKED]--  @1000FA50 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      Apphelp.dll :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      Apphelp.dll :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      MSVCR71.dll :GetProcAddress           --[HOOKED]--  @1000F330 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      MSVCR71.dll :LoadLibraryA             --[HOOKED]--  @1000F8D0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      MSVCR71.dll :CreateProcessA           --[HOOKED]--  @1000FF90 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      MSVCR71.dll :CreateProcessW           --[HOOKED]--  @10010160 by C:\Program Files\CA\PPRT\bin\CACheck.dll
    The code of CreateFileA at 7C801A28 (0) got patched. Here is the diff:
    Address   New-Original
    7C801A28: E9 - 8B 
    7C801A29: C2 - FF 
    7C801A2A: F5 - 55 
    7C801A2B: 83 - 8B 
    7C801A2C: 83 - EC 
    --> JMP DWORD PTR DS:[00040FEF]
    Disassembly old code:
    7C801A28: 8BFF         MOV EDI, EDI
    7C801A2A: 55           PUSH EBP
    7C801A2B: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C801A28: E9 C2F58383  JMP 00040FEF
    Disassembly of hooker:
    00040FEF: 68 25B8E9C4  PUSH C4E9B825
    00040FF4: E8 C5CF8C7C  CALL 7C90DFBE
    00040FF9: 58           POP EAX
    00040FFA: C2 1C00      RET 001C
    00040FFD: C3           RET ; Pop IP
    00040FFE: 0100         ADD DWORD PTR DS:[EAX],EAX
    00041000: 0000         ADD BYTE PTR DS:[EAX],AL
    00041002: 0000         ADD BYTE PTR DS:[EAX],AL
    00041004: 0000         ADD BYTE PTR DS:[EAX],AL
    00041006: 0000         ADD BYTE PTR DS:[EAX],AL
    00041008: 0000         ADD BYTE PTR DS:[EAX],AL
    0004100A: 0000         ADD BYTE PTR DS:[EAX],AL
    0004100C: 0000         ADD BYTE PTR DS:[EAX],AL
    0004100E: 0000         ADD BYTE PTR DS:[EAX],AL
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of CreateFileW at 7C810800 (0) got patched. Here is the diff:
    Address   New-Original
    7C810800: E9 - 8B 
    7C810801: FB - FF 
    7C810802: F7 - 55 
    7C810803: 82 - 8B 
    7C810804: 83 - EC 
    --> JMP DWORD PTR DS:[00040000]
    Disassembly old code:
    7C810800: 8BFF         MOV EDI, EDI
    7C810802: 55           PUSH EBP
    7C810803: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C810800: E9 FBF78283  JMP 00040000
    Disassembly of hooker:
    00040000: 68 25B8E9C4  PUSH C4E9B825
    00040005: E8 B4DF8C7C  CALL 7C90DFBE
    0004000A: 58           POP EAX
    0004000B: C2 1C00      RET 001C
    0004000E: C3           RET ; Pop IP
    0004000F: 0200         ADD AL,BYTE PTR DS:[EAX]
    00040011: 8BFF         MOV EDI, EDI
    00040013: 55           PUSH EBP
    00040014: 8BEC         MOV EBP, ESP
    00040016: E9 EA077D7C  JMP 7C810805
    0004001B: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of CreateNamedPipeA at 7C860CDC (0) got patched. Here is the diff:
    Address   New-Original
    7C860CDC: E9 - 8B 
    7C860CDD: F3 - FF 
    7C860CDE: 02 - 55 
    7C860CDF: 7E - 8B 
    7C860CE0: 83 - EC 
    --> JMP DWORD PTR DS:[00040FD4]
    Disassembly old code:
    7C860CDC: 8BFF         MOV EDI, EDI
    7C860CDE: 55           PUSH EBP
    7C860CDF: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C860CDC: E9 F3027E83  JMP 00040FD4
    Disassembly of hooker:
    00040FD4: 68 25B8E9C4  PUSH C4E9B825
    00040FD9: E8 E0CF8C7C  CALL 7C90DFBE
    00040FDE: 58           POP EAX
    00040FDF: C2 2000      RET 0020
    00040FE2: C3           RET ; Pop IP
    00040FE3: 0300         ADD EAX,DWORD PTR DS:[EAX]
    00040FE5: 8BFF         MOV EDI, EDI
    00040FE7: 55           PUSH EBP
    00040FE8: 8BEC         MOV EBP, ESP
    00040FEA: E9 3E0A7C7C  JMP 7C801A2D
    00040FEF: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of CreateNamedPipeW at 7C82F0DD (0) got patched. Here is the diff:
    Address   New-Original
    7C82F0DD: E9 - 8B 
    7C82F0DE: CD - FF 
    7C82F0DF: 1E - 55 
    7C82F0E0: 81 - 8B 
    7C82F0E1: 83 - EC 
    --> JMP DWORD PTR DS:[00040FAF]
    Disassembly old code:
    7C82F0DD: 8BFF         MOV EDI, EDI
    7C82F0DF: 55           PUSH EBP
    7C82F0E0: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C82F0DD: E9 CD1E8183  JMP 00040FAF
    Disassembly of hooker:
    00040FAF: 68 25B8E9C4  PUSH C4E9B825
    00040FB4: E8 05D08C7C  CALL 7C90DFBE
    00040FB9: 58           POP EAX
    00040FBA: C2 2000      RET 0020
    00040FBD: C3           RET ; Pop IP
    00040FBE: 16           PUSH SS ; Push SS register to the stack
    00040FBF: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
    00040FC5: E9 18E17E7C  JMP 7C82F0E2
    00040FCA: 8BFF         MOV EDI, EDI
    00040FCC: 55           PUSH EBP
    00040FCD: 8BEC         MOV EBP, ESP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of CreatePipe at 7C81D83F (0) got patched. Here is the diff:
    Address   New-Original
    7C81D83F: E9 - 8B 
    7C81D840: 1E - FF 
    7C81D841: 28 - 55 
    7C81D842: 82 - 8B 
    7C81D843: 83 - EC 
    --> JMP DWORD PTR DS:[00040062]
    Disassembly old code:
    7C81D83F: 8BFF         MOV EDI, EDI
    7C81D841: 55           PUSH EBP
    7C81D842: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C81D83F: E9 1E288283  JMP 00040062
    Disassembly of hooker:
    00040062: 68 25B8E9C4  PUSH C4E9B825
    00040067: E8 52DF8C7C  CALL 7C90DFBE
    0004006C: 58           POP EAX
    0004006D: C2 1000      RET 0010
    00040070: C3           RET ; Pop IP
    00040071: 1D 008BFF55  SBB EAX, 55FF8B00
    00040076: 8BEC         MOV EBP, ESP
    00040078: E9 C7D77D7C  JMP 7C81D844
    0004007D: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
    Address   New-Original
    7C80236B: E9 - 8B 
    7C80236C: 56 - FF 
    7C80236D: DD - 55 
    7C80236E: 83 - 8B 
    7C80236F: 83 - EC 
    --> JMP DWORD PTR DS:[000400C6]
    Disassembly old code:
    7C80236B: 8BFF         MOV EDI, EDI
    7C80236D: 55           PUSH EBP
    7C80236E: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C80236B: E9 56DD8383  JMP 000400C6
    Disassembly of hooker:
    000400C6: 68 25B8E9C4  PUSH C4E9B825
    000400CB: E8 EEDE8C7C  CALL 7C90DFBE
    000400D0: 58           POP EAX
    000400D1: C2 2800      RET 0028
    000400D4: C3           RET ; Pop IP
    000400D5: 2100         AND DWORD PTR DS:[EAX],EAX
    000400D7: 8BFF         MOV EDI, EDI
    000400D9: 55           PUSH EBP
    000400DA: 8BEC         MOV EBP, ESP
    000400DC: E9 5A227C7C  JMP 7C80233B
    000400E1: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
    Address   New-Original
    7C802336: E9 - 8B 
    7C802337: A6 - FF 
    7C802338: DD - 55 
    7C802339: 83 - 8B 
    7C80233A: 83 - EC 
    --> JMP DWORD PTR DS:[000400E1]
    Disassembly old code:
    7C802336: 8BFF         MOV EDI, EDI
    7C802338: 55           PUSH EBP
    7C802339: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C802336: E9 A6DD8383  JMP 000400E1
    Disassembly of hooker:
    000400E1: 68 25B8E9C4  PUSH C4E9B825
    000400E6: E8 D3DE8C7C  CALL 7C90DFBE
    000400EB: 58           POP EAX
    000400EC: C2 2800      RET 0028
    000400EF: C3           RET ; Pop IP
    000400F0: 2200         AND AL,BYTE PTR DS:[EAX]
    000400F2: 68 25B8E9C4  PUSH C4E9B825
    000400F7: E8 C2DE8C7C  CALL 7C90DFBE
    000400FC: 58           POP EAX
    000400FD: C2 0800      RET 0008
    00040100: C3           RET ; Pop IP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of GetProcAddress at 7C80AE40 (0) got patched. Here is the diff:
    Address   New-Original
    7C80AE40: E9 - 8B 
    7C80AE41: AD - FF 
    7C80AE42: 52 - 55 
    7C80AE43: 83 - 8B 
    7C80AE44: 83 - EC 
    --> JMP DWORD PTR DS:[000400F2]
    Disassembly old code:
    7C80AE40: 8BFF         MOV EDI, EDI
    7C80AE42: 55           PUSH EBP
    7C80AE43: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C80AE40: E9 AD528383  JMP 000400F2
    Disassembly of hooker:
    000400F2: 68 25B8E9C4  PUSH C4E9B825
    000400F7: E8 C2DE8C7C  CALL 7C90DFBE
    000400FC: 58           POP EAX
    000400FD: C2 0800      RET 0008
    00040100: C3           RET ; Pop IP
    00040101: 2300         AND EAX,DWORD PTR DS:[EAX]
    00040103: 8BFF         MOV EDI, EDI
    00040105: 55           PUSH EBP
    00040106: 8BEC         MOV EBP, ESP
    00040108: E9 38AD7C7C  JMP 7C80AE45
    0004010D: 0000         ADD BYTE PTR DS:[EAX],AL
    0004010F: 0000         ADD BYTE PTR DS:[EAX],AL
    00040111: 0000         ADD BYTE PTR DS:[EAX],AL
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of GetStartupInfoA at 7C801EF2 (0) got patched. Here is the diff:
    Address   New-Original
    7C801EF2: E9 - 6A 
    7C801EF3: 86 - 18 
    7C801EF4: E1 - 68 
    --> JMP DWORD PTR DS:[0004007D]
    Disassembly old code:
    7C801EF2: 6A18         PUSH 18

    Disassembly new code:
    7C801EF2: E9 86E18383  JMP 0004007D
    Disassembly of hooker:
    0004007D: 68 25B8E9C4  PUSH C4E9B825
    00040082: E8 37DF8C7C  CALL 7C90DFBE
    00040087: 58           POP EAX
    00040088: C2 0400      RET 0004
    0004008B: C3           RET ; Pop IP
    0004008C: 1E           PUSH DS ; Push DS register to the stack
    0004008D: 006A18       ADD BYTE PTR DS:[EDX+18H],CH
    00040090: 68 C82F817C  PUSH 7C812FC8
    00040095: E9 5F1E7C7C  JMP 7C801EF9
    0004009A: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of GetStartupInfoW at 7C801E54 (0) got patched. Here is the diff:
    Address   New-Original
    7C801E54: E9 - 8B 
    7C801E55: 41 - FF 
    7C801E56: E2 - 55 
    7C801E57: 83 - 8B 
    7C801E58: 83 - EC 
    --> JMP DWORD PTR DS:[0004009A]
    Disassembly old code:
    7C801E54: 8BFF         MOV EDI, EDI
    7C801E56: 55           PUSH EBP
    7C801E57: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C801E54: E9 41E28383  JMP 0004009A
    Disassembly of hooker:
    0004009A: 68 25B8E9C4  PUSH C4E9B825
    0004009F: E8 1ADF8C7C  CALL 7C90DFBE
    000400A4: 58           POP EAX
    000400A5: C2 0400      RET 0004
    000400A8: C3           RET ; Pop IP
    000400A9: 1F           POP DS ; Pop top stack to DS
    000400AA: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
    000400B0: E9 A41D7C7C  JMP 7C801E59
    000400B5: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of LoadLibraryA at 7C801D7B (0) got patched. Here is the diff:
    Address   New-Original
    7C801D7B: E9 - 8B 
    7C801D7C: 9B - FF 
    7C801D7D: E2 - 55 
    7C801D7E: 83 - 8B 
    7C801D7F: 83 - EC 
    --> JMP DWORD PTR DS:[0004001B]
    Disassembly old code:
    7C801D7B: 8BFF         MOV EDI, EDI
    7C801D7D: 55           PUSH EBP
    7C801D7E: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C801D7B: E9 9BE28383  JMP 0004001B
    Disassembly of hooker:
    0004001B: 68 25B8E9C4  PUSH C4E9B825
    00040020: E8 99DF8C7C  CALL 7C90DFBE
    00040025: 58           POP EAX
    00040026: C2 0400      RET 0004
    00040029: C3           RET ; Pop IP
    0004002A: 17           POP SS ; Pop top stack to SS
    0004002B: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
    00040031: E9 BAAE7C7C  JMP 7C80AEF0
    00040036: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of LoadLibraryExA at 7C801D53 (0) got patched. Here is the diff:
    Address   New-Original
    7C801D53: E9 - 8B 
    7C801D54: 2B - FF 
    7C801D55: F2 - 55 
    7C801D56: 83 - 8B 
    7C801D57: 83 - EC 
    --> JMP DWORD PTR DS:[00040F83]
    Disassembly old code:
    7C801D53: 8BFF         MOV EDI, EDI
    7C801D55: 55           PUSH EBP
    7C801D56: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C801D53: E9 2BF28383  JMP 00040F83
    Disassembly of hooker:
    00040F83: 68 25B8E9C4  PUSH C4E9B825
    00040F88: E8 31D08C7C  CALL 7C90DFBE
    00040F8D: 58           POP EAX
    00040F8E: C2 0C00      RET 000C
    00040F91: C3           RET ; Pop IP
    00040F92: 1900         SBB DWORD PTR DS:[EAX],EAX
    00040F94: 68 25B8E9C4  PUSH C4E9B825
    00040F99: E8 20D08C7C  CALL 7C90DFBE
    00040F9E: 58           POP EAX
    00040F9F: C2 0400      RET 0004
    00040FA2: C3           RET ; Pop IP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of LoadLibraryExW at 7C801AF5 (0) got patched. Here is the diff:
    Address   New-Original
    7C801AF5: E9 - 6A 
    7C801AF6: 62 - 34 
    7C801AF7: F4 - 68 
    --> JMP DWORD PTR DS:[00040F5C]
    Disassembly old code:
    7C801AF5: 6A34         PUSH 34

    Disassembly new code:
    7C801AF5: E9 62F48383  JMP 00040F5C
    Disassembly of hooker:
    00040F5C: 68 25B8E9C4  PUSH C4E9B825
    00040F61: E8 58D08C7C  CALL 7C90DFBE
    00040F66: 58           POP EAX
    00040F67: C2 0C00      RET 000C
    00040F6A: C3           RET ; Pop IP
    00040F6B: 1A00         SBB AL,BYTE PTR DS:[EAX]
    00040F6D: 6A34         PUSH 34
    00040F6F: 68 F8E0807C  PUSH 7C80E0F8
    00040F74: E9 830B7C7C  JMP 7C801AFC
    00040F79: 8BFF         MOV EDI, EDI
    00040F7B: 55           PUSH EBP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of LoadLibraryW at 7C80AEEB (0) got patched. Here is the diff:
    Address   New-Original
    7C80AEEB: E9 - 8B 
    7C80AEEC: A4 - FF 
    7C80AEED: 60 - 55 
    7C80AEEE: 83 - 8B 
    7C80AEEF: 83 - EC 
    --> JMP DWORD PTR DS:[00040F94]
    Disassembly old code:
    7C80AEEB: 8BFF         MOV EDI, EDI
    7C80AEED: 55           PUSH EBP
    7C80AEEE: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C80AEEB: E9 A4608383  JMP 00040F94
    Disassembly of hooker:
    00040F94: 68 25B8E9C4  PUSH C4E9B825
    00040F99: E8 20D08C7C  CALL 7C90DFBE
    00040F9E: 58           POP EAX
    00040F9F: C2 0400      RET 0004
    00040FA2: C3           RET ; Pop IP
    00040FA3: 1800         SBB BYTE PTR DS:[EAX],AL
    00040FA5: 8BFF         MOV EDI, EDI
    00040FA7: 55           PUSH EBP
    00040FA8: 8BEC         MOV EBP, ESP
    00040FAA: E9 D10D7C7C  JMP 7C801D80
    00040FAF: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of VirtualProtect at 7C801AD4 (0) got patched. Here is the diff:
    Address   New-Original
    7C801AD4: E9 - 8B 
    7C801AD5: 5D - FF 
    7C801AD6: E5 - 55 
    7C801AD7: 83 - 8B 
    7C801AD8: 83 - EC 
    --> JMP DWORD PTR DS:[00040036]
    Disassembly old code:
    7C801AD4: 8BFF         MOV EDI, EDI
    7C801AD6: 55           PUSH EBP
    7C801AD7: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C801AD4: E9 5DE58383  JMP 00040036
    Disassembly of hooker:
    00040036: 68 25B8E9C4  PUSH C4E9B825
    0004003B: E8 7EDF8C7C  CALL 7C90DFBE
    00040040: 58           POP EAX
    00040041: C2 1000      RET 0010
    00040044: C3           RET ; Pop IP
    00040045: 1B00         SBB EAX,DWORD PTR DS:[EAX]
    00040047: 8BFF         MOV EDI, EDI
    00040049: 55           PUSH EBP
    0004004A: 8BEC         MOV EBP, ESP
    0004004C: E9 151A7C7C  JMP 7C801A66
    00040051: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of VirtualProtectEx at 7C801A61 (0) got patched. Here is the diff:
    Address   New-Original
    7C801A61: E9 - 8B 
    7C801A62: EB - FF 
    7C801A63: E5 - 55 
    7C801A64: 83 - 8B 
    7C801A65: 83 - EC 
    --> JMP DWORD PTR DS:[00040051]
    Disassembly old code:
    7C801A61: 8BFF         MOV EDI, EDI
    7C801A63: 55           PUSH EBP
    7C801A64: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C801A61: E9 EBE58383  JMP 00040051
    Disassembly of hooker:
    00040051: 68 25B8E9C4  PUSH C4E9B825
    00040056: E8 63DF8C7C  CALL 7C90DFBE
    0004005B: 58           POP EAX
    0004005C: C2 1400      RET 0014
    0004005F: C3           RET ; Pop IP
    00040060: 1C00         SBB AL, 00
    00040062: 68 25B8E9C4  PUSH C4E9B825
    00040067: E8 52DF8C7C  CALL 7C90DFBE
    0004006C: 58           POP EAX
    0004006D: C2 1000      RET 0010
    00040070: C3           RET ; Pop IP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of WinExec at 7C86250D (0) got patched. Here is the diff:
    Address   New-Original
    7C86250D: E9 - 8B 
    7C86250E: A3 - FF 
    7C86250F: DB - 55 
    7C862510: 7D - 8B 
    7C862511: 83 - EC 
    --> JMP DWORD PTR DS:[000400B5]
    Disassembly old code:
    7C86250D: 8BFF         MOV EDI, EDI
    7C86250F: 55           PUSH EBP
    7C862510: 8BEC         MOV EBP, ESP

    Disassembly new code:
    7C86250D: E9 A3DB7D83  JMP 000400B5
    Disassembly of hooker:
    000400B5: 68 25B8E9C4  PUSH C4E9B825
    000400BA: E8 FFDE8C7C  CALL 7C90DFBE
    000400BF: 58           POP EAX
    000400C0: C2 0800      RET 0008
    000400C3: C3           RET ; Pop IP
    000400C4: 2000         AND BYTE PTR DS:[EAX],AL
    000400C6: 68 25B8E9C4  PUSH C4E9B825
    000400CB: E8 EEDE8C7C  CALL 7C90DFBE
    000400D0: 58           POP EAX
    000400D1: C2 2800      RET 0028
    000400D4: C3           RET ; Pop IP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    ADVAPI32.dll        (77DD0000 - 77E6B000)
      services.exe:CreateProcessAsUserW     --[HOOKED]--  @1000FDB0 by C:\Program Files\CA\PPRT\bin\CACheck.dll

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\Program Files\CA\PPRT\bin\CACheck.dll:
    Base address:   10000000
    Size:      00021000
    Flags:      800C4004
    Load count:   1
    Name:      eTrust PestPatrol Realtime Protection
    Prod. Version:   1.1.0.24
    Company:   CA, Inc.
    File Version:   1.1.0.24
    Description:   API interceptors
    Location:   C:\Program Files\CA\PPRT\bin\CACheck.dll
    Signed:      YES
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      USERENV.dll :CreateProcessAsUserW     --[HOOKED]--  @1000FDB0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
      umpnpmgr.dll:CreateProcessAsUserW     --[HOOKED]--  @1000FDB0 by C:\Program Files\CA\PPRT\bin\CACheck.dll
    The code of RegCreateKeyA at 77DFBCF3 (0) got patched. Here is the diff:
    Address   New-Original
    77DFBCF3: E9 - 8B 
    77DFBCF4: 3E - FF 
    77DFBCF5: 43 - 55 
    77DFBCF6: EA - 8B 
    77DFBCF7: 88 - EC 
    --> JMP DWORD PTR DS:[00CA0036]
    Disassembly old code:
    77DFBCF3: 8BFF         MOV EDI, EDI
    77DFBCF5: 55           PUSH EBP
    77DFBCF6: 8BEC         MOV EBP, ESP

    Disassembly new code:
    77DFBCF3: E9 3E43EA88  JMP 00CA0036
    Disassembly of hooker:
    00CA0036: 68 25B8E9C4  PUSH C4E9B825
    00CA003B: E8 7EDFC67B  CALL 7C90DFBE
    00CA0040: 58           POP EAX
    00CA0041: C2 0C00      RET 000C
    00CA0044: C3           RET ; Pop IP
    00CA0045: 1200         ADC AL,BYTE PTR DS:[EAX]
    00CA0047: 68 25B8E9C4  PUSH C4E9B825
    00CA004C: E8 6DDFC67B  CALL 7C90DFBE
    00CA0051: 58           POP EAX
    00CA0052: C2 2400      RET 0024
    00CA0055: C3           RET ; Pop IP
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of RegCreateKeyExA at 77DDE9F4 (0) got patched. Here is the diff:
    Address   New-Original
    77DDE9F4: E9 - 8B 
    77DDE9F5: 4E - FF 
    77DDE9F6: 16 - 55 
    77DDE9F7: EC - 8B 
    77DDE9F8: 88 - EC 
    --> JMP DWORD PTR DS:[00CA0047]
    Disassembly old code:
    77DDE9F4: 8BFF         MOV EDI, EDI
    77DDE9F6: 55           PUSH EBP
    77DDE9F7: 8BEC         MOV EBP, ESP

    Disassembly new code:
    77DDE9F4: E9 4E16EC88  JMP 00CA0047
    Disassembly of hooker:
    00CA0047: 68 25B8E9C4  PUSH C4E9B825
    00CA004C: E8 6DDFC67B  CALL 7C90DFBE
    00CA0051: 58           POP EAX
    00CA0052: C2 2400      RET 0024
    00CA0055: C3           RET ; Pop IP
    00CA0056: 1400         ADC AL, 00
    00CA0058: 8BFF         MOV EDI, EDI
    00CA005A: 55           PUSH EBP
    00CA005B: 8BEC         MOV EBP, ESP
    00CA005D: E9 0F771377  JMP 77DD7771
    00CA0062: 68 25B8E9C4  PUSH C4E9B825
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
    Base address:   7C900000
    Size:      000B2000
    Flags:      80084004
    Load count:   65535
    Name:      Microsoft® Windows® Operating System
    Prod. Version:   5.1.2600.5755
    Company:   Microsoft Corporation
    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
    Description:   NT Layer DLL
    Location:   C:\WINDOWS\system32\ntdll.dll
    Signed:      > NO! <
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    The code of RegCreateKeyExW at 77DD776C (0) got patched. Here is the diff:
    Address   New-Original
    77DD776C: E9 - 8B 
    77DD776D: F1 - FF 
    77DD776E: 88 - 55 
    77DD776F: EC - 8B 
    77DD7770: 88 - EC 
    --> JMP DWORD PTR DS:[00CA0062]
    Disassembly old code:
    77DD776C: 8BFF         MOV EDI, EDI
    77DD776E: 55           PUSH EBP
    77DD776F: 8BEC         MOV EBP, ESP

    Disassembly new code:
    77DD776C: E9 F188EC88  JMP 00CA0062
    Disassembly of hooker:
    00CA0062: 68 25B8E9C4  PUSH C4E9B825
    00CA0067: E8 52DFC67B  CALL 7C90DFBE
    00CA006C: 58           POP EAX
    00CA006D: C2 2400      RET 0024
    00CA0070: C3           RET ; Pop IP
    00CA0071: 15 00000000  ADC EAX, 00000000
    00CA0076: 0000         ADD BYTE PTR DS:[EAX],AL
    00CA0078: 0000         ADD BYTE PTR DS:[EAX],AL
    00CA007A: 0000         ADD BYTE PTR DS:[EAX],AL
    00CA007C: 0000         ADD BYTE PTR DS:[EAX],AL
    00CA007E: 0000         ADD BYTE PTR DS:[EAX],AL
    00CA0080: 0000         ADD BYTE PTR DS:[EAX],AL
    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

    :

    Xerinous

      Topic Starter


      Beginner

      Re: Can't run programs or connect to internet
      « Reply #76 on: August 08, 2010, 09:31:48 PM »
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of RegOpenKeyA at 77DDEFC8 (0) got patched. Here is the diff:
      Address   New-Original
      77DDEFC8: E9 - 8B 
      77DDEFC9: 18 - FF 
      77DDEFCA: 20 - 55 
      77DDEFCB: EC - 8B 
      77DDEFCC: 88 - EC 
      --> JMP DWORD PTR DS:[00CA0FE5]
      Disassembly old code:
      77DDEFC8: 8BFF         MOV EDI, EDI
      77DDEFCA: 55           PUSH EBP
      77DDEFCB: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77DDEFC8: E9 1820EC88  JMP 00CA0FE5
      Disassembly of hooker:
      00CA0FE5: 68 25B8E9C4  PUSH C4E9B825
      00CA0FEA: E8 CFCFC67B  CALL 7C90DFBE
      00CA0FEF: 58           POP EAX
      00CA0FF0: C2 0C00      RET 000C
      00CA0FF3: C3           RET ; Pop IP
      00CA0FF4: 0E           PUSH CS ; Push CS register to the stack
      00CA0FF5: 0000         ADD BYTE PTR DS:[EAX],AL
      00CA0FF7: 0000         ADD BYTE PTR DS:[EAX],AL
      00CA0FF9: 0000         ADD BYTE PTR DS:[EAX],AL
      00CA0FFB: 0000         ADD BYTE PTR DS:[EAX],AL
      00CA0FFD: 0000         ADD BYTE PTR DS:[EAX],AL
      00CA0FFF: 0000         ADD BYTE PTR DS:[EAX],AL
      00CA1001: 0000         ADD BYTE PTR DS:[EAX],AL
      00CA1003: 0000         ADD BYTE PTR DS:[EAX],AL
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of RegOpenKeyExA at 77DD7852 (0) got patched. Here is the diff:
      Address   New-Original
      77DD7852: E9 - 8B 
      77DD7853: C4 - FF 
      77DD7854: 87 - 55 
      77DD7855: EC - 8B 
      77DD7856: 88 - EC 
      --> JMP DWORD PTR DS:[00CA001B]
      Disassembly old code:
      77DD7852: 8BFF         MOV EDI, EDI
      77DD7854: 55           PUSH EBP
      77DD7855: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77DD7852: E9 C487EC88  JMP 00CA001B
      Disassembly of hooker:
      00CA001B: 68 25B8E9C4  PUSH C4E9B825
      00CA0020: E8 99DFC67B  CALL 7C90DFBE
      00CA0025: 58           POP EAX
      00CA0026: C2 1400      RET 0014
      00CA0029: C3           RET ; Pop IP
      00CA002A: 1000         ADC BYTE PTR DS:[EAX],AL
      00CA002C: 8BFF         MOV EDI, EDI
      00CA002E: 55           PUSH EBP
      00CA002F: 8BEC         MOV EBP, ESP
      00CA0031: E9 7E6A1377  JMP 77DD6AB4
      00CA0036: 68 25B8E9C4  PUSH C4E9B825
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of RegOpenKeyExW at 77DD6AAF (0) got patched. Here is the diff:
      Address   New-Original
      77DD6AAF: E9 - 8B 
      77DD6AB0: 16 - FF 
      77DD6AB1: A5 - 55 
      77DD6AB2: EC - 8B 
      77DD6AB3: 88 - EC 
      --> JMP DWORD PTR DS:[00CA0FCA]
      Disassembly old code:
      77DD6AAF: 8BFF         MOV EDI, EDI
      77DD6AB1: 55           PUSH EBP
      77DD6AB2: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77DD6AAF: E9 16A5EC88  JMP 00CA0FCA
      Disassembly of hooker:
      00CA0FCA: 68 25B8E9C4  PUSH C4E9B825
      00CA0FCF: E8 EACFC67B  CALL 7C90DFBE
      00CA0FD4: 58           POP EAX
      00CA0FD5: C2 1400      RET 0014
      00CA0FD8: C3           RET ; Pop IP
      00CA0FD9: 1100         ADC DWORD PTR DS:[EAX],EAX
      00CA0FDB: 8BFF         MOV EDI, EDI
      00CA0FDD: 55           PUSH EBP
      00CA0FDE: 8BEC         MOV EBP, ESP
      00CA0FE0: E9 72681377  JMP 77DD7857
      00CA0FE5: 68 25B8E9C4  PUSH C4E9B825
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of RegOpenKeyW at 77DD7946 (0) got patched. Here is the diff:
      Address   New-Original
      77DD7946: E9 - 8B 
      77DD7947: B5 - FF 
      77DD7948: 86 - 55 
      77DD7949: EC - 8B 
      77DD794A: 88 - EC 
      --> JMP DWORD PTR DS:[00CA0000]
      Disassembly old code:
      77DD7946: 8BFF         MOV EDI, EDI
      77DD7948: 55           PUSH EBP
      77DD7949: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77DD7946: E9 B586EC88  JMP 00CA0000
      Disassembly of hooker:
      00CA0000: 68 25B8E9C4  PUSH C4E9B825
      00CA0005: E8 B4DFC67B  CALL 7C90DFBE
      00CA000A: 58           POP EAX
      00CA000B: C2 0C00      RET 000C
      00CA000E: C3           RET ; Pop IP
      00CA000F: 0F008B FF558BEC STR WORD PTR DS:[EBX+EC8B55FF]
      00CA0016: E9 30791377  JMP 77DD794B
      00CA001B: 68 25B8E9C4  PUSH C4E9B825
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      RPCRT4.dll          (77E70000 - 77F02000)
      Secur32.dll         (77FE0000 - 77FF1000)
      msvcrt.dll          (77C10000 - 77C68000)
      The code of _creat at 77C2D40F (0) got patched. Here is the diff:
      Address   New-Original
      77C2D40F: E9 - 8B 
      77C2D410: C3 - FF 
      77C2D411: 3B - 55 
      77C2D412: 44 - 8B 
      77C2D413: 88 - EC 
      --> JMP DWORD PTR DS:[00070FD7]
      Disassembly old code:
      77C2D40F: 8BFF         MOV EDI, EDI
      77C2D411: 55           PUSH EBP
      77C2D412: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77C2D40F: E9 C33B4488  JMP 00070FD7
      Disassembly of hooker:
      00070FD7: 68 25B8E9C4  PUSH C4E9B825
      00070FDC: E8 DDCF897C  CALL 7C90DFBE
      00070FE1: 58           POP EAX
      00070FE2: C2 0000      RET 0000
      00070FE5: C3           RET ; Pop IP
      00070FE6: 0A00         OR AL,BYTE PTR DS:[EAX]
      00070FE8: 6A14         PUSH 14
      00070FEA: 68 6025C177  PUSH 77C12560
      00070FEF: E9 68F0BB77  JMP 77C3005C
      00070FF4: 6A14         PUSH 14
      00070FF6: 68 00000000  PUSH 00000000
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of _open at 77C2F566 (0) got patched. Here is the diff:
      Address   New-Original
      77C2F566: E9 - 6A 
      77C2F567: 95 - 14 
      77C2F568: 0A - 68 
      --> JMP DWORD PTR DS:[00070000]
      Disassembly old code:
      77C2F566: 6A14         PUSH 14

      Disassembly new code:
      77C2F566: E9 950A4488  JMP 00070000
      Disassembly of hooker:
      00070000: 68 25B8E9C4  PUSH C4E9B825
      00070005: E8 B4DF897C  CALL 7C90DFBE
      0007000A: 58           POP EAX
      0007000B: C2 0000      RET 0000
      0007000E: C3           RET ; Pop IP
      0007000F: 0800         OR BYTE PTR DS:[EAX],AL
      00070011: 68 25B8E9C4  PUSH C4E9B825
      00070016: E8 A3DF897C  CALL 7C90DFBE
      0007001B: 58           POP EAX
      0007001C: C2 0000      RET 0000
      0007001F: C3           RET ; Pop IP
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of _wcreat at 77C2FC9B (0) got patched. Here is the diff:
      Address   New-Original
      77C2FC9B: E9 - 8B 
      77C2FC9C: 82 - FF 
      77C2FC9D: 03 - 55 
      77C2FC9E: 44 - 8B 
      77C2FC9F: 88 - EC 
      --> JMP DWORD PTR DS:[00070022]
      Disassembly old code:
      77C2FC9B: 8BFF         MOV EDI, EDI
      77C2FC9D: 55           PUSH EBP
      77C2FC9E: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77C2FC9B: E9 82034488  JMP 00070022
      Disassembly of hooker:
      00070022: 68 25B8E9C4  PUSH C4E9B825
      00070027: E8 92DF897C  CALL 7C90DFBE
      0007002C: 58           POP EAX
      0007002D: C2 0000      RET 0000
      00070030: C3           RET ; Pop IP
      00070031: 0B00         OR EAX,DWORD PTR DS:[EAX]
      00070033: 8BFF         MOV EDI, EDI
      00070035: 55           PUSH EBP
      00070036: 8BEC         MOV EBP, ESP
      00070038: E9 8F93BB77  JMP 77C293CC
      0007003D: 68 25B8E9C4  PUSH C4E9B825
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of _wopen at 77C30055 (0) got patched. Here is the diff:
      Address   New-Original
      77C30055: E9 - 6A 
      77C30056: B7 - 14 
      77C30057: FF - 68 
      --> JMP DWORD PTR DS:[00070011]
      Disassembly old code:
      77C30055: 6A14         PUSH 14

      Disassembly new code:
      77C30055: E9 B7FF4388  JMP 00070011
      Disassembly of hooker:
      00070011: 68 25B8E9C4  PUSH C4E9B825
      00070016: E8 A3DF897C  CALL 7C90DFBE
      0007001B: 58           POP EAX
      0007001C: C2 0000      RET 0000
      0007001F: C3           RET ; Pop IP
      00070020: 0900         OR DWORD PTR DS:[EAX],EAX
      00070022: 68 25B8E9C4  PUSH C4E9B825
      00070027: E8 92DF897C  CALL 7C90DFBE
      0007002C: 58           POP EAX
      0007002D: C2 0000      RET 0000
      00070030: C3           RET ; Pop IP
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of _wsystem at 77C2931E (0) got patched. Here is the diff:
      Address   New-Original
      77C2931E: E9 - 8B 
      77C2931F: 2B - FF 
      77C29320: 6D - 55 
      77C29321: 44 - 8B 
      77C29322: 88 - EC 
      --> JMP DWORD PTR DS:[0007004E]
      Disassembly old code:
      77C2931E: 8BFF         MOV EDI, EDI
      77C29320: 55           PUSH EBP
      77C29321: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77C2931E: E9 2B6D4488  JMP 0007004E
      Disassembly of hooker:
      0007004E: 68 25B8E9C4  PUSH C4E9B825
      00070053: E8 66DF897C  CALL 7C90DFBE
      00070058: 58           POP EAX
      00070059: C2 0000      RET 0000
      0007005C: C3           RET ; Pop IP
      0007005D: 0D 00000000  OR EAX, 00000000
      00070062: 0000         ADD BYTE PTR DS:[EAX],AL
      00070064: 0000         ADD BYTE PTR DS:[EAX],AL
      00070066: 0000         ADD BYTE PTR DS:[EAX],AL
      00070068: 0000         ADD BYTE PTR DS:[EAX],AL
      0007006A: 0000         ADD BYTE PTR DS:[EAX],AL
      0007006C: 0000         ADD BYTE PTR DS:[EAX],AL
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of system at 77C293C7 (0) got patched. Here is the diff:
      Address   New-Original
      77C293C7: E9 - 8B 
      77C293C8: 71 - FF 
      77C293C9: 6C - 55 
      77C293CA: 44 - 8B 
      77C293CB: 88 - EC 
      --> JMP DWORD PTR DS:[0007003D]
      Disassembly old code:
      77C293C7: 8BFF         MOV EDI, EDI
      77C293C9: 55           PUSH EBP
      77C293CA: 8BEC         MOV EBP, ESP

      Disassembly new code:
      77C293C7: E9 716C4488  JMP 0007003D
      Disassembly of hooker:
      0007003D: 68 25B8E9C4  PUSH C4E9B825
      00070042: E8 77DF897C  CALL 7C90DFBE
      00070047: 58           POP EAX
      00070048: C2 0000      RET 0000
      0007004B: C3           RET ; Pop IP
      0007004C: 0C00         OR AL, 00
      0007004E: 68 25B8E9C4  PUSH C4E9B825
      00070053: E8 66DF897C  CALL 7C90DFBE
      00070058: 58           POP EAX
      00070059: C2 0000      RET 0000
      0007005C: C3           RET ; Pop IP
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      NCObjAPI.DLL        (5F770000 - 5F77C000)
      MSVCP60.dll         (76080000 - 760E5000)
      SCESRV.dll          (7DBD0000 - 7DC21000)
      AUTHZ.dll           (776C0000 - 776D2000)
      USER32.dll          (7E410000 - 7E4A1000)
      GDI32.dll           (77F10000 - 77F59000)
      USERENV.dll         (769C0000 - 76A74000)
      umpnpmgr.dll        (7DBA0000 - 7DBC1000)
      WINSTA.dll          (76360000 - 76370000)
      NETAPI32.dll        (5B860000 - 5B8B5000)
      ShimEng.dll         (5CB70000 - 5CB96000)
      AcAdProc.dll        (47260000 - 4726F000)
      IMM32.DLL           (76390000 - 763AD000)
      eventlog.dll        (77B70000 - 77B81000)
      PSAPI.DLL           (76BF0000 - 76BFB000)
      WS2_32.dll          (71AB0000 - 71AC7000)
      The code of socket at 71AB4211 (0) got patched. Here is the diff:
      Address   New-Original
      71AB4211: E9 - 8B 
      71AB4212: EA - FF 
      71AB4213: BD - 55 
      71AB4214: 5A - 8B 
      71AB4215: 8E - EC 
      --> JMP DWORD PTR DS:[00060000]
      Disassembly old code:
      71AB4211: 8BFF         MOV EDI, EDI
      71AB4213: 55           PUSH EBP
      71AB4214: 8BEC         MOV EBP, ESP

      Disassembly new code:
      71AB4211: E9 EABD5A8E  JMP 00060000
      Disassembly of hooker:
      00060000: 68 25B8E9C4  PUSH C4E9B825
      00060005: E8 B4DF8A7C  CALL 7C90DFBE
      0006000A: 58           POP EAX
      0006000B: C2 0C00      RET 000C
      0006000E: C3           RET ; Pop IP
      0006000F: 07           POP ES ; Pop top stack to ES
      00060010: 0000         ADD BYTE PTR DS:[EAX],AL
      00060012: 0000         ADD BYTE PTR DS:[EAX],AL
      00060014: 0000         ADD BYTE PTR DS:[EAX],AL
      00060016: 0000         ADD BYTE PTR DS:[EAX],AL
      00060018: 0000         ADD BYTE PTR DS:[EAX],AL
      0006001A: 0000         ADD BYTE PTR DS:[EAX],AL
      0006001C: 0000         ADD BYTE PTR DS:[EAX],AL
      0006001E: 0000         ADD BYTE PTR DS:[EAX],AL
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      WS2HELP.dll         (71AA0000 - 71AA8000)
      wtsapi32.dll        (76F50000 - 76F58000)
      Apphelp.dll         (77B40000 - 77B62000)
      CACheck.dll         (10000000 - 10021000)
      CAHook.dll          (00D10000 - 00D3B000)
      CAServer.dll        (00DA0000 - 00DC6000)
      MSVCP71.dll         (7C3A0000 - 7C41B000)
      MSVCR71.dll         (7C340000 - 7C396000)

      PID 1164  - C:\WINDOWS\system32\lsass.exe
      -------------------------------------------------------------------------------
      ntdll.dll           (7C900000 - 7C9B2000)
      The code of NtCreateFile at 7C90D0AE (0) got patched. Here is the diff:
      Address   New-Original
      7C90D0AE: E9 - B8 
      7C90D0AF: 3C - 25 
      7C90D0B0: 3F - 00 
      7C90D0B1: 3E - 00 
      7C90D0B2: 84 - 00 
      --> JMP DWORD PTR DS:[00CF0FEF]
      Disassembly old code:
      7C90D0AE: B8 25000000  MOV EAX, 00000025

      Disassembly new code:
      7C90D0AE: E9 3C3F3E84  JMP 00CF0FEF
      Disassembly of hooker:
      00CF0FEF: 68 25B8E9C4  PUSH C4E9B825
      00CF0FF4: E8 C5CFC17B  CALL 7C90DFBE
      00CF0FF9: 58           POP EAX
      00CF0FFA: C2 2C00      RET 002C
      00CF0FFD: C3           RET ; Pop IP
      00CF0FFE: 05 00000000  ADD EAX, 00000000
      00CF1003: 0000         ADD BYTE PTR DS:[EAX],AL
      00CF1005: 0000         ADD BYTE PTR DS:[EAX],AL
      00CF1007: 0000         ADD BYTE PTR DS:[EAX],AL
      00CF1009: 0000         ADD BYTE PTR DS:[EAX],AL
      00CF100B: 0000         ADD BYTE PTR DS:[EAX],AL
      00CF100D: 0000         ADD BYTE PTR DS:[EAX],AL
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of NtCreateProcess at 7C90D14E (0) got patched. Here is the diff:
      Address   New-Original
      7C90D14E: E9 - B8 
      7C90D14F: 5C - 2F 
      7C90D150: 3E - 00 
      7C90D151: 3E - 00 
      7C90D152: 84 - 00 
      --> JMP DWORD PTR DS:[00CF0FAF]
      Disassembly old code:
      7C90D14E: B8 2F000000  MOV EAX, 0000002F

      Disassembly new code:
      7C90D14E: E9 5C3E3E84  JMP 00CF0FAF
      Disassembly of hooker:
      00CF0FAF: 68 25B8E9C4  PUSH C4E9B825
      00CF0FB4: E8 05D0C17B  CALL 7C90DFBE
      00CF0FB9: 58           POP EAX
      00CF0FBA: C2 2000      RET 0020
      00CF0FBD: C3           RET ; Pop IP
      00CF0FBE: 07           POP ES ; Pop top stack to ES
      00CF0FBF: 00B8 2F000000 ADD BYTE PTR DS:[EAX+0000002F],BH
      00CF0FC5: E9 89C1C17B  JMP 7C90D153
      00CF0FCA: 68 25B8E9C4  PUSH C4E9B825
      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
      Base address:   7C900000
      Size:      000B2000
      Flags:      80084004
      Load count:   65535
      Name:      Microsoft® Windows® Operating System
      Prod. Version:   5.1.2600.5755
      Company:   Microsoft Corporation
      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
      Description:   NT Layer DLL
      Location:   C:\WINDOWS\system32\ntdll.dll
      Signed:      > NO! <
      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      The code of NtProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
      Address   New-Original
      7C90D6EE: E9 - B8 
      7C90D6EF: D7 - 89 
      7C90D6F0: 38 - 00 
      7C90D6F1: 3E - 00 
      7C90D6F2: 84 - 00 
      --> JMP DWORD PTR DS:[00CF0FCA]
      Disassembly old code:
      7C90D6EE: B8 89000000  MOV EAX, 00000089

Xerinous (Topic Starter, Beginner)
  Re: Can't run programs or connect to internet
  « Reply #77 on: August 08, 2010, 09:32:30 PM »

        Disassembly new code:
        7C90D6EE: E9 D7383E84  JMP 00CF0FCA
        Disassembly of hooker:
        00CF0FCA: 68 25B8E9C4  PUSH C4E9B825
        00CF0FCF: E8 EACFC17B  CALL 7C90DFBE
        00CF0FD4: 58           POP EAX
        00CF0FD5: C2 1400      RET 0014
        00CF0FD8: C3           RET ; Pop IP
        00CF0FD9: 06           PUSH ES ; Push ES register to the stack
        00CF0FDA: 00B8 89000000 ADD BYTE PTR DS:[EAX+00000089],BH
        00CF0FE0: E9 0EC7C17B  JMP 7C90D6F3
        00CF0FE5: B8 25000000  MOV EAX, 00000025
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of ZwCreateFile at 7C90D0AE (0) got patched. Here is the diff:
        Address   New-Original
        7C90D0AE: E9 - B8 
        7C90D0AF: 3C - 25 
        7C90D0B0: 3F - 00 
        7C90D0B1: 3E - 00 
        7C90D0B2: 84 - 00 
        --> JMP DWORD PTR DS:[00CF0FEF]
        Disassembly old code:
        7C90D0AE: B8 25000000  MOV EAX, 00000025

        Disassembly new code:
        7C90D0AE: E9 3C3F3E84  JMP 00CF0FEF
        Disassembly of hooker:
        00CF0FEF: 68 25B8E9C4  PUSH C4E9B825
        00CF0FF4: E8 C5CFC17B  CALL 7C90DFBE
        00CF0FF9: 58           POP EAX
        00CF0FFA: C2 2C00      RET 002C
        00CF0FFD: C3           RET ; Pop IP
        00CF0FFE: 05 00000000  ADD EAX, 00000000
        00CF1003: 0000         ADD BYTE PTR DS:[EAX],AL
        00CF1005: 0000         ADD BYTE PTR DS:[EAX],AL
        00CF1007: 0000         ADD BYTE PTR DS:[EAX],AL
        00CF1009: 0000         ADD BYTE PTR DS:[EAX],AL
        00CF100B: 0000         ADD BYTE PTR DS:[EAX],AL
        00CF100D: 0000         ADD BYTE PTR DS:[EAX],AL
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of ZwCreateProcess at 7C90D14E (0) got patched. Here is the diff:
        Address   New-Original
        7C90D14E: E9 - B8 
        7C90D14F: 5C - 2F 
        7C90D150: 3E - 00 
        7C90D151: 3E - 00 
        7C90D152: 84 - 00 
        --> JMP DWORD PTR DS:[00CF0FAF]
        Disassembly old code:
        7C90D14E: B8 2F000000  MOV EAX, 0000002F

        Disassembly new code:
        7C90D14E: E9 5C3E3E84  JMP 00CF0FAF
        Disassembly of hooker:
        00CF0FAF: 68 25B8E9C4  PUSH C4E9B825
        00CF0FB4: E8 05D0C17B  CALL 7C90DFBE
        00CF0FB9: 58           POP EAX
        00CF0FBA: C2 2000      RET 0020
        00CF0FBD: C3           RET ; Pop IP
        00CF0FBE: 07           POP ES ; Pop top stack to ES
        00CF0FBF: 00B8 2F000000 ADD BYTE PTR DS:[EAX+0000002F],BH
        00CF0FC5: E9 89C1C17B  JMP 7C90D153
        00CF0FCA: 68 25B8E9C4  PUSH C4E9B825
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of ZwProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
        Address   New-Original
        7C90D6EE: E9 - B8 
        7C90D6EF: D7 - 89 
        7C90D6F0: 38 - 00 
        7C90D6F1: 3E - 00 
        7C90D6F2: 84 - 00 
        --> JMP DWORD PTR DS:[00CF0FCA]
        Disassembly old code:
        7C90D6EE: B8 89000000  MOV EAX, 00000089

        Disassembly new code:
        7C90D6EE: E9 D7383E84  JMP 00CF0FCA
        Disassembly of hooker:
        00CF0FCA: 68 25B8E9C4  PUSH C4E9B825
        00CF0FCF: E8 EACFC17B  CALL 7C90DFBE
        00CF0FD4: 58           POP EAX
        00CF0FD5: C2 1400      RET 0014
        00CF0FD8: C3           RET ; Pop IP
        00CF0FD9: 06           PUSH ES ; Push ES register to the stack
        00CF0FDA: 00B8 89000000 ADD BYTE PTR DS:[EAX+00000089],BH
        00CF0FE0: E9 0EC7C17B  JMP 7C90D6F3
        00CF0FE5: B8 25000000  MOV EAX, 00000025
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        kernel32.dll        (7C800000 - 7C8F6000)
        The code of CreateFileA at 7C801A28 (0) got patched. Here is the diff:
        Address   New-Original
        7C801A28: E9 - 8B 
        7C801A29: D3 - FF 
        7C801A2A: E5 - 55 
        7C801A2B: 3D - 8B 
        7C801A2C: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0000]
        Disassembly old code:
        7C801A28: 8BFF         MOV EDI, EDI
        7C801A2A: 55           PUSH EBP
        7C801A2B: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C801A28: E9 D3E53D84  JMP 00BE0000
        Disassembly of hooker:
        00BE0000: 68 25B8E9C4  PUSH C4E9B825
        00BE0005: E8 B4DFD27B  CALL 7C90DFBE
        00BE000A: 58           POP EAX
        00BE000B: C2 1C00      RET 001C
        00BE000E: C3           RET ; Pop IP
        00BE000F: 0100         ADD DWORD PTR DS:[EAX],EAX
        00BE0011: 8BFF         MOV EDI, EDI
        00BE0013: 55           PUSH EBP
        00BE0014: 8BEC         MOV EBP, ESP
        00BE0016: E9 121AC27B  JMP 7C801A2D
        00BE001B: 8BFF         MOV EDI, EDI
        00BE001D: 55           PUSH EBP
        00BE001E: 8BEC         MOV EBP, ESP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of CreateFileW at 7C810800 (0) got patched. Here is the diff:
        Address   New-Original
        7C810800: E9 - 8B 
        7C810801: EA - FF 
        7C810802: 07 - 55 
        7C810803: 3D - 8B 
        7C810804: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0FEF]
        Disassembly old code:
        7C810800: 8BFF         MOV EDI, EDI
        7C810802: 55           PUSH EBP
        7C810803: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C810800: E9 EA073D84  JMP 00BE0FEF
        Disassembly of hooker:
        00BE0FEF: 68 25B8E9C4  PUSH C4E9B825
        00BE0FF4: E8 C5CFD27B  CALL 7C90DFBE
        00BE0FF9: 58           POP EAX
        00BE0FFA: C2 1C00      RET 001C
        00BE0FFD: C3           RET ; Pop IP
        00BE0FFE: 0200         ADD AL,BYTE PTR DS:[EAX]
        00BE1000: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE1002: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE1004: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE1006: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE1008: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE100A: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE100C: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE100E: 0000         ADD BYTE PTR DS:[EAX],AL
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of CreateNamedPipeA at 7C860CDC (0) got patched. Here is the diff:
        Address   New-Original
        7C860CDC: E9 - 8B 
        7C860CDD: 44 - FF 
        7C860CDE: F3 - 55 
        7C860CDF: 37 - 8B 
        7C860CE0: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0025]
        Disassembly old code:
        7C860CDC: 8BFF         MOV EDI, EDI
        7C860CDE: 55           PUSH EBP
        7C860CDF: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C860CDC: E9 44F33784  JMP 00BE0025
        Disassembly of hooker:
        00BE0025: 68 25B8E9C4  PUSH C4E9B825
        00BE002A: E8 8FDFD27B  CALL 7C90DFBE
        00BE002F: 58           POP EAX
        00BE0030: C2 2000      RET 0020
        00BE0033: C3           RET ; Pop IP
        00BE0034: 0300         ADD EAX,DWORD PTR DS:[EAX]
        00BE0036: 68 25B8E9C4  PUSH C4E9B825
        00BE003B: E8 7EDFD27B  CALL 7C90DFBE
        00BE0040: 58           POP EAX
        00BE0041: C2 2000      RET 0020
        00BE0044: C3           RET ; Pop IP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of CreateNamedPipeW at 7C82F0DD (0) got patched. Here is the diff:
        Address   New-Original
        7C82F0DD: E9 - 8B 
        7C82F0DE: 54 - FF 
        7C82F0DF: 0F - 55 
        7C82F0E0: 3B - 8B 
        7C82F0E1: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0036]
        Disassembly old code:
        7C82F0DD: 8BFF         MOV EDI, EDI
        7C82F0DF: 55           PUSH EBP
        7C82F0E0: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C82F0DD: E9 540F3B84  JMP 00BE0036
        Disassembly of hooker:
        00BE0036: 68 25B8E9C4  PUSH C4E9B825
        00BE003B: E8 7EDFD27B  CALL 7C90DFBE
        00BE0040: 58           POP EAX
        00BE0041: C2 2000      RET 0020
        00BE0044: C3           RET ; Pop IP
        00BE0045: 0400         ADD AL, 00
        00BE0047: 8BFF         MOV EDI, EDI
        00BE0049: 55           PUSH EBP
        00BE004A: 8BEC         MOV EBP, ESP
        00BE004C: E9 91F0C47B  JMP 7C82F0E2
        00BE0051: 8BFF         MOV EDI, EDI
        00BE0053: 55           PUSH EBP
        00BE0054: 8BEC         MOV EBP, ESP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of CreatePipe at 7C81D83F (0) got patched. Here is the diff:
        Address   New-Original
        7C81D83F: E9 - 8B 
        7C81D840: 1B - FF 
        7C81D841: 37 - 55 
        7C81D842: 3C - 8B 
        7C81D843: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0F5F]
        Disassembly old code:
        7C81D83F: 8BFF         MOV EDI, EDI
        7C81D841: 55           PUSH EBP
        7C81D842: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C81D83F: E9 1B373C84  JMP 00BE0F5F
        Disassembly of hooker:
        00BE0F5F: 68 25B8E9C4  PUSH C4E9B825
        00BE0F64: E8 55D0D27B  CALL 7C90DFBE
        00BE0F69: 58           POP EAX
        00BE0F6A: C2 1000      RET 0010
        00BE0F6D: C3           RET ; Pop IP
        00BE0F6E: 1D 006825B8  SBB EAX, B8256800
        00BE0F73: E9 C4E844D0  JMP D102F83C
        00BE0F78: D27B58       SAR BYTE PTR DS:[EBX+58H],CL
        00BE0F7B: C2 1400      RET 0014
        00BE0F7E: C3           RET ; Pop IP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
        Address   New-Original
        7C80236B: E9 - 8B 
        7C80236C: B9 - FF 
        7C80236D: EB - 55 
        7C80236E: 3D - 8B 
        7C80236F: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0F29]
        Disassembly old code:
        7C80236B: 8BFF         MOV EDI, EDI
        7C80236D: 55           PUSH EBP
        7C80236E: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C80236B: E9 B9EB3D84  JMP 00BE0F29
        Disassembly of hooker:
        00BE0F29: 68 25B8E9C4  PUSH C4E9B825
        00BE0F2E: E8 8BD0D27B  CALL 7C90DFBE
        00BE0F33: 58           POP EAX
        00BE0F34: C2 2800      RET 0028
        00BE0F37: C3           RET ; Pop IP
        00BE0F38: 2100         AND DWORD PTR DS:[EAX],EAX
        00BE0F3A: 68 25B8E9C4  PUSH C4E9B825
        00BE0F3F: E8 7AD0D27B  CALL 7C90DFBE
        00BE0F44: 58           POP EAX
        00BE0F45: C2 0400      RET 0004
        00BE0F48: C3           RET ; Pop IP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
        Address   New-Original
        7C802336: E9 - 8B 
        7C802337: 7D - FF 
        7C802338: DD - 55 
        7C802339: 3D - 8B 
        7C80233A: 84 - EC 
        --> JMP DWORD PTR DS:[00BE00B8]
        Disassembly old code:
        7C802336: 8BFF         MOV EDI, EDI
        7C802338: 55           PUSH EBP
        7C802339: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C802336: E9 7DDD3D84  JMP 00BE00B8
        Disassembly of hooker:
        00BE00B8: 68 25B8E9C4  PUSH C4E9B825
        00BE00BD: E8 FCDED27B  CALL 7C90DFBE
        00BE00C2: 58           POP EAX
        00BE00C3: C2 2800      RET 0028
        00BE00C6: C3           RET ; Pop IP
        00BE00C7: 2200         AND AL,BYTE PTR DS:[EAX]
        00BE00C9: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE00CB: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE00CD: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE00CF: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE00D1: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE00D3: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE00D5: 0000         ADD BYTE PTR DS:[EAX],AL
        00BE00D7: 0000         ADD BYTE PTR DS:[EAX],AL
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of GetProcAddress at 7C80AE40 (0) got patched. Here is the diff:
        Address   New-Original
        7C80AE40: E9 - 8B 
        7C80AE41: BF - FF 
        7C80AE42: 60 - 55 
        7C80AE43: 3D - 8B 
        7C80AE44: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0F04]
        Disassembly old code:
        7C80AE40: 8BFF         MOV EDI, EDI
        7C80AE42: 55           PUSH EBP
        7C80AE43: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C80AE40: E9 BF603D84  JMP 00BE0F04
        Disassembly of hooker:
        00BE0F04: 68 25B8E9C4  PUSH C4E9B825
        00BE0F09: E8 B0D0D27B  CALL 7C90DFBE
        00BE0F0E: 58           POP EAX
        00BE0F0F: C2 0800      RET 0008
        00BE0F12: C3           RET ; Pop IP
        00BE0F13: 2300         AND EAX,DWORD PTR DS:[EAX]
        00BE0F15: 8BFF         MOV EDI, EDI
        00BE0F17: 55           PUSH EBP
        00BE0F18: 8BEC         MOV EBP, ESP
        00BE0F1A: E9 1C14C27B  JMP 7C80233B
        00BE0F1F: 8BFF         MOV EDI, EDI
        00BE0F21: 55           PUSH EBP
        00BE0F22: 8BEC         MOV EBP, ESP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of GetStartupInfoA at 7C801EF2 (0) got patched. Here is the diff:
        Address   New-Original
        7C801EF2: E9 - 6A 
        7C801EF3: 95 - 18 
        7C801EF4: E1 - 68 
        --> JMP DWORD PTR DS:[00BE008C]
        Disassembly old code:
        7C801EF2: 6A18         PUSH 18

        Disassembly new code:
        7C801EF2: E9 95E13D84  JMP 00BE008C
        Disassembly of hooker:
        00BE008C: 68 25B8E9C4  PUSH C4E9B825
        00BE0091: E8 28DFD27B  CALL 7C90DFBE
        00BE0096: 58           POP EAX
        00BE0097: C2 0400      RET 0004
        00BE009A: C3           RET ; Pop IP
        00BE009B: 1E           PUSH DS ; Push DS register to the stack
        00BE009C: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
        00BE00A2: E9 6B24C87B  JMP 7C862512
        00BE00A7: 68 25B8E9C4  PUSH C4E9B825
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of GetStartupInfoW at 7C801E54 (0) got patched. Here is the diff:
        Address   New-Original
        7C801E54: E9 - 8B 
        7C801E55: E1 - FF 
        7C801E56: F0 - 55 
        7C801E57: 3D - 8B 
        7C801E58: 84 - EC 
        --> JMP DWORD PTR DS:[00BE0F3A]
        Disassembly old code:
        7C801E54: 8BFF         MOV EDI, EDI
        7C801E56: 55           PUSH EBP
        7C801E57: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C801E54: E9 E1F03D84  JMP 00BE0F3A
        Disassembly of hooker:
        00BE0F3A: 68 25B8E9C4  PUSH C4E9B825
        00BE0F3F: E8 7AD0D27B  CALL 7C90DFBE
        00BE0F44: 58           POP EAX
        00BE0F45: C2 0400      RET 0004
        00BE0F48: C3           RET ; Pop IP
        00BE0F49: 1F           POP DS ; Pop top stack to DS
        00BE0F4A: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
        00BE0F50: E9 040FC27B  JMP 7C801E59
        00BE0F55: 8BFF         MOV EDI, EDI
        00BE0F57: 55           PUSH EBP
        00BE0F58: 8BEC         MOV EBP, ESP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        The code of LoadLibraryA at 7C801D7B (0) got patched. Here is the diff:
        Address   New-Original
        7C801D7B: E9 - 8B 
        7C801D7C: DB - FF 
        7C801D7D: E2 - 55 
        7C801D7E: 3D - 8B 
        7C801D7F: 84 - EC 
        --> JMP DWORD PTR DS:[00BE005B]
        Disassembly old code:
        7C801D7B: 8BFF         MOV EDI, EDI
        7C801D7D: 55           PUSH EBP
        7C801D7E: 8BEC         MOV EBP, ESP

        Disassembly new code:
        7C801D7B: E9 DBE23D84  JMP 00BE005B
        Disassembly of hooker:
        00BE005B: 68 25B8E9C4  PUSH C4E9B825
        00BE0060: E8 59DFD27B  CALL 7C90DFBE
        00BE0065: 58           POP EAX
        00BE0066: C2 0400      RET 0004
        00BE0069: C3           RET ; Pop IP
        00BE006A: 17           POP SS ; Pop top stack to SS
        00BE006B: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
        00BE0071: E9 7AAEC27B  JMP 7C80AEF0
        00BE0076: 8BFF         MOV EDI, EDI
        00BE0078: 55           PUSH EBP
        00BE0079: 8BEC         MOV EBP, ESP
        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
        Base address:   7C900000
        Size:      000B2000
        Flags:      80084004
        Load count:   65535
        Name:      Microsoft® Windows® Operating System
        Prod. Version:   5.1.2600.5755
        Company:   Microsoft Corporation
        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
        Description:   NT Layer DLL
        Location:   C:\WINDOWS\system32\ntdll.dll
        Signed:      > NO! <
        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

        Xerinous

          Topic Starter


          Beginner

          Re: Can't run programs or connect to internet
          « Reply #78 on: August 08, 2010, 09:33:12 PM »

          The code of LoadLibraryExA at 7C801D53 (0) got patched. Here is the diff:
          Address   New-Original
          7C801D53: E9 - 8B 
          7C801D54: 61 - FF 
          7C801D55: F2 - 55 
          7C801D56: 3D - 8B 
          7C801D57: 84 - EC 
          --> JMP DWORD PTR DS:[00BE0FB9]
          Disassembly old code:
          7C801D53: 8BFF         MOV EDI, EDI
          7C801D55: 55           PUSH EBP
          7C801D56: 8BEC         MOV EBP, ESP

          Disassembly new code:
          7C801D53: E9 61F23D84  JMP 00BE0FB9
          Disassembly of hooker:
          00BE0FB9: 68 25B8E9C4  PUSH C4E9B825
          00BE0FBE: E8 FBCFD27B  CALL 7C90DFBE
          00BE0FC3: 58           POP EAX
          00BE0FC4: C2 0C00      RET 000C
          00BE0FC7: C3           RET ; Pop IP
          00BE0FC8: 1900         SBB DWORD PTR DS:[EAX],EAX
          00BE0FCA: 8BFF         MOV EDI, EDI
          00BE0FCC: 55           PUSH EBP
          00BE0FCD: 8BEC         MOV EBP, ESP
          00BE0FCF: E9 840DC27B  JMP 7C801D58
          00BE0FD4: 68 25B8E9C4  PUSH C4E9B825
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of LoadLibraryExW at 7C801AF5 (0) got patched. Here is the diff:
          Address   New-Original
          7C801AF5: E9 - 6A 
          7C801AF6: AE - 34 
          7C801AF7: F4 - 68 
          --> JMP DWORD PTR DS:[00BE0FA8]
          Disassembly old code:
          7C801AF5: 6A34         PUSH 34

          Disassembly new code:
          7C801AF5: E9 AEF43D84  JMP 00BE0FA8
          Disassembly of hooker:
          00BE0FA8: 68 25B8E9C4  PUSH C4E9B825
          00BE0FAD: E8 0CD0D27B  CALL 7C90DFBE
          00BE0FB2: 58           POP EAX
          00BE0FB3: C2 0C00      RET 000C
          00BE0FB6: C3           RET ; Pop IP
          00BE0FB7: 1A00         SBB AL,BYTE PTR DS:[EAX]
          00BE0FB9: 68 25B8E9C4  PUSH C4E9B825
          00BE0FBE: E8 FBCFD27B  CALL 7C90DFBE
          00BE0FC3: 58           POP EAX
          00BE0FC4: C2 0C00      RET 000C
          00BE0FC7: C3           RET ; Pop IP
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of LoadLibraryW at 7C80AEEB (0) got patched. Here is the diff:
          Address   New-Original
          7C80AEEB: E9 - 8B 
          7C80AEEC: E4 - FF 
          7C80AEED: 60 - 55 
          7C80AEEE: 3D - 8B 
          7C80AEEF: 84 - EC 
          --> JMP DWORD PTR DS:[00BE0FD4]
          Disassembly old code:
          7C80AEEB: 8BFF         MOV EDI, EDI
          7C80AEED: 55           PUSH EBP
          7C80AEEE: 8BEC         MOV EBP, ESP

          Disassembly new code:
          7C80AEEB: E9 E4603D84  JMP 00BE0FD4
          Disassembly of hooker:
          00BE0FD4: 68 25B8E9C4  PUSH C4E9B825
          00BE0FD9: E8 E0CFD27B  CALL 7C90DFBE
          00BE0FDE: 58           POP EAX
          00BE0FDF: C2 0400      RET 0004
          00BE0FE2: C3           RET ; Pop IP
          00BE0FE3: 1800         SBB BYTE PTR DS:[EAX],AL
          00BE0FE5: 8BFF         MOV EDI, EDI
          00BE0FE7: 55           PUSH EBP
          00BE0FE8: 8BEC         MOV EBP, ESP
          00BE0FEA: E9 16F8C27B  JMP 7C810805
          00BE0FEF: 68 25B8E9C4  PUSH C4E9B825
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of VirtualProtect at 7C801AD4 (0) got patched. Here is the diff:
          Address   New-Original
          7C801AD4: E9 - 8B 
          7C801AD5: B2 - FF 
          7C801AD6: F4 - 55 
          7C801AD7: 3D - 8B 
          7C801AD8: 84 - EC 
          --> JMP DWORD PTR DS:[00BE0F8B]
          Disassembly old code:
          7C801AD4: 8BFF         MOV EDI, EDI
          7C801AD6: 55           PUSH EBP
          7C801AD7: 8BEC         MOV EBP, ESP

          Disassembly new code:
          7C801AD4: E9 B2F43D84  JMP 00BE0F8B
          Disassembly of hooker:
          00BE0F8B: 68 25B8E9C4  PUSH C4E9B825
          00BE0F90: E8 29D0D27B  CALL 7C90DFBE
          00BE0F95: 58           POP EAX
          00BE0F96: C2 1000      RET 0010
          00BE0F99: C3           RET ; Pop IP
          00BE0F9A: 1B00         SBB EAX,DWORD PTR DS:[EAX]
          00BE0F9C: 6A34         PUSH 34
          00BE0F9E: 68 F8E0807C  PUSH 7C80E0F8
          00BE0FA3: E9 540BC27B  JMP 7C801AFC
          00BE0FA8: 68 25B8E9C4  PUSH C4E9B825
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of VirtualProtectEx at 7C801A61 (0) got patched. Here is the diff:
          Address   New-Original
          7C801A61: E9 - 8B 
          7C801A62: 0A - FF 
          7C801A63: F5 - 55 
          7C801A64: 3D - 8B 
          7C801A65: 84 - EC 
          --> JMP DWORD PTR DS:[00BE0F70]
          Disassembly old code:
          7C801A61: 8BFF         MOV EDI, EDI
          7C801A63: 55           PUSH EBP
          7C801A64: 8BEC         MOV EBP, ESP

          Disassembly new code:
          7C801A61: E9 0AF53D84  JMP 00BE0F70
          Disassembly of hooker:
          00BE0F70: 68 25B8E9C4  PUSH C4E9B825
          00BE0F75: E8 44D0D27B  CALL 7C90DFBE
          00BE0F7A: 58           POP EAX
          00BE0F7B: C2 1400      RET 0014
          00BE0F7E: C3           RET ; Pop IP
          00BE0F7F: 1C00         SBB AL, 00
          00BE0F81: 8BFF         MOV EDI, EDI
          00BE0F83: 55           PUSH EBP
          00BE0F84: 8BEC         MOV EBP, ESP
          00BE0F86: E9 4E0BC27B  JMP 7C801AD9
          00BE0F8B: 68 25B8E9C4  PUSH C4E9B825
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of WinExec at 7C86250D (0) got patched. Here is the diff:
          Address   New-Original
          7C86250D: E9 - 8B 
          7C86250E: 95 - FF 
          7C86250F: DB - 55 
          7C862510: 37 - 8B 
          7C862511: 84 - EC 
          --> JMP DWORD PTR DS:[00BE00A7]
          Disassembly old code:
          7C86250D: 8BFF         MOV EDI, EDI
          7C86250F: 55           PUSH EBP
          7C862510: 8BEC         MOV EBP, ESP

          Disassembly new code:
          7C86250D: E9 95DB3784  JMP 00BE00A7
          Disassembly of hooker:
          00BE00A7: 68 25B8E9C4  PUSH C4E9B825
          00BE00AC: E8 0DDFD27B  CALL 7C90DFBE
          00BE00B1: 58           POP EAX
          00BE00B2: C2 0800      RET 0008
          00BE00B5: C3           RET ; Pop IP
          00BE00B6: 2000         AND BYTE PTR DS:[EAX],AL
          00BE00B8: 68 25B8E9C4  PUSH C4E9B825
          00BE00BD: E8 FCDED27B  CALL 7C90DFBE
          00BE00C2: 58           POP EAX
          00BE00C3: C2 2800      RET 0028
          00BE00C6: C3           RET ; Pop IP
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          ADVAPI32.dll        (77DD0000 - 77E6B000)
          The code of RegCreateKeyA at 77DFBCF3 (0) got patched. Here is the diff:
          Address   New-Original
          77DFBCF3: E9 - 8B 
          77DFBCF4: AD - FF 
          77DFBCF5: 52 - 55 
          77DFBCF6: F2 - 8B 
          77DFBCF7: 88 - EC 
          --> JMP DWORD PTR DS:[00D20FA5]
          Disassembly old code:
          77DFBCF3: 8BFF         MOV EDI, EDI
          77DFBCF5: 55           PUSH EBP
          77DFBCF6: 8BEC         MOV EBP, ESP

          Disassembly new code:
          77DFBCF3: E9 AD52F288  JMP 00D20FA5
          Disassembly of hooker:
          00D20FA5: 68 25B8E9C4  PUSH C4E9B825
          00D20FAA: E8 0FD0BE7B  CALL 7C90DFBE
          00D20FAF: 58           POP EAX
          00D20FB0: C2 0C00      RET 000C
          00D20FB3: C3           RET ; Pop IP
          00D20FB4: 1300         ADC EAX,DWORD PTR DS:[EAX]
          00D20FB6: 8BFF         MOV EDI, EDI
          00D20FB8: 55           PUSH EBP
          00D20FB9: 8BEC         MOV EBP, ESP
          00D20FBB: E9 F45A0B77  JMP 77DD6AB4
          00D20FC0: 68 25B8E9C4  PUSH C4E9B825
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of RegCreateKeyExA at 77DDE9F4 (0) got patched. Here is the diff:
          Address   New-Original
          77DDE9F4: E9 - 8B 
          77DDE9F5: 3D - FF 
          77DDE9F6: 16 - 55 
          77DDE9F7: F4 - 8B 
          77DDE9F8: 88 - EC 
          --> JMP DWORD PTR DS:[00D20036]
          Disassembly old code:
          77DDE9F4: 8BFF         MOV EDI, EDI
          77DDE9F6: 55           PUSH EBP
          77DDE9F7: 8BEC         MOV EBP, ESP

          Disassembly new code:
          77DDE9F4: E9 3D16F488  JMP 00D20036
          Disassembly of hooker:
          00D20036: 68 25B8E9C4  PUSH C4E9B825
          00D2003B: E8 7EDFBE7B  CALL 7C90DFBE
          00D20040: 58           POP EAX
          00D20041: C2 2400      RET 0024
          00D20044: C3           RET ; Pop IP
          00D20045: 15 008BFF55  ADC EAX, 55FF8B00
          00D2004A: 8BEC         MOV EBP, ESP
          00D2004C: E9 A8E90B77  JMP 77DDE9F9
          00D20051: 8BFF         MOV EDI, EDI
          00D20053: 55           PUSH EBP
          00D20054: 8BEC         MOV EBP, ESP
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of RegCreateKeyExW at 77DD776C (0) got patched. Here is the diff:
          Address   New-Original
          77DD776C: E9 - 8B 
          77DD776D: 12 - FF 
          77DD776E: 98 - 55 
          77DD776F: F4 - 8B 
          77DD7770: 88 - EC 
          --> JMP DWORD PTR DS:[00D20F83]
          Disassembly old code:
          77DD776C: 8BFF         MOV EDI, EDI
          77DD776E: 55           PUSH EBP
          77DD776F: 8BEC         MOV EBP, ESP

          Disassembly new code:
          77DD776C: E9 1298F488  JMP 00D20F83
          Disassembly of hooker:
          00D20F83: 68 25B8E9C4  PUSH C4E9B825
          00D20F88: E8 31D0BE7B  CALL 7C90DFBE
          00D20F8D: 58           POP EAX
          00D20F8E: C2 2400      RET 0024
          00D20F91: C3           RET ; Pop IP
          00D20F92: 16           PUSH SS ; Push SS register to the stack
          00D20F93: 006825       ADD BYTE PTR DS:[EAX+25H],CH
          00D20F96: B8 E9C4E820  MOV EAX, 20E8C4E9
          00D20F9B: D0BE 7B58C20C SAR BYTE PTR DS:[ESI+0CC2587B],1
          00D20FA1: 00C3         ADD BL, AL
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          The code of RegCreateKeyW at 77DFBA55 (0) got patched. Here is the diff:
          Address   New-Original
          77DFBA55: E9 - 8B 
          77DFBA56: 3A - FF 
          77DFBA58: F2 - 8B 
          77DFBA59: 88 - EC 
          --> JMP DWORD PTR DS:[00D20F94]
          Disassembly old code:
          77DFBA55: 8BFF         MOV EDI, EDI
          77DFBA57: 55           PUSH EBP
          77DFBA58: 8BEC         MOV EBP, ESP

          Disassembly new code:
          77DFBA55: E9 3A55F288  JMP 00D20F94
          Disassembly of hooker:
          00D20F94: 68 25B8E9C4  PUSH C4E9B825
          00D20F99: E8 20D0BE7B  CALL 7C90DFBE
          00D20F9E: 58           POP EAX
          00D20F9F: C2 0C00      RET 000C
          00D20FA2: C3           RET ; Pop IP
          00D20FA3: 1400         ADC AL, 00
          00D20FA5: 68 25B8E9C4  PUSH C4E9B825
          00D20FAA: E8 0FD0BE7B  CALL 7C90DFBE
          00D20FAF: 58           POP EAX
          00D20FB0: C2 0C00      RET 000C
          00D20FB3: C3           RET ; Pop IP
          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
          Base address:   7C900000
          Size:      000B2000
          Flags:      80084004
          Load count:   65535
          Name:      Microsoft® Windows® Operating System
          Prod. Version:   5.1.2600.5755
          Company:   Microsoft Corporation
          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
          Description:   NT Layer DLL
          Location:   C:\WINDOWS\system32\ntdll.dll
          Signed:      > NO! <
          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

          Xerinous

            Topic Starter


            Beginner

            Re: Can't run programs or connect to internet
            « Reply #79 on: August 08, 2010, 09:33:58 PM »

            The code of RegOpenKeyA at 77DDEFC8 (0) got patched. Here is the diff:
            Address   New-Original
            77DDEFC8: E9 - 8B 
            77DDEFC9: 33 - FF 
            77DDEFCA: 10 - 55 
            77DDEFCB: F4 - 8B 
            77DDEFCC: 88 - EC 
            --> JMP DWORD PTR DS:[00D20000]
            Disassembly old code:
            77DDEFC8: 8BFF         MOV EDI, EDI
            77DDEFCA: 55           PUSH EBP
            77DDEFCB: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77DDEFC8: E9 3310F488  JMP 00D20000
            Disassembly of hooker:
            00D20000: 68 25B8E9C4  PUSH C4E9B825
            00D20005: E8 B4DFBE7B  CALL 7C90DFBE
            00D2000A: 58           POP EAX
            00D2000B: C2 0C00      RET 000C
            00D2000E: C3           RET ; Pop IP
            00D2000F: 0F006825     VERW WORD PTR DS:[EAX+25]
            00D20013: B8 E9C4E8A3  MOV EAX, A3E8C4E9
            00D20018: DFBE 7B58C20C FISTP QWORD PTR DS:[ESI+0CC2587B]
            00D2001E: 00C3         ADD BL, AL
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of RegOpenKeyExA at 77DD7852 (0) got patched. Here is the diff:
            Address   New-Original
            77DD7852: E9 - 8B 
            77DD7853: 7A - FF 
            77DD7854: 97 - 55 
            77DD7855: F4 - 8B 
            77DD7856: 88 - EC 
            --> JMP DWORD PTR DS:[00D20FD1]
            Disassembly old code:
            77DD7852: 8BFF         MOV EDI, EDI
            77DD7854: 55           PUSH EBP
            77DD7855: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77DD7852: E9 7A97F488  JMP 00D20FD1
            Disassembly of hooker:
            00D20FD1: 68 25B8E9C4  PUSH C4E9B825
            00D20FD6: E8 E3CFBE7B  CALL 7C90DFBE
            00D20FDB: 58           POP EAX
            00D20FDC: C2 1400      RET 0014
            00D20FDF: C3           RET ; Pop IP
            00D20FE0: 1100         ADC DWORD PTR DS:[EAX],EAX
            00D20FE2: 8BFF         MOV EDI, EDI
            00D20FE4: 55           PUSH EBP
            00D20FE5: 8BEC         MOV EBP, ESP
            00D20FE7: E9 6B680B77  JMP 77DD7857
            00D20FEC: 8BFF         MOV EDI, EDI
            00D20FEE: 55           PUSH EBP
            00D20FEF: 8BEC         MOV EBP, ESP
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of RegOpenKeyExW at 77DD6AAF (0) got patched. Here is the diff:
            Address   New-Original
            77DD6AAF: E9 - 8B 
            77DD6AB0: 0C - FF 
            77DD6AB1: A5 - 55 
            77DD6AB2: F4 - 8B 
            77DD6AB3: 88 - EC 
            --> JMP DWORD PTR DS:[00D20FC0]
            Disassembly old code:
            77DD6AAF: 8BFF         MOV EDI, EDI
            77DD6AB1: 55           PUSH EBP
            77DD6AB2: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77DD6AAF: E9 0CA5F488  JMP 00D20FC0
            Disassembly of hooker:
            00D20FC0: 68 25B8E9C4  PUSH C4E9B825
            00D20FC5: E8 F4CFBE7B  CALL 7C90DFBE
            00D20FCA: 58           POP EAX
            00D20FCB: C2 1400      RET 0014
            00D20FCE: C3           RET ; Pop IP
            00D20FCF: 1200         ADC AL,BYTE PTR DS:[EAX]
            00D20FD1: 68 25B8E9C4  PUSH C4E9B825
            00D20FD6: E8 E3CFBE7B  CALL 7C90DFBE
            00D20FDB: 58           POP EAX
            00D20FDC: C2 1400      RET 0014
            00D20FDF: C3           RET ; Pop IP
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of RegOpenKeyW at 77DD7946 (0) got patched. Here is the diff:
            Address   New-Original
            77DD7946: E9 - 8B 
            77DD7947: C6 - FF 
            77DD7948: 86 - 55 
            77DD7949: F4 - 8B 
            77DD794A: 88 - EC 
            --> JMP DWORD PTR DS:[00D20011]
            Disassembly old code:
            77DD7946: 8BFF         MOV EDI, EDI
            77DD7948: 55           PUSH EBP
            77DD7949: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77DD7946: E9 C686F488  JMP 00D20011
            Disassembly of hooker:
            00D20011: 68 25B8E9C4  PUSH C4E9B825
            00D20016: E8 A3DFBE7B  CALL 7C90DFBE
            00D2001B: 58           POP EAX
            00D2001C: C2 0C00      RET 000C
            00D2001F: C3           RET ; Pop IP
            00D20020: 1000         ADC BYTE PTR DS:[EAX],AL
            00D20022: 8BFF         MOV EDI, EDI
            00D20024: 55           PUSH EBP
            00D20025: 8BEC         MOV EBP, ESP
            00D20027: E9 CCBC0D77  JMP 77DFBCF8
            00D2002C: 8BFF         MOV EDI, EDI
            00D2002E: 55           PUSH EBP
            00D2002F: 8BEC         MOV EBP, ESP
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            RPCRT4.dll          (77E70000 - 77F02000)
            Secur32.dll         (77FE0000 - 77FF1000)
            LSASRV.dll          (75730000 - 757E5000)
            MPR.dll             (71B20000 - 71B32000)
            USER32.dll          (7E410000 - 7E4A1000)
            GDI32.dll           (77F10000 - 77F59000)
            MSASN1.dll          (77B20000 - 77B32000)
            msvcrt.dll          (77C10000 - 77C68000)
            The code of _creat at 77C2D40F (0) got patched. Here is the diff:
            Address   New-Original
            77C2D40F: E9 - 8B 
            77C2D410: 13 - FF 
            77C2D411: 2C - 55 
            77C2D412: 0E - 8B 
            77C2D413: 89 - EC 
            --> JMP DWORD PTR DS:[00D10027]
            Disassembly old code:
            77C2D40F: 8BFF         MOV EDI, EDI
            77C2D411: 55           PUSH EBP
            77C2D412: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77C2D40F: E9 132C0E89  JMP 00D10027
            Disassembly of hooker:
            00D10027: 68 25B8E9C4  PUSH C4E9B825
            00D1002C: E8 8DDFBF7B  CALL 7C90DFBE
            00D10031: 58           POP EAX
            00D10032: C2 0000      RET 0000
            00D10035: C3           RET ; Pop IP
            00D10036: 0B00         OR EAX,DWORD PTR DS:[EAX]
            00D10038: 68 25B8E9C4  PUSH C4E9B825
            00D1003D: E8 7CDFBF7B  CALL 7C90DFBE
            00D10042: 58           POP EAX
            00D10043: C2 0000      RET 0000
            00D10046: C3           RET ; Pop IP
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of _open at 77C2F566 (0) got patched. Here is the diff:
            Address   New-Original
            77C2F566: E9 - 6A 
            77C2F567: A1 - 14 
            77C2F568: 0A - 68 
            --> JMP DWORD PTR DS:[00D1000C]
            Disassembly old code:
            77C2F566: 6A14         PUSH 14

            Disassembly new code:
            77C2F566: E9 A10A0E89  JMP 00D1000C
            Disassembly of hooker:
            00D1000C: 68 25B8E9C4  PUSH C4E9B825
            00D10011: E8 A8DFBF7B  CALL 7C90DFBE
            00D10016: 58           POP EAX
            00D10017: C2 0000      RET 0000
            00D1001A: C3           RET ; Pop IP
            00D1001B: 0900         OR DWORD PTR DS:[EAX],EAX
            00D1001D: 8BFF         MOV EDI, EDI
            00D1001F: 55           PUSH EBP
            00D10020: 8BEC         MOV EBP, ESP
            00D10022: E9 EDD3F176  JMP 77C2D414
            00D10027: 68 25B8E9C4  PUSH C4E9B825
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of _wcreat at 77C2FC9B (0) got patched. Here is the diff:
            Address   New-Original
            77C2FC9B: E9 - 8B 
            77C2FC9C: 32 - FF 
            77C2FC9D: 13 - 55 
            77C2FC9E: 0E - 8B 
            77C2FC9F: 89 - EC 
            --> JMP DWORD PTR DS:[00D10FD2]
            Disassembly old code:
            77C2FC9B: 8BFF         MOV EDI, EDI
            77C2FC9D: 55           PUSH EBP
            77C2FC9E: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77C2FC9B: E9 32130E89  JMP 00D10FD2
            Disassembly of hooker:
            00D10FD2: 68 25B8E9C4  PUSH C4E9B825
            00D10FD7: E8 E2CFBF7B  CALL 7C90DFBE
            00D10FDC: 58           POP EAX
            00D10FDD: C2 0000      RET 0000
            00D10FE0: C3           RET ; Pop IP
            00D10FE1: 0C00         OR AL, 00
            00D10FE3: 68 25B8E9C4  PUSH C4E9B825
            00D10FE8: E8 D1CFBF7B  CALL 7C90DFBE
            00D10FED: 58           POP EAX
            00D10FEE: C2 0000      RET 0000
            00D10FF1: C3           RET ; Pop IP
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of _wopen at 77C30055 (0) got patched. Here is the diff:
            Address   New-Original
            77C30055: E9 - 6A 
            77C30056: 89 - 14 
            77C30057: 0F - 68 
            --> JMP DWORD PTR DS:[00D10FE3]
            Disassembly old code:
            77C30055: 6A14         PUSH 14

            Disassembly new code:
            77C30055: E9 890F0E89  JMP 00D10FE3
            Disassembly of hooker:
            00D10FE3: 68 25B8E9C4  PUSH C4E9B825
            00D10FE8: E8 D1CFBF7B  CALL 7C90DFBE
            00D10FED: 58           POP EAX
            00D10FEE: C2 0000      RET 0000
            00D10FF1: C3           RET ; Pop IP
            00D10FF2: 0A00         OR AL,BYTE PTR DS:[EAX]
            00D10FF4: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10FF6: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10FF8: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10FFA: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10FFC: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10FFE: 0000         ADD BYTE PTR DS:[EAX],AL
            00D11000: 0000         ADD BYTE PTR DS:[EAX],AL
            00D11002: 0000         ADD BYTE PTR DS:[EAX],AL
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of _wsystem at 77C2931E (0) got patched. Here is the diff:
            Address   New-Original
            77C2931E: E9 - 8B 
            77C2931F: 30 - FF 
            77C29320: 6D - 55 
            77C29321: 0E - 8B 
            77C29322: 89 - EC 
            --> JMP DWORD PTR DS:[00D10053]
            Disassembly old code:
            77C2931E: 8BFF         MOV EDI, EDI
            77C29320: 55           PUSH EBP
            77C29321: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77C2931E: E9 306D0E89  JMP 00D10053
            Disassembly of hooker:
            00D10053: 68 25B8E9C4  PUSH C4E9B825
            00D10058: E8 61DFBF7B  CALL 7C90DFBE
            00D1005D: 58           POP EAX
            00D1005E: C2 0000      RET 0000
            00D10061: C3           RET ; Pop IP
            00D10062: 0E           PUSH CS ; Push CS register to the stack
            00D10063: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10065: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10067: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10069: 0000         ADD BYTE PTR DS:[EAX],AL
            00D1006B: 0000         ADD BYTE PTR DS:[EAX],AL
            00D1006D: 0000         ADD BYTE PTR DS:[EAX],AL
            00D1006F: 0000         ADD BYTE PTR DS:[EAX],AL
            00D10071: 0000         ADD BYTE PTR DS:[EAX],AL
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            The code of system at 77C293C7 (0) got patched. Here is the diff:
            Address   New-Original
            77C293C7: E9 - 8B 
            77C293C8: 6C - FF 
            77C293C9: 6C - 55 
            77C293CA: 0E - 8B 
            77C293CB: 89 - EC 
            --> JMP DWORD PTR DS:[00D10038]
            Disassembly old code:
            77C293C7: 8BFF         MOV EDI, EDI
            77C293C9: 55           PUSH EBP
            77C293CA: 8BEC         MOV EBP, ESP

            Disassembly new code:
            77C293C7: E9 6C6C0E89  JMP 00D10038
            Disassembly of hooker:
            00D10038: 68 25B8E9C4  PUSH C4E9B825
            00D1003D: E8 7CDFBF7B  CALL 7C90DFBE
            00D10042: 58           POP EAX
            00D10043: C2 0000      RET 0000
            00D10046: C3           RET ; Pop IP
            00D10047: 0D 008BFF55  OR EAX, 55FF8B00
            00D1004C: 8BEC         MOV EBP, ESP
            00D1004E: E9 7993F176  JMP 77C293CC
            00D10053: 68 25B8E9C4  PUSH C4E9B825
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            NETAPI32.dll        (5B860000 - 5B8B5000)
            NTDSAPI.dll         (767A0000 - 767B3000)
            DNSAPI.dll          (76F20000 - 76F47000)
            WS2_32.dll          (71AB0000 - 71AC7000)
            The code of socket at 71AB4211 (0) got patched. Here is the diff:
            Address   New-Original
            71AB4211: E9 - 8B 
            71AB4212: EA - FF 
            71AB4213: BD - 55 
            71AB4214: 24 - 8B 
            71AB4215: 8F - EC 
            --> JMP DWORD PTR DS:[00D00000]
            Disassembly old code:
            71AB4211: 8BFF         MOV EDI, EDI
            71AB4213: 55           PUSH EBP
            71AB4214: 8BEC         MOV EBP, ESP

            Disassembly new code:
            71AB4211: E9 EABD248F  JMP 00D00000
            Disassembly of hooker:
            00D00000: 68 25B8E9C4  PUSH C4E9B825
            00D00005: E8 B4DFC07B  CALL 7C90DFBE
            00D0000A: 58           POP EAX
            00D0000B: C2 0C00      RET 000C
            00D0000E: C3           RET ; Pop IP
            00D0000F: 0800         OR BYTE PTR DS:[EAX],AL
            00D00011: 8BFF         MOV EDI, EDI
            00D00013: 55           PUSH EBP
            00D00014: 8BEC         MOV EBP, ESP
            00D00016: E9 FB41DB70  JMP 71AB4216
            00D0001B: 0000         ADD BYTE PTR DS:[EAX],AL
            00D0001D: 0000         ADD BYTE PTR DS:[EAX],AL
            00D0001F: 0000         ADD BYTE PTR DS:[EAX],AL
            Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
            Base address:   7C900000
            Size:      000B2000
            Flags:      80084004
            Load count:   65535
            Name:      Microsoft® Windows® Operating System
            Prod. Version:   5.1.2600.5755
            Company:   Microsoft Corporation
            File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
            Description:   NT Layer DLL
            Location:   C:\WINDOWS\system32\ntdll.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            WS2HELP.dll         (71AA0000 - 71AA8000)
            WLDAP32.dll         (76F60000 - 76F8C000)
            SAMLIB.dll          (71BF0000 - 71C03000)
            SAMSRV.dll          (74440000 - 744AA000)
            cryptdll.dll        (76790000 - 7679C000)
            ShimEng.dll         (5CB70000 - 5CB96000)
            AcGenral.DLL        (6F880000 - 6FA4A000)
            WINMM.dll           (76B40000 - 76B6D000)
            ole32.dll           (774E0000 - 7761D000)
            OLEAUT32.dll        (77120000 - 771AB000)
            MSACM32.dll         (77BE0000 - 77BF5000)
            VERSION.dll         (77C00000 - 77C08000)
            SHELL32.dll         (7C9C0000 - 7D1D7000)
            SHLWAPI.dll         (77F60000 - 77FD6000)
            USERENV.dll         (769C0000 - 76A74000)
            UxTheme.dll         (5AD70000 - 5ADA8000)
            IMM32.DLL           (76390000 - 763AD000)
            comctl32.dll        (773D0000 - 774D3000)
            comctl32.dll        (5D090000 - 5D12A000)
            msprivs.dll         (4D200000 - 4D20E000)
            kerberos.dll        (71CF0000 - 71D3C000)
            msv1_0.dll          (77C70000 - 77C95000)
            iphlpapi.dll        (76D60000 - 76D79000)
            netlogon.dll        (744B0000 - 74515000)
            w32time.dll         (767C0000 - 767EC000)
            MSVCP60.dll         (76080000 - 760E5000)
            schannel.dll        (767F0000 - 76818000)
            CRYPT32.dll         (77A80000 - 77B15000)
            wdigest.dll         (7DFC0000 - 7DFD1000)
            rsaenh.dll          (68000000 - 68036000)
            scecli.dll          (74410000 - 7443F000)
            SETUPAPI.dll        (77920000 - 77A13000)

            PID 1560  - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
            -------------------------------------------------------------------------------
            ntdll.dll           (7C900000 - 7C9B2000)
            kernel32.dll        (7C800000 - 7C8F6000)
              WINMM.dll   :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll:
            Base address:   6BFA0000
            Size:      0001E000
            Flags:      80084004
            Load count:   1
            Name:      AOL Diagnostics
            Prod. Version:   3.3.15.2
            Company:   AOL LLC
            File Version:   3.3.15.2
            Description:   AOL Diagnostics
            Location:   C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
              WINMM.dll   :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll:
            Base address:   6BFA0000
            Size:      0001E000
            Flags:      80084004
            Load count:   1
            Name:      AOL Diagnostics
            Prod. Version:   3.3.15.2
            Company:   AOL LLC
            File Version:   3.3.15.2
            Description:   AOL Diagnostics
            Location:   C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
              WINMM.dll   :LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
            Information about C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll:
            Base address:   6BFA0000
            Size:      0001E000
            Flags:      80084004
            Load count:   1
            Name:      AOL Diagnostics
            Prod. Version:   3.3.15.2
            Company:   AOL LLC
            File Version:   3.3.15.2
            Description:   AOL Diagnostics
            Location:   C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
            Signed:      > NO! <
            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
              WINMM.dll   :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll

            :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

            Xerinous
              Topic Starter
              Beginner

              Re: Can't run programs or connect to internet
              « Reply #80 on: August 08, 2010, 09:34:49 PM »

              Information about C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll:
              Base address:   6BFA0000
              Size:      0001E000
              Flags:      80084004
              Load count:   1
              Name:      AOL Diagnostics
              Prod. Version:   3.3.15.2
              Company:   AOL LLC
              File Version:   3.3.15.2
              Description:   AOL Diagnostics
              Location:   C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
              Signed:      > NO! <
              :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                ADVAPI32.dll:LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ADVAPI32.dll:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ADVAPI32.dll:LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ADVAPI32.dll:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                RPCRT4.dll  :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                RPCRT4.dll  :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                RPCRT4.dll  :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                Secur32.dll :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                Secur32.dll :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                Secur32.dll :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                GDI32.dll   :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                GDI32.dll   :LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                GDI32.dll   :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                GDI32.dll   :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                USER32.dll  :LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                USER32.dll  :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                USER32.dll  :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                USER32.dll  :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                TAPI32.dll  :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                TAPI32.dll  :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                msvcrt.dll  :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                msvcrt.dll  :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                rtutils.dll :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                rtutils.dll :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                rtutils.dll :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHLWAPI.dll :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHLWAPI.dll :LoadLibraryExA           --[HOOKED]--  @6BFA9D54 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHLWAPI.dll :LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHLWAPI.dll :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHLWAPI.dll :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                WS2_32.dll  :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                WS2_32.dll  :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                WS2HELP.dll :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                WS2HELP.dll :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SETUPAPI.dll:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SETUPAPI.dll:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SETUPAPI.dll:LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                VERSION.dll :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                VERSION.dll :LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                VERSION.dll :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHELL32.dll :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHELL32.dll :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHELL32.dll :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHELL32.dll :LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                SHELL32.dll :LoadLibraryExA           --[HOOKED]--  @6BFA9D54 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ole32.dll   :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ole32.dll   :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ole32.dll   :LoadLibraryExW           --[HOOKED]--  @6BFA9DE1 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ole32.dll   :LoadLibraryExA           --[HOOKED]--  @6BFA9D54 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                ole32.dll   :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                OLEAUT32.dll:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                OLEAUT32.dll:LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                OLEAUT32.dll:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                IMM32.DLL   :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                IMM32.DLL   :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                comctl32.dll:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                comctl32.dll:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                comctl32.dll:LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                comctl32.dll:LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                comctl32.dll:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                comctl32.dll:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                msctfime.ime:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                msctfime.ime:LoadLibraryExA           --[HOOKED]--  @6BFA9D54 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                msctfime.ime:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                msctfime.ime:LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                psapi.dll   :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                psapi.dll   :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                wtsapi32.dll:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                wtsapi32.dll:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                WINSTA.dll  :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                NETAPI32.dll:LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                NETAPI32.dll:SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                NETAPI32.dll:LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                userenv.dll :LoadLibraryW             --[HOOKED]--  @6BFA9CCD by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                userenv.dll :LoadLibraryExA           --[HOOKED]--  @6BFA9D54 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                userenv.dll :LoadLibraryA             --[HOOKED]--  @6BFA9C46 by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
                userenv.dll :SetUnhandledExceptionFilter--[HOOKED]--  @6BFA9E6E by C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
              AOLacsd.dll         (10000000 - 10142000)
              WINMM.dll           (76B40000 - 76B6D000)
              ADVAPI32.dll        (77DD0000 - 77E6B000)
              RPCRT4.dll          (77E70000 - 77F02000)
              Secur32.dll         (77FE0000 - 77FF1000)
              GDI32.dll           (77F10000 - 77F59000)
              USER32.dll          (7E410000 - 7E4A1000)
              TAPI32.dll          (76EB0000 - 76EDF000)
              msvcrt.dll          (77C10000 - 77C68000)
              rtutils.dll         (76E80000 - 76E8E000)
              SHLWAPI.dll         (77F60000 - 77FD6000)
              WS2_32.dll          (71AB0000 - 71AC7000)
              WS2HELP.dll         (71AA0000 - 71AA8000)
              SETUPAPI.dll        (77920000 - 77A13000)
              VERSION.dll         (77C00000 - 77C08000)
              SHELL32.dll         (7C9C0000 - 7D1D7000)
              ole32.dll           (774E0000 - 7761D000)
              OLEAUT32.dll        (77120000 - 771AB000)
              xpat.dll            (00350000 - 0036E000)
              IMM32.DLL           (76390000 - 763AD000)
              comctl32.dll        (773D0000 - 774D3000)
              comctl32.dll        (5D090000 - 5D12A000)
              msctfime.ime        (755C0000 - 755EE000)
              psapi.dll           (76BF0000 - 76BFB000)
              wtsapi32.dll        (76F50000 - 76F58000)
              WINSTA.dll          (76360000 - 76370000)
              NETAPI32.dll        (5B860000 - 5B8B5000)
              userenv.dll         (769C0000 - 76A74000)
              ACSMDiag.dll        (00BE0000 - 00BF9000)
              tbdiag.dll          (6BFA0000 - 6BFBE000)
              AcsCmn.dll          (00E20000 - 00E5F000)

              PID 1572  - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
              -------------------------------------------------------------------------------
              ntdll.dll           (7C900000 - 7C9B2000)
              kernel32.dll        (7C800000 - 7C8F6000)
              WSOCK32.dll         (71AD0000 - 71AD9000)
              WS2_32.dll          (71AB0000 - 71AC7000)
              ADVAPI32.dll        (77DD0000 - 77E6B000)
              RPCRT4.dll          (77E70000 - 77F02000)
              Secur32.dll         (77FE0000 - 77FF1000)
              msvcrt.dll          (77C10000 - 77C68000)
              WS2HELP.dll         (71AA0000 - 71AA8000)
              SETUPAPI.dll        (77920000 - 77A13000)
              GDI32.dll           (77F10000 - 77F59000)
              USER32.dll          (7E410000 - 7E4A1000)
              WTSAPI32.dll        (76F50000 - 76F58000)
              WINSTA.dll          (76360000 - 76370000)
              NETAPI32.dll        (5B860000 - 5B8B5000)
              USERENV.dll         (769C0000 - 76A74000)
              IMM32.DLL           (76390000 - 763AD000)
              NTMARTA.DLL         (77690000 - 776B1000)
              ole32.dll           (774E0000 - 7761D000)
              SAMLIB.dll          (71BF0000 - 71C03000)
              WLDAP32.dll         (76F60000 - 76F8C000)
              mswsock.dll         (71A50000 - 71A8F000)
              hnetcfg.dll         (662B0000 - 66308000)
              wshtcpip.dll        (71A90000 - 71A98000)
              WINTRUST.dll        (76C30000 - 76C5E000)
              CRYPT32.dll         (77A80000 - 77B15000)
              MSASN1.dll          (77B20000 - 77B32000)
              IMAGEHLP.dll        (76C90000 - 76CB8000)
              msv1_0.dll          (77C70000 - 77C95000)
              cryptdll.dll        (76790000 - 7679C000)
              iphlpapi.dll        (76D60000 - 76D79000)
              rsaenh.dll          (68000000 - 68036000)

              PID 1592  - C:\Program Files\Bonjour\mDNSResponder.exe
              -------------------------------------------------------------------------------
              ntdll.dll           (7C900000 - 7C9B2000)
              kernel32.dll        (7C800000 - 7C8F6000)
              WS2_32.dll          (71AB0000 - 71AC7000)
              ADVAPI32.dll        (77DD0000 - 77E6B000)
              RPCRT4.dll          (77E70000 - 77F02000)
              Secur32.dll         (77FE0000 - 77FF1000)
              msvcrt.dll          (77C10000 - 77C68000)
              WS2HELP.dll         (71AA0000 - 71AA8000)
              IPHLPAPI.DLL        (76D60000 - 76D79000)
              USER32.dll          (7E410000 - 7E4A1000)
              GDI32.dll           (77F10000 - 77F59000)
              NETAPI32.dll        (5B860000 - 5B8B5000)
              POWRPROF.dll        (74AD0000 - 74AD8000)
              ole32.dll           (774E0000 - 7761D000)
              OLEAUT32.dll        (77120000 - 771AB000)
              IMM32.DLL           (76390000 - 763AD000)
              rsaenh.dll          (68000000 - 68036000)
              SHELL32.dll         (7C9C0000 - 7D1D7000)
              SHLWAPI.dll         (77F60000 - 77FD6000)
              comctl32.dll        (773D0000 - 774D3000)
              comctl32.dll        (5D090000 - 5D12A000)
              mswsock.dll         (71A50000 - 71A8F000)
              hnetcfg.dll         (662B0000 - 66308000)
              wshtcpip.dll        (71A90000 - 71A98000)
              MPRAPI.dll          (76D40000 - 76D58000)
              ACTIVEDS.dll        (77CC0000 - 77CF2000)
              adsldpc.dll         (76E10000 - 76E35000)
              WLDAP32.dll         (76F60000 - 76F8C000)
              ATL.DLL             (76B20000 - 76B31000)
              rtutils.dll         (76E80000 - 76E8E000)
              SAMLIB.dll          (71BF0000 - 71C03000)
              SETUPAPI.dll        (77920000 - 77A13000)

              PID 1632  - C:\WINDOWS\system32\CTsvcCDA.EXE
              -------------------------------------------------------------------------------
              ntdll.dll           (7C900000 - 7C9B2000)
              kernel32.dll        (7C800000 - 7C8F6000)
              USER32.dll          (7E410000 - 7E4A1000)
              GDI32.dll           (77F10000 - 77F59000)
              ADVAPI32.dll        (77DD0000 - 77E6B000)
              RPCRT4.dll          (77E70000 - 77F02000)
              Secur32.dll         (77FE0000 - 77FF1000)
              IMM32.DLL           (76390000 - 763AD000)

              PID 1672  - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
              -------------------------------------------------------------------------------
              ntdll.dll           (7C900000 - 7C9B2000)
              mscoree.dll         (79000000 - 79046000)
              Cannot read memory @00005DC0: 8000000D
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00005DC0
              Cannot read memory @00002E90: 8000000D
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00002E90
              Cannot read memory @0000B8C0: 8000000D
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @0000B8C0
              Cannot read memory @00011E10: 8000000D
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00011E10
              Disassembly of hooker:
              0003A580: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A582: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A584: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A586: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A588: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A58A: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A58C: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A58E: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A590: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A592: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A594: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A596: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A598: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A59A: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A59C: 0000         ADD BYTE PTR DS:[EAX],AL
              0003A59E: 0000         ADD BYTE PTR DS:[EAX],AL
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @0003A580
              Cannot read memory @00004850: 8000000D
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00004850
              Cannot read memory @00009B90: 8000000D
                Intuit.Spc.Fo_CorDllMain              --[HOOKED]--  @00009B90
              Disassembly of hooker:
              0006EA10: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA12: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA14: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA16: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA18: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA1A: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA1C: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA1E: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA20: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA22: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA24: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA26: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA28: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA2A: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA2C: 0000         ADD BYTE PTR DS:[EAX],AL
              0006EA2E: 0000         ADD BYTE PTR DS:[EAX],AL
                Intuit.Spc.Fo_CorDllMain              --[HOOKED]--  @0006EA10
              Cannot read memory @0000E210: 8000000D
                Intuit.Spc.Fo_CorDllMain              --[HOOKED]--  @0000E210
              Disassembly of hooker:
              00010C40: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C42: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C44: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C46: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C48: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C4A: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C4C: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C4E: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C50: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C52: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C54: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C56: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C58: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C5A: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C5C: 0000         ADD BYTE PTR DS:[EAX],AL
              00010C5E: 0000         ADD BYTE PTR DS:[EAX],AL
                Intuit.Spc.Fo_CorDllMain              --[HOOKED]--  @00010C40
              Disassembly of hooker:
              002AC1E0: 0000         ADD BYTE PTR DS:[EAX],AL
              002AC1E2: 004013       ADD BYTE PTR DS:[EAX+13H],AL
              002AC1E5: 0000         ADD BYTE PTR DS:[EAX],AL
              002AC1E7: 0000         ADD BYTE PTR DS:[EAX],AL
              002AC1E9: 00D4         ADD AH, DL
              002AC1EB: C54900       LDS ECX,FWORD PTR DS:[ECX+00H]
              002AC1EE: 7400         JZ 002AC1F0
              002AC1F0: 61           POPAD
              002AC1F1: 006C0069     ADD BYTE PTR DS:[EAX+EAX+69H],CH
              002AC1F5: 006100       ADD BYTE PTR DS:[ECX+00H],AH
              002AC1F8: 6E           OUTSB ; DX, Byte ptr ES:[edi]
              002AC1F9: 0000         ADD BYTE PTR DS:[EAX],AL
              002AC1FB: 004900       ADD BYTE PTR DS:[ECX+00H],CL
              002AC1FE: 54           PUSH ESP
              002AC1FF: 004100       ADD BYTE PTR DS:[ECX+00H],AL
                System.dll  :_CorDllMain              --[HOOKED]--  @002AC1E0
              Disassembly of hooker:
              0005C1D0: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1D2: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1D4: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1D6: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1D8: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1DA: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1DC: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1DE: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1E0: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1E2: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1E4: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1E6: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1E8: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1EA: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1EC: 0000         ADD BYTE PTR DS:[EAX],AL
              0005C1EE: 0000         ADD BYTE PTR DS:[EAX],AL
                System.Config_CorDllMain              --[HOOKED]--  @0005C1D0
              Disassembly of hooker:
              001D65C0: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65C2: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65C4: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65C6: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65C8: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65CA: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65CC: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65CE: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65D0: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65D2: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65D4: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65D6: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65D8: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65DA: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65DC: 0000         ADD BYTE PTR DS:[EAX],AL
              001D65DE: 0000         ADD BYTE PTR DS:[EAX],AL
                System.Xml.dl_CorDllMain              --[HOOKED]--  @001D65C0
              Disassembly of hooker:
              000623B0: 0000         ADD BYTE PTR DS:[EAX],AL
              000623B2: 0000         ADD BYTE PTR DS:[EAX],AL
              000623B4: 0000         ADD BYTE PTR DS:[EAX],AL
              000623B6: 0000         ADD BYTE PTR DS:[EAX],AL
              000623B8: 0000         ADD BYTE PTR DS:[EAX],AL
              000623BA: 0000         ADD BYTE PTR DS:[EAX],AL
              000623BC: 0000         ADD BYTE PTR DS:[EAX],AL
              000623BE: 0000         ADD BYTE PTR DS:[EAX],AL
              000623C0: 0000         ADD BYTE PTR DS:[EAX],AL
              000623C2: 0000         ADD BYTE PTR DS:[EAX],AL
              000623C4: 0000         ADD BYTE PTR DS:[EAX],AL
              000623C6: 0000         ADD BYTE PTR DS:[EAX],AL
              000623C8: 0000         ADD BYTE PTR DS:[EAX],AL
              000623CA: 0000         ADD BYTE PTR DS:[EAX],AL
              000623CC: 0000         ADD BYTE PTR DS:[EAX],AL
              000623CE: 0000         ADD BYTE PTR DS:[EAX],AL
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @000623B0
              Cannot read memory @0001D6C0: 8000000D
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @0001D6C0
              Cannot read memory @0001FFC0: 8000000D
                Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @0001FFC0
              Disassembly of hooker:
              00071340: 0000         ADD BYTE PTR DS:[EAX],AL
              00071342: 0000         ADD BYTE PTR DS:[EAX],AL
              00071344: 0000         ADD BYTE PTR DS:[EAX],AL
              00071346: 0000         ADD BYTE PTR DS:[EAX],AL
              00071348: 0000         ADD BYTE PTR DS:[EAX],AL
              0007134A: 0000         ADD BYTE PTR DS:[EAX],AL
              0007134C: 0000         ADD BYTE PTR DS:[EAX],AL
              0007134E: 0000         ADD BYTE PTR DS:[EAX],AL
              00071350: 0000         ADD BYTE PTR DS:[EAX],AL
              00071352: 0000         ADD BYTE PTR DS:[EAX],AL
              00071354: 0000         ADD BYTE PTR DS:[EAX],AL
              00071356: 0000         ADD BYTE PTR DS:[EAX],AL
              00071358: 0000         ADD BYTE PTR DS:[EAX],AL
              0007135A: 0000         ADD BYTE PTR DS:[EAX],AL
              0007135C: 0000         ADD BYTE PTR DS:[EAX],AL
              0007135E: 0000         ADD BYTE PTR DS:[EAX],AL
                Intuit.Spc.Ma_CorDllMain              --[HOOKED]--  @00071340
              Disassembly of hooker:
              0003B650: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B652: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B654: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B656: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B658: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B65A: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B65C: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B65E: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B660: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B662: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B664: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B666: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B668: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B66A: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B66C: 0000         ADD BYTE PTR DS:[EAX],AL
              0003B66E: 0000         ADD BYTE PTR DS:[EAX],AL
                System.Enterp_CorDllMain              --[HOOKED]--  @0003B650
              Disassembly of hooker:
              000477E0: 0000         ADD BYTE PTR DS:[EAX],AL
              000477E2: 0000         ADD BYTE PTR DS:[EAX],AL
              000477E4: 0000         ADD BYTE PTR DS:[EAX],AL
              000477E6: 0000         ADD BYTE PTR DS:[EAX],AL
              000477E8: 0000         ADD BYTE PTR DS:[EAX],AL
              000477EA: 0000         ADD BYTE PTR DS:[EAX],AL
              000477EC: 0000         ADD BYTE PTR DS:[EAX],AL
              000477EE: 0000         ADD BYTE PTR DS:[EAX],AL
              000477F0: 0000         ADD BYTE PTR DS:[EAX],AL
              000477F2: 0000         ADD BYTE PTR DS:[EAX],AL
              000477F4: 0000         ADD BYTE PTR DS:[EAX],AL
              000477F6: 0000         ADD BYTE PTR DS:[EAX],AL
              000477F8: 0000         ADD BYTE PTR DS:[EAX],AL
              000477FA: 0000         ADD BYTE PTR DS:[EAX],AL
              000477FC: 0000         ADD BYTE PTR DS:[EAX],AL
              000477FE: 0000         ADD BYTE PTR DS:[EAX],AL
                System.Runtim_CorDllMain              --[HOOKED]--  @000477E0
              Cannot read memory @0047C030: 8000000D
                System.Window_CorDllMain              --[HOOKED]--  @0047C030
              Disassembly of hooker:
              00088BD0: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BD2: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BD4: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BD6: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BD8: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BDA: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BDC: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BDE: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BE0: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BE2: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BE4: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BE6: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BE8: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BEA: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BEC: 0000         ADD BYTE PTR DS:[EAX],AL
              00088BEE: 0000         ADD BYTE PTR DS:[EAX],AL
                System.Drawin_CorDllMain              --[HOOKED]--  @00088BD0

              Xerinous

                Re: Can't run programs or connect to internet
                « Reply #81 on: August 08, 2010, 09:35:29 PM »

                Disassembly of hooker:
                001039F8: 0000         ADD BYTE PTR DS:[EAX],AL
                001039FA: 0000         ADD BYTE PTR DS:[EAX],AL
                001039FC: 0000         ADD BYTE PTR DS:[EAX],AL
                001039FE: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A00: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A02: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A04: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A06: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A08: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A0A: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A0C: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A0E: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A10: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A12: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A14: 0000         ADD BYTE PTR DS:[EAX],AL
                00103A16: 0000         ADD BYTE PTR DS:[EAX],AL
                  Intuit.Spc.Ma_CorDllMain              --[HOOKED]--  @001039F8
                Cannot read memory @0001AA40: 8000000D
                  System.Servic_CorDllMain              --[HOOKED]--  @0001AA40
                Cannot read memory @0000B710: 8000000D
                  Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @0000B710
                Cannot read memory @00011400: 8000000D
                  Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00011400
                Disassembly of hooker:
                00042050: 0000         ADD BYTE PTR DS:[EAX],AL
                00042052: 0000         ADD BYTE PTR DS:[EAX],AL
                00042054: 0000         ADD BYTE PTR DS:[EAX],AL
                00042056: 0000         ADD BYTE PTR DS:[EAX],AL
                00042058: 0000         ADD BYTE PTR DS:[EAX],AL
                0004205A: 0000         ADD BYTE PTR DS:[EAX],AL
                0004205C: 0000         ADD BYTE PTR DS:[EAX],AL
                0004205E: 0000         ADD BYTE PTR DS:[EAX],AL
                00042060: 0000         ADD BYTE PTR DS:[EAX],AL
                00042062: 0000         ADD BYTE PTR DS:[EAX],AL
                00042064: 0000         ADD BYTE PTR DS:[EAX],AL
                00042066: 0000         ADD BYTE PTR DS:[EAX],AL
                00042068: 0000         ADD BYTE PTR DS:[EAX],AL
                0004206A: 0000         ADD BYTE PTR DS:[EAX],AL
                0004206C: 0000         ADD BYTE PTR DS:[EAX],AL
                0004206E: 0000         ADD BYTE PTR DS:[EAX],AL
                  Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00042050
                Cannot read memory @00004840: 8000000D
                  Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00004840
                Disassembly of hooker:
                00040A90: 0000         ADD BYTE PTR DS:[EAX],AL
                00040A92: 0000         ADD BYTE PTR DS:[EAX],AL
                00040A94: 0000         ADD BYTE PTR DS:[EAX],AL
                00040A96: 0000         ADD BYTE PTR DS:[EAX],AL
                00040A98: 0000         ADD BYTE PTR DS:[EAX],AL
                00040A9A: 0000         ADD BYTE PTR DS:[EAX],AL
                00040A9C: 0000         ADD BYTE PTR DS:[EAX],AL
                00040A9E: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AA0: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AA2: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AA4: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AA6: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AA8: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AAA: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AAC: 0000         ADD BYTE PTR DS:[EAX],AL
                00040AAE: 0000         ADD BYTE PTR DS:[EAX],AL
                  log4net.dll :_CorDllMain              --[HOOKED]--  @00040A90
                Disassembly of hooker:
                00066650: 0000         ADD BYTE PTR DS:[EAX],AL
                00066652: 0000         ADD BYTE PTR DS:[EAX],AL
                00066654: 0000         ADD BYTE PTR DS:[EAX],AL
                00066656: 0000         ADD BYTE PTR DS:[EAX],AL
                00066658: 0000         ADD BYTE PTR DS:[EAX],AL
                0006665A: 0000         ADD BYTE PTR DS:[EAX],AL
                0006665C: 0000         ADD BYTE PTR DS:[EAX],AL
                0006665E: 0000         ADD BYTE PTR DS:[EAX],AL
                00066660: 0000         ADD BYTE PTR DS:[EAX],AL
                00066662: 0000         ADD BYTE PTR DS:[EAX],AL
                00066664: 0000         ADD BYTE PTR DS:[EAX],AL
                00066666: 0000         ADD BYTE PTR DS:[EAX],AL
                00066668: 0000         ADD BYTE PTR DS:[EAX],AL
                0006666A: 0000         ADD BYTE PTR DS:[EAX],AL
                0006666C: 0000         ADD BYTE PTR DS:[EAX],AL
                0006666E: 0000         ADD BYTE PTR DS:[EAX],AL
                  Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @00066650
                Cannot read memory @0001D3F0: 8000000D
                  Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @0001D3F0
                Cannot read memory @0001DB80: 8000000D
                  Intuit.Spc.Es_CorDllMain              --[HOOKED]--  @0001DB80
                Disassembly of hooker:
                00071950: 0000         ADD BYTE PTR DS:[EAX],AL
                00071952: 0000         ADD BYTE PTR DS:[EAX],AL
                00071954: 0000         ADD BYTE PTR DS:[EAX],AL
                00071956: 0000         ADD BYTE PTR DS:[EAX],AL
                00071958: 0000         ADD BYTE PTR DS:[EAX],AL
                0007195A: 0000         ADD BYTE PTR DS:[EAX],AL
                0007195C: 0000         ADD BYTE PTR DS:[EAX],AL
                0007195E: 0000         ADD BYTE PTR DS:[EAX],AL
                00071960: 0000         ADD BYTE PTR DS:[EAX],AL
                00071962: 0000         ADD BYTE PTR DS:[EAX],AL
                00071964: 0000         ADD BYTE PTR DS:[EAX],AL
                00071966: 0000         ADD BYTE PTR DS:[EAX],AL
                00071968: 0000         ADD BYTE PTR DS:[EAX],AL
                0007196A: 0000         ADD BYTE PTR DS:[EAX],AL
                0007196C: 0000         ADD BYTE PTR DS:[EAX],AL
                0007196E: 0000         ADD BYTE PTR DS:[EAX],AL
                  Intuit.Spc.Ma_CorDllMain              --[HOOKED]--  @00071950
                Disassembly of hooker:
                00063D24: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D26: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D28: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D2A: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D2C: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D2E: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D30: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D32: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D34: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D36: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D38: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D3A: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D3C: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D3E: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D40: 0000         ADD BYTE PTR DS:[EAX],AL
                00063D42: 0000         ADD BYTE PTR DS:[EAX],AL
                  Intuit.Spc.Ma_CorDllMain              --[HOOKED]--  @00063D24
                KERNEL32.dll        (7C800000 - 7C8F6000)
                ADVAPI32.dll        (77DD0000 - 77E6B000)
                RPCRT4.dll          (77E70000 - 77F02000)
                Secur32.dll         (77FE0000 - 77FF1000)
                SHLWAPI.dll         (77F60000 - 77FD6000)
                GDI32.dll           (77F10000 - 77F59000)
                USER32.dll          (7E410000 - 7E4A1000)
                msvcrt.dll          (77C10000 - 77C68000)
                IMM32.DLL           (76390000 - 763AD000)
                mscorwks.dll        (79E70000 - 7A400000)
                MSVCR80.dll         (78130000 - 781CB000)
                shell32.dll         (7C9C0000 - 7D1D7000)
                comctl32.dll        (773D0000 - 774D3000)
                comctl32.dll        (5D090000 - 5D12A000)
                mscorlib.ni.dll     (790C0000 - 79BB7000)
                ole32.dll           (774E0000 - 7761D000)
                rsaenh.dll          (68000000 - 68036000)
                mscorjit.dll        (79060000 - 790BB000)
                System.ni.dll       (7A440000 - 7ABC5000)
                System.ServiceProcess.ni.dll(67A20000 - 67A57000)
                Intuit.Spc.Esd.WinClient.Application.UpdateService.dll(00A10000 - 00A1A000)
                Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll(00C30000 - 00C38000)
                shfolder.dll        (76780000 - 76789000)
                version.dll         (77C00000 - 77C08000)
                Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll(00E10000 - 00E20000)
                Intuit.Spc.Esd.Client.Common.dll(00E20000 - 00E36000)
                Intuit.Spc.Esd.Core.dll(00E60000 - 00EA0000)
                Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll(00EE0000 - 00EEA000)
                Intuit.Spc.Foundations.Primary.Logging.dll(11000000 - 1100E000)
                Intuit.Spc.Foundations.Portability.dll(00F30000 - 00FA4000)
                Intuit.Spc.Foundations.Primary.ExceptionHandling.dll(00FC0000 - 00FD4000)
                Intuit.Spc.Foundations.Primary.Config.dll(031A0000 - 031B6000)
                System.dll          (03800000 - 03B04000)
                System.Configuration.dll(64890000 - 648FC000)
                System.Xml.dll      (637A0000 - 63998000)
                diasymreader.dll    (5E3A0000 - 5E42D000)
                Intuit.Spc.Esd.WinClient.Api.Net.dll(03BA0000 - 03C08000)
                Intuit.Spc.Esd.Client.DataAccess.dll(03EF0000 - 03F12000)
                Intuit.Spc.Esd.Client.BusinessLogic.dll(03F20000 - 03F44000)
                System.Data.SQLite.dll(10000000 - 100BF000)
                System.Data.dll     (64E70000 - 65144000)
                WS2_32.dll          (71AB0000 - 71AC7000)
                WS2HELP.dll         (71AA0000 - 71AA8000)
                CRYPT32.dll         (77A80000 - 77B15000)
                MSASN1.dll          (77B20000 - 77B32000)
                System.Transactions.dll(67AA0000 - 67AE3000)
                Intuit.Spc.Map.Reporter.dll(04430000 - 044A6000)
                System.EnterpriseServices.dll(673F0000 - 67432000)
                System.EnterpriseServices.Wrapper.dll(04710000 - 04730000)
                OLEAUT32.dll        (77120000 - 771AB000)
                mswsock.dll         (71A50000 - 71A8F000)
                hnetcfg.dll         (662B0000 - 66308000)
                wshtcpip.dll        (71A90000 - 71A98000)
                System.Runtime.Remoting.dll(67770000 - 677BC000)
                System.Windows.Forms.dll(7AFD0000 - 7B49E000)
                System.Drawing.dll  (7ADE0000 - 7AE7C000)
                Intuit.Spc.Map.WindowsFirewallUtilities.dll(05260000 - 05368000)
                CLBCATQ.DLL         (76FD0000 - 7704F000)
                COMRes.dll          (77050000 - 77115000)
                System.ServiceProcess.dll(050D0000 - 050F0000)
                Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll(05390000 - 053A0000)
                Intuit.Spc.Esd.Client.Common.dll(053A0000 - 053B6000)
                Intuit.Spc.Esd.Core.dll(053E0000 - 05428000)
                Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll(05430000 - 0543A000)
                log4net.dll         (054D0000 - 05516000)
                Intuit.Spc.Esd.WinClient.Api.Net.dll(05740000 - 057AC000)
                Intuit.Spc.Esd.Client.DataAccess.dll(05820000 - 05842000)
                Intuit.Spc.Esd.Client.BusinessLogic.dll(05880000 - 058A2000)
                System.Data.SQLite.dll(05AB0000 - 05B86000)
                Intuit.Spc.Map.Reporter.dll(05930000 - 059A6000)
                Intuit.Spc.Map.WindowsFirewallUtilities.dll(05EE0000 - 05F48000)
                msi.dll             (7D1E0000 - 7D49C000)

                PID 1852  - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
                -------------------------------------------------------------------------------
                ntdll.dll           (7C900000 - 7C9B2000)
                kernel32.dll        (7C800000 - 7C8F6000)
                RPCRT4.dll          (77E70000 - 77F02000)
                ADVAPI32.dll        (77DD0000 - 77E6B000)
                Secur32.dll         (77FE0000 - 77FF1000)
                CAServer.dll        (10000000 - 10026000)
                MSVCP71.dll         (7C3A0000 - 7C41B000)
                MSVCR71.dll         (7C340000 - 7C396000)
                USER32.dll          (7E410000 - 7E4A1000)
                GDI32.dll           (77F10000 - 77F59000)
                ole32.dll           (774E0000 - 7761D000)
                msvcrt.dll          (77C10000 - 77C68000)
                SHELL32.dll         (7C9C0000 - 7D1D7000)
                SHLWAPI.dll         (77F60000 - 77FD6000)
                OLEAUT32.dll        (77120000 - 771AB000)
                IMM32.DLL           (76390000 - 763AD000)
                comctl32.dll        (773D0000 - 774D3000)
                comctl32.dll        (5D090000 - 5D12A000)

                PID 1864  - C:\Program Files\Java\jre6\bin\jqs.exe
                -------------------------------------------------------------------------------
                ntdll.dll           (7C900000 - 7C9B2000)
                kernel32.dll        (7C800000 - 7C8F6000)
                WS2_32.dll          (71AB0000 - 71AC7000)
                ADVAPI32.dll        (77DD0000 - 77E6B000)
                RPCRT4.dll          (77E70000 - 77F02000)
                Secur32.dll         (77FE0000 - 77FF1000)
                msvcrt.dll          (77C10000 - 77C68000)
                WS2HELP.dll         (71AA0000 - 71AA8000)
                ole32.dll           (774E0000 - 7761D000)
                GDI32.dll           (77F10000 - 77F59000)
                USER32.dll          (7E410000 - 7E4A1000)
                MSVCR71.dll         (7C340000 - 7C396000)
                IMM32.DLL           (76390000 - 763AD000)
                psapi.dll           (76BF0000 - 76BFB000)
                pdh.dll             (74000000 - 74056000)
                comdlg32.dll        (763B0000 - 763F9000)
                COMCTL32.dll        (5D090000 - 5D12A000)
                SHELL32.dll         (7C9C0000 - 7D1D7000)
                SHLWAPI.dll         (77F60000 - 77FD6000)
                CRYPT32.dll         (77A80000 - 77B15000)
                MSASN1.dll          (77B20000 - 77B32000)
                ODBC32.dll          (74320000 - 7435D000)
                odbcbcp.dll         (711A0000 - 711A6000)
                VERSION.dll         (77C00000 - 77C08000)
                OLEAUT32.dll        (77120000 - 771AB000)
                comctl32.dll        (773D0000 - 774D3000)
                odbcint.dll         (007F0000 - 00807000)
                mswsock.dll         (71A50000 - 71A8F000)
                hnetcfg.dll         (662B0000 - 66308000)
                wshtcpip.dll        (71A90000 - 71A98000)
                perfos.dll          (5E760000 - 5E76A000)
                perfdisk.dll        (5E790000 - 5E799000)

                PID 1892  - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
                -------------------------------------------------------------------------------
                ntdll.dll           (7C900000 - 7C9B2000)
                kernel32.dll        (7C800000 - 7C8F6000)
                  CRYPT32.dll :LoadLibraryA             --[HOOKED]--  @00407740 by C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                Information about C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe:
                Base address:   00400000
                Size:      00026000
                Flags:      00005000
                Load count:   65535
                Name:      SYSCORE
                Prod. Version:   (null)
                Company:   McAfee, Inc.
                File Version:   SYSCORE.14.2.0.866.x86
                Description:   McAfee Process Validation Service
                Location:   C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
                Signed:      YES
                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                PSAPI.DLL           (76BF0000 - 76BFB000)
                ADVAPI32.dll        (77DD0000 - 77E6B000)
                  CRYPT32.dll :RegQueryValueExW         --[HOOKED]--  @004076E0 by C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                Information about C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe:
                Base address:   00400000
                Size:      00026000
                Flags:      00005000
                Load count:   65535
                Name:      SYSCORE
                Prod. Version:   (null)
                Company:   McAfee, Inc.
                File Version:   SYSCORE.14.2.0.866.x86
                Description:   McAfee Process Validation Service
                Location:   C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
                Signed:      YES
                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                RPCRT4.dll          (77E70000 - 77F02000)
                Secur32.dll         (77FE0000 - 77FF1000)
                sfc.dll             (76BB0000 - 76BB5000)
                sfc_os.dll          (76C60000 - 76C8A000)
                USER32.dll          (7E410000 - 7E4A1000)
                GDI32.dll           (77F10000 - 77F59000)
                WINTRUST.dll        (76C30000 - 76C5E000)
                CRYPT32.dll         (77A80000 - 77B15000)
                MSASN1.dll          (77B20000 - 77B32000)
                msvcrt.dll          (77C10000 - 77C68000)
                IMAGEHLP.dll        (76C90000 - 76CB8000)
                ole32.dll           (774E0000 - 7761D000)
                IMM32.DLL           (76390000 - 763AD000)
                rsaenh.dll          (68000000 - 68036000)
                xpsp2res.dll        (00E20000 - 010E5000)
                userenv.dll         (769C0000 - 76A74000)
                VERSION.dll         (77C00000 - 77C08000)
                netapi32.dll        (5B860000 - 5B8B5000)

                PID 1916  - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
                -------------------------------------------------------------------------------
                ntdll.dll           (7C900000 - 7C9B2000)
                The code of NtCreateFile at 7C90D0AE (0) got patched. Here is the diff:
                Address   New-Original
                7C90D0AE: E9 - B8 
                7C90D0AF: 4D - 25 
                7C90D0B0: 2F - 00 
                7C90D0B1: B5 - 00 
                7C90D0B2: 94 - 00 
                --> JMP DWORD PTR DS:[11460000]
                Disassembly old code:
                7C90D0AE: B8 25000000  MOV EAX, 00000025

                Disassembly new code:
                7C90D0AE: E9 4D2FB594  JMP 11460000
                Disassembly of hooker:
                11460000: 68 25B8E9C4  PUSH C4E9B825
                11460005: E8 B4DF4A6B  CALL 7C90DFBE
                1146000A: 58           POP EAX
                1146000B: C2 2C00      RET 002C
                1146000E: C3           RET ; Pop IP
                1146000F: 1800         SBB BYTE PTR DS:[EAX],AL
                11460011: B8 89000000  MOV EAX, 00000089
                11460016: E9 D8D64A6B  JMP 7C90D6F3
                1146001B: 68 25B8E9C4  PUSH C4E9B825
                Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                Base address:   7C900000
                Size:      000B2000
                Flags:      80084004
                Load count:   65535
                Name:      Microsoft® Windows® Operating System
                Prod. Version:   5.1.2600.5755
                Company:   Microsoft Corporation
                File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                Description:   NT Layer DLL
                Location:   C:\WINDOWS\system32\ntdll.dll
                Signed:      > NO! <
                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                The code of NtCreateProcess at 7C90D14E (0) got patched. Here is the diff:
                Address   New-Original
                7C90D14E: E9 - B8 
                7C90D14F: C8 - 2F 
                7C90D150: 2E - 00 
                7C90D151: B5 - 00 
                7C90D152: 94 - 00 
                --> JMP DWORD PTR DS:[1146001B]
                Disassembly old code:
                7C90D14E: B8 2F000000  MOV EAX, 0000002F

                Disassembly new code:
                7C90D14E: E9 C82EB594  JMP 1146001B
                Disassembly of hooker:
                1146001B: 68 25B8E9C4  PUSH C4E9B825
                11460020: E8 99DF4A6B  CALL 7C90DFBE
                11460025: 58           POP EAX
                11460026: C2 2000      RET 0020
                11460029: C3           RET ; Pop IP
                1146002A: 1A00         SBB AL,BYTE PTR DS:[EAX]
                1146002C: B8 2F000000  MOV EAX, 0000002F
                11460031: E9 1DD14A6B  JMP 7C90D153
                11460036: 0000         ADD BYTE PTR DS:[EAX],AL
                11460038: 0000         ADD BYTE PTR DS:[EAX],AL
                1146003A: 0000         ADD BYTE PTR DS:[EAX],AL
                Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                Base address:   7C900000
                Size:      000B2000
                Flags:      80084004
                Load count:   65535
                Name:      Microsoft® Windows® Operating System
                Prod. Version:   5.1.2600.5755
                Company:   Microsoft Corporation
                File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                Description:   NT Layer DLL
                Location:   C:\WINDOWS\system32\ntdll.dll
                Signed:      > NO! <
                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                The code of NtProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
                Address   New-Original
                7C90D6EE: E9 - B8 
                7C90D6EF: F2 - 89 
                7C90D6F0: 38 - 00 
                7C90D6F1: B5 - 00 
                7C90D6F2: 94 - 00 
                --> JMP DWORD PTR DS:[11460FE5]
                Disassembly old code:
                7C90D6EE: B8 89000000  MOV EAX, 00000089

                Disassembly new code:
                7C90D6EE: E9 F238B594  JMP 11460FE5
                Disassembly of hooker:
                11460FE5: 68 25B8E9C4  PUSH C4E9B825
                11460FEA: E8 CFCF4A6B  CALL 7C90DFBE
                11460FEF: 58           POP EAX
                11460FF0: C2 1400      RET 0014
                11460FF3: C3           RET ; Pop IP
                11460FF4: 1900         SBB DWORD PTR DS:[EAX],EAX
                11460FF6: 0000         ADD BYTE PTR DS:[EAX],AL
                11460FF8: 0000         ADD BYTE PTR DS:[EAX],AL
                11460FFA: 0000         ADD BYTE PTR DS:[EAX],AL
                11460FFC: 0000         ADD BYTE PTR DS:[EAX],AL
                11460FFE: 0000         ADD BYTE PTR DS:[EAX],AL
                11461000: 0000         ADD BYTE PTR DS:[EAX],AL
                11461002: 0000         ADD BYTE PTR DS:[EAX],AL
                11461004: 0000         ADD BYTE PTR DS:[EAX],AL
                Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                Base address:   7C900000
                Size:      000B2000
                Flags:      80084004
                Load count:   65535
                Name:      Microsoft® Windows® Operating System
                Prod. Version:   5.1.2600.5755
                Company:   Microsoft Corporation
                File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                Description:   NT Layer DLL
                Location:   C:\WINDOWS\system32\ntdll.dll
                Signed:      > NO! <
                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                The code of ZwCreateFile at 7C90D0AE (0) got patched. Here is the diff:
                Address   New-Original
                7C90D0AE: E9 - B8 
                7C90D0AF: 4D - 25 
                7C90D0B0: 2F - 00 
                7C90D0B1: B5 - 00 
                7C90D0B2: 94 - 00 
                --> JMP DWORD PTR DS:[11460000]
                Disassembly old code:
                7C90D0AE: B8 25000000  MOV EAX, 00000025

                Disassembly new code:
                7C90D0AE: E9 4D2FB594  JMP 11460000
                Disassembly of hooker:
                11460000: 68 25B8E9C4  PUSH C4E9B825
                11460005: E8 B4DF4A6B  CALL 7C90DFBE
                1146000A: 58           POP EAX
                1146000B: C2 2C00      RET 002C
                1146000E: C3           RET ; Pop IP
                1146000F: 1800         SBB BYTE PTR DS:[EAX],AL
                11460011: B8 89000000  MOV EAX, 00000089
                11460016: E9 D8D64A6B  JMP 7C90D6F3
                1146001B: 68 25B8E9C4  PUSH C4E9B825
                Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                Base address:   7C900000
                Size:      000B2000
                Flags:      80084004
                Load count:   65535
                Name:      Microsoft® Windows® Operating System
                Prod. Version:   5.1.2600.5755
                Company:   Microsoft Corporation
                File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                Description:   NT Layer DLL
                Location:   C:\WINDOWS\system32\ntdll.dll
                Signed:      > NO! <
                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                The code of ZwCreateProcess at 7C90D14E (0) got patched. Here is the diff:
                Address   New-Original
                7C90D14E: E9 - B8 
                7C90D14F: C8 - 2F 
                7C90D150: 2E - 00 
                7C90D151: B5 - 00 
                7C90D152: 94 - 00 
                --> JMP DWORD PTR DS:[1146001B]
                Disassembly old code:
                7C90D14E: B8 2F000000  MOV EAX, 0000002F

                Disassembly new code:
                7C90D14E: E9 C82EB594  JMP 1146001B
                Disassembly of hooker:
                1146001B: 68 25B8E9C4  PUSH C4E9B825
                11460020: E8 99DF4A6B  CALL 7C90DFBE
                11460025: 58           POP EAX
                11460026: C2 2000      RET 0020
                11460029: C3           RET ; Pop IP
                1146002A: 1A00         SBB AL,BYTE PTR DS:[EAX]
                1146002C: B8 2F000000  MOV EAX, 0000002F
                11460031: E9 1DD14A6B  JMP 7C90D153
                11460036: 0000         ADD BYTE PTR DS:[EAX],AL
                11460038: 0000         ADD BYTE PTR DS:[EAX],AL
                1146003A: 0000         ADD BYTE PTR DS:[EAX],AL
                Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                Base address:   7C900000
                Size:      000B2000
                Flags:      80084004
                Load count:   65535
                Name:      Microsoft® Windows® Operating System
                Prod. Version:   5.1.2600.5755
                Company:   Microsoft Corporation
                File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                Description:   NT Layer DLL
                Location:   C:\WINDOWS\system32\ntdll.dll
                Signed:      > NO! <
                :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

                Xerinous

                  Topic Starter


                  Beginner

                  Re: Can't run programs or connect to internet
                  « Reply #82 on: August 08, 2010, 09:36:09 PM »

                  The code of ZwProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
                  Address   New-Original
                  7C90D6EE: E9 - B8 
                  7C90D6EF: F2 - 89 
                  7C90D6F0: 38 - 00 
                  7C90D6F1: B5 - 00 
                  7C90D6F2: 94 - 00 
                  --> JMP DWORD PTR DS:[11460FE5]
                  Disassembly old code:
                  7C90D6EE: B8 89000000  MOV EAX, 00000089

                  Disassembly new code:
                  7C90D6EE: E9 F238B594  JMP 11460FE5
                  Disassembly of hooker:
                  11460FE5: 68 25B8E9C4  PUSH C4E9B825
                  11460FEA: E8 CFCF4A6B  CALL 7C90DFBE
                  11460FEF: 58           POP EAX
                  11460FF0: C2 1400      RET 0014
                  11460FF3: C3           RET ; Pop IP
                  11460FF4: 1900         SBB DWORD PTR DS:[EAX],EAX
                  11460FF6: 0000         ADD BYTE PTR DS:[EAX],AL
                  11460FF8: 0000         ADD BYTE PTR DS:[EAX],AL
                  11460FFA: 0000         ADD BYTE PTR DS:[EAX],AL
                  11460FFC: 0000         ADD BYTE PTR DS:[EAX],AL
                  11460FFE: 0000         ADD BYTE PTR DS:[EAX],AL
                  11461000: 0000         ADD BYTE PTR DS:[EAX],AL
                  11461002: 0000         ADD BYTE PTR DS:[EAX],AL
                  11461004: 0000         ADD BYTE PTR DS:[EAX],AL
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  kernel32.dll        (7C800000 - 7C8F6000)
                  The code of CreateFileA at 7C801A28 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801A28: E9 - 8B 
                  7C801A29: B8 - FF 
                  7C801A2A: F5 - 55 
                  7C801A2B: 5B - 8B 
                  7C801A2C: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0FE5]
                  Disassembly old code:
                  7C801A28: 8BFF         MOV EDI, EDI
                  7C801A2A: 55           PUSH EBP
                  7C801A2B: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C801A28: E9 B8F55B84  JMP 00DC0FE5
                  Disassembly of hooker:
                  00DC0FE5: 68 25B8E9C4  PUSH C4E9B825
                  00DC0FEA: E8 CFCFB47B  CALL 7C90DFBE
                  00DC0FEF: 58           POP EAX
                  00DC0FF0: C2 1C00      RET 001C
                  00DC0FF3: C3           RET ; Pop IP
                  00DC0FF4: 07           POP ES ; Pop top stack to ES
                  00DC0FF5: 0000         ADD BYTE PTR DS:[EAX],AL
                  00DC0FF7: 0000         ADD BYTE PTR DS:[EAX],AL
                  00DC0FF9: 0000         ADD BYTE PTR DS:[EAX],AL
                  00DC0FFB: 0000         ADD BYTE PTR DS:[EAX],AL
                  00DC0FFD: 0000         ADD BYTE PTR DS:[EAX],AL
                  00DC0FFF: 0000         ADD BYTE PTR DS:[EAX],AL
                  00DC1001: 0000         ADD BYTE PTR DS:[EAX],AL
                  00DC1003: 0000         ADD BYTE PTR DS:[EAX],AL
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of CreateFileW at 7C810800 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C810800: E9 - 8B 
                  7C810801: CF - FF 
                  7C810802: 07 - 55 
                  7C810803: 5B - 8B 
                  7C810804: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0FD4]
                  Disassembly old code:
                  7C810800: 8BFF         MOV EDI, EDI
                  7C810802: 55           PUSH EBP
                  7C810803: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C810800: E9 CF075B84  JMP 00DC0FD4
                  Disassembly of hooker:
                  00DC0FD4: 68 25B8E9C4  PUSH C4E9B825
                  00DC0FD9: E8 E0CFB47B  CALL 7C90DFBE
                  00DC0FDE: 58           POP EAX
                  00DC0FDF: C2 1C00      RET 001C
                  00DC0FE2: C3           RET ; Pop IP
                  00DC0FE3: 0800         OR BYTE PTR DS:[EAX],AL
                  00DC0FE5: 68 25B8E9C4  PUSH C4E9B825
                  00DC0FEA: E8 CFCFB47B  CALL 7C90DFBE
                  00DC0FEF: 58           POP EAX
                  00DC0FF0: C2 1C00      RET 001C
                  00DC0FF3: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of CreateNamedPipeA at 7C860CDC (0) got patched. Here is the diff:
                  Address   New-Original
                  7C860CDC: E9 - 8B 
                  7C860CDD: E2 - FF 
                  7C860CDE: 02 - 55 
                  7C860CDF: 56 - 8B 
                  7C860CE0: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0FC3]
                  Disassembly old code:
                  7C860CDC: 8BFF         MOV EDI, EDI
                  7C860CDE: 55           PUSH EBP
                  7C860CDF: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C860CDC: E9 E2025684  JMP 00DC0FC3
                  Disassembly of hooker:
                  00DC0FC3: 68 25B8E9C4  PUSH C4E9B825
                  00DC0FC8: E8 F1CFB47B  CALL 7C90DFBE
                  00DC0FCD: 58           POP EAX
                  00DC0FCE: C2 2000      RET 0020
                  00DC0FD1: C3           RET ; Pop IP
                  00DC0FD2: 0900         OR DWORD PTR DS:[EAX],EAX
                  00DC0FD4: 68 25B8E9C4  PUSH C4E9B825
                  00DC0FD9: E8 E0CFB47B  CALL 7C90DFBE
                  00DC0FDE: 58           POP EAX
                  00DC0FDF: C2 1C00      RET 001C
                  00DC0FE2: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of CreateNamedPipeW at 7C82F0DD (0) got patched. Here is the diff:
                  Address   New-Original
                  7C82F0DD: E9 - 8B 
                  7C82F0DE: C6 - FF 
                  7C82F0DF: 1E - 55 
                  7C82F0E0: 59 - 8B 
                  7C82F0E1: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0FA8]
                  Disassembly old code:
                  7C82F0DD: 8BFF         MOV EDI, EDI
                  7C82F0DF: 55           PUSH EBP
                  7C82F0E0: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C82F0DD: E9 C61E5984  JMP 00DC0FA8
                  Disassembly of hooker:
                  00DC0FA8: 68 25B8E9C4  PUSH C4E9B825
                  00DC0FAD: E8 0CD0B47B  CALL 7C90DFBE
                  00DC0FB2: 58           POP EAX
                  00DC0FB3: C2 2000      RET 0020
                  00DC0FB6: C3           RET ; Pop IP
                  00DC0FB7: 0A00         OR AL,BYTE PTR DS:[EAX]
                  00DC0FB9: 8BFF         MOV EDI, EDI
                  00DC0FBB: 55           PUSH EBP
                  00DC0FBC: 8BEC         MOV EBP, ESP
                  00DC0FBE: E9 1EFDA97B  JMP 7C860CE1
                  00DC0FC3: 68 25B8E9C4  PUSH C4E9B825
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of CreatePipe at 7C81D83F (0) got patched. Here is the diff:
                  Address   New-Original
                  7C81D83F: E9 - 8B 
                  7C81D840: F1 - FF 
                  7C81D841: 36 - 55 
                  7C81D842: 5A - 8B 
                  7C81D843: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0F35]
                  Disassembly old code:
                  7C81D83F: 8BFF         MOV EDI, EDI
                  7C81D841: 55           PUSH EBP
                  7C81D842: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C81D83F: E9 F1365A84  JMP 00DC0F35
                  Disassembly of hooker:
                  00DC0F35: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F3A: E8 7FD0B47B  CALL 7C90DFBE
                  00DC0F3F: 58           POP EAX
                  00DC0F40: C2 1000      RET 0010
                  00DC0F43: C3           RET ; Pop IP
                  00DC0F44: 1100         ADC DWORD PTR DS:[EAX],EAX
                  00DC0F46: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F4B: E8 6ED0B47B  CALL 7C90DFBE
                  00DC0F50: 58           POP EAX
                  00DC0F51: C2 1400      RET 0014
                  00DC0F54: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
                  Address   New-Original
                  7C80236B: E9 - 8B 
                  7C80236C: 99 - FF 
                  7C80236D: EB - 55 
                  7C80236E: 5B - 8B 
                  7C80236F: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0F09]
                  Disassembly old code:
                  7C80236B: 8BFF         MOV EDI, EDI
                  7C80236D: 55           PUSH EBP
                  7C80236E: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C80236B: E9 99EB5B84  JMP 00DC0F09
                  Disassembly of hooker:
                  00DC0F09: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F0E: E8 ABD0B47B  CALL 7C90DFBE
                  00DC0F13: 58           POP EAX
                  00DC0F14: C2 2800      RET 0028
                  00DC0F17: C3           RET ; Pop IP
                  00DC0F18: 15 008BFF55  ADC EAX, 55FF8B00
                  00DC0F1D: 8BEC         MOV EBP, ESP
                  00DC0F1F: E9 EE15AA7B  JMP 7C862512
                  00DC0F24: 68 25B8E9C4  PUSH C4E9B825
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C802336: E9 - 8B 
                  7C802337: B3 - FF 
                  7C802338: EB - 55 
                  7C802339: 5B - 8B 
                  7C80233A: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0EEE]
                  Disassembly old code:
                  7C802336: 8BFF         MOV EDI, EDI
                  7C802338: 55           PUSH EBP
                  7C802339: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C802336: E9 B3EB5B84  JMP 00DC0EEE
                  Disassembly of hooker:
                  00DC0EEE: 68 25B8E9C4  PUSH C4E9B825
                  00DC0EF3: E8 C6D0B47B  CALL 7C90DFBE
                  00DC0EF8: 58           POP EAX
                  00DC0EF9: C2 2800      RET 0028
                  00DC0EFC: C3           RET ; Pop IP
                  00DC0EFD: 16           PUSH SS ; Push SS register to the stack
                  00DC0EFE: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
                  00DC0F04: E9 3214A47B  JMP 7C80233B
                  00DC0F09: 68 25B8E9C4  PUSH C4E9B825
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of GetProcAddress at 7C80AE40 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C80AE40: E9 - 8B 
                  7C80AE41: 98 - FF 
                  7C80AE42: 60 - 55 
                  7C80AE43: 5B - 8B 
                  7C80AE44: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0EDD]
                  Disassembly old code:
                  7C80AE40: 8BFF         MOV EDI, EDI
                  7C80AE42: 55           PUSH EBP
                  7C80AE43: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C80AE40: E9 98605B84  JMP 00DC0EDD
                  Disassembly of hooker:
                  00DC0EDD: 68 25B8E9C4  PUSH C4E9B825
                  00DC0EE2: E8 D7D0B47B  CALL 7C90DFBE
                  00DC0EE7: 58           POP EAX
                  00DC0EE8: C2 0800      RET 0008
                  00DC0EEB: C3           RET ; Pop IP
                  00DC0EEC: 17           POP SS ; Pop top stack to SS
                  00DC0EED: 006825       ADD BYTE PTR DS:[EAX+25H],CH
                  00DC0EF0: B8 E9C4E8C6  MOV EAX, C6E8C4E9
                  00DC0EF5: D0 B47B 58C22800 SAL BYTE PTR DS:[EDI*2+EBX+0028C258H],1
                  00DC0EFC: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of GetStartupInfoA at 7C801EF2 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801EF2: E9 - 6A 
                  7C801EF3: 75 - 18 
                  7C801EF4: E1 - 68 
                  --> JMP DWORD PTR DS:[00DC006C]
                  Disassembly old code:
                  7C801EF2: 6A18         PUSH 18

                  Disassembly new code:
                  7C801EF2: E9 75E15B84  JMP 00DC006C
                  Disassembly of hooker:
                  00DC006C: 68 25B8E9C4  PUSH C4E9B825
                  00DC0071: E8 48DFB47B  CALL 7C90DFBE
                  00DC0076: 58           POP EAX
                  00DC0077: C2 0400      RET 0004
                  00DC007A: C3           RET ; Pop IP
                  00DC007B: 1200         ADC AL,BYTE PTR DS:[EAX]
                  00DC007D: 68 25B8E9C4  PUSH C4E9B825
                  00DC0082: E8 37DFB47B  CALL 7C90DFBE
                  00DC0087: 58           POP EAX
                  00DC0088: C2 0400      RET 0004
                  00DC008B: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of GetStartupInfoW at 7C801E54 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801E54: E9 - 8B 
                  7C801E55: 24 - FF 
                  7C801E56: E2 - 55 
                  7C801E57: 5B - 8B 
                  7C801E58: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC007D]
                  Disassembly old code:
                  7C801E54: 8BFF         MOV EDI, EDI
                  7C801E56: 55           PUSH EBP
                  7C801E57: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C801E54: E9 24E25B84  JMP 00DC007D
                  Disassembly of hooker:
                  00DC007D: 68 25B8E9C4  PUSH C4E9B825
                  00DC0082: E8 37DFB47B  CALL 7C90DFBE
                  00DC0087: 58           POP EAX
                  00DC0088: C2 0400      RET 0004
                  00DC008B: C3           RET ; Pop IP
                  00DC008C: 1300         ADC EAX,DWORD PTR DS:[EAX]
                  00DC008E: 8BFF         MOV EDI, EDI
                  00DC0090: 55           PUSH EBP
                  00DC0091: 8BEC         MOV EBP, ESP
                  00DC0093: E9 C11DA47B  JMP 7C801E59
                  00DC0098: 8BFF         MOV EDI, EDI
                  00DC009A: 55           PUSH EBP
                  00DC009B: 8BEC         MOV EBP, ESP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of LoadLibraryA at 7C801D7B (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801D7B: E9 - 8B 
                  7C801D7C: 17 - FF 
                  7C801D7D: F2 - 55 
                  7C801D7E: 5B - 8B 
                  7C801D7F: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0F97]
                  Disassembly old code:
                  7C801D7B: 8BFF         MOV EDI, EDI
                  7C801D7D: 55           PUSH EBP
                  7C801D7E: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C801D7B: E9 17F25B84  JMP 00DC0F97
                  Disassembly of hooker:
                  00DC0F97: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F9C: E8 1DD0B47B  CALL 7C90DFBE
                  00DC0FA1: 58           POP EAX
                  00DC0FA2: C2 0400      RET 0004
                  00DC0FA5: C3           RET ; Pop IP
                  00DC0FA6: 0B00         OR EAX,DWORD PTR DS:[EAX]
                  00DC0FA8: 68 25B8E9C4  PUSH C4E9B825
                  00DC0FAD: E8 0CD0B47B  CALL 7C90DFBE
                  00DC0FB2: 58           POP EAX
                  00DC0FB3: C2 2000      RET 0020
                  00DC0FB6: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of LoadLibraryExA at 7C801D53 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801D53: E9 - 8B 
                  7C801D54: C6 - FF 
                  7C801D55: E2 - 55 
                  7C801D56: 5B - 8B 
                  7C801D57: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC001E]
                  Disassembly old code:
                  7C801D53: 8BFF         MOV EDI, EDI
                  7C801D55: 55           PUSH EBP
                  7C801D56: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C801D53: E9 C6E25B84  JMP 00DC001E
                  Disassembly of hooker:
                  00DC001E: 68 25B8E9C4  PUSH C4E9B825
                  00DC0023: E8 96DFB47B  CALL 7C90DFBE
                  00DC0028: 58           POP EAX
                  00DC0029: C2 0C00      RET 000C
                  00DC002C: C3           RET ; Pop IP
                  00DC002D: 0D 006825B8  OR EAX, B8256800
                  00DC0032: E9 C4E885DF  JMP E061E8FB
                  00DC0037: B47B         MOV AH, 7B
                  00DC0039: 58           POP EAX
                  00DC003A: C2 0C00      RET 000C
                  00DC003D: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of LoadLibraryExW at 7C801AF5 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801AF5: E9 - 6A 
                  7C801AF6: 35 - 34 
                  7C801AF7: E5 - 68 
                  --> JMP DWORD PTR DS:[00DC002F]
                  Disassembly old code:
                  7C801AF5: 6A34         PUSH 34

                  Disassembly new code:
                  7C801AF5: E9 35E55B84  JMP 00DC002F
                  Disassembly of hooker:
                  00DC002F: 68 25B8E9C4  PUSH C4E9B825
                  00DC0034: E8 85DFB47B  CALL 7C90DFBE
                  00DC0039: 58           POP EAX
                  00DC003A: C2 0C00      RET 000C
                  00DC003D: C3           RET ; Pop IP
                  00DC003E: 0E           PUSH CS ; Push CS register to the stack
                  00DC003F: 006A34       ADD BYTE PTR DS:[EDX+34H],CH
                  00DC0042: 68 F8E0807C  PUSH 7C80E0F8
                  00DC0047: E9 B01AA47B  JMP 7C801AFC
                  00DC004C: 8BFF         MOV EDI, EDI
                  00DC004E: 55           PUSH EBP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of LoadLibraryW at 7C80AEEB (0) got patched. Here is the diff:
                  Address   New-Original
                  7C80AEEB: E9 - 8B 
                  7C80AEEC: 96 - FF 
                  7C80AEED: 60 - 55 
                  7C80AEEE: 5B - 8B 
                  7C80AEEF: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0F86]
                  Disassembly old code:
                  7C80AEEB: 8BFF         MOV EDI, EDI
                  7C80AEED: 55           PUSH EBP
                  7C80AEEE: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C80AEEB: E9 96605B84  JMP 00DC0F86
                  Disassembly of hooker:
                  00DC0F86: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F8B: E8 2ED0B47B  CALL 7C90DFBE
                  00DC0F90: 58           POP EAX
                  00DC0F91: C2 0400      RET 0004
                  00DC0F94: C3           RET ; Pop IP
                  00DC0F95: 0C00         OR AL, 00
                  00DC0F97: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F9C: E8 1DD0B47B  CALL 7C90DFBE
                  00DC0FA1: 58           POP EAX
                  00DC0FA2: C2 0400      RET 0004
                  00DC0FA5: C3           RET ; Pop IP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of VirtualProtect at 7C801AD4 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801AD4: E9 - 8B 
                  7C801AD5: 88 - FF 
                  7C801AD6: F4 - 55 
                  7C801AD7: 5B - 8B 
                  7C801AD8: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0F61]
                  Disassembly old code:
                  7C801AD4: 8BFF         MOV EDI, EDI
                  7C801AD6: 55           PUSH EBP
                  7C801AD7: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C801AD4: E9 88F45B84  JMP 00DC0F61
                  Disassembly of hooker:
                  00DC0F61: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F66: E8 53D0B47B  CALL 7C90DFBE
                  00DC0F6B: 58           POP EAX
                  00DC0F6C: C2 1000      RET 0010
                  00DC0F6F: C3           RET ; Pop IP
                  00DC0F70: 0F008B FF558BEC STR WORD PTR DS:[EBX+EC8B55FF]
                  00DC0F77: E9 DC0DA47B  JMP 7C801D58
                  00DC0F7C: 8BFF         MOV EDI, EDI
                  00DC0F7E: 55           PUSH EBP
                  00DC0F7F: 8BEC         MOV EBP, ESP
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                  Base address:   7C900000
                  Size:      000B2000
                  Flags:      80084004
                  Load count:   65535
                  Name:      Microsoft® Windows® Operating System
                  Prod. Version:   5.1.2600.5755
                  Company:   Microsoft Corporation
                  File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                  Description:   NT Layer DLL
                  Location:   C:\WINDOWS\system32\ntdll.dll
                  Signed:      > NO! <
                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                  The code of VirtualProtectEx at 7C801A61 (0) got patched. Here is the diff:
                  Address   New-Original
                  7C801A61: E9 - 8B 
                  7C801A62: E0 - FF 
                  7C801A63: F4 - 55 
                  7C801A64: 5B - 8B 
                  7C801A65: 84 - EC 
                  --> JMP DWORD PTR DS:[00DC0F46]
                  Disassembly old code:
                  7C801A61: 8BFF         MOV EDI, EDI
                  7C801A63: 55           PUSH EBP
                  7C801A64: 8BEC         MOV EBP, ESP

                  Disassembly new code:
                  7C801A61: E9 E0F45B84  JMP 00DC0F46
                  Disassembly of hooker:
                  00DC0F46: 68 25B8E9C4  PUSH C4E9B825
                  00DC0F4B: E8 6ED0B47B  CALL 7C90DFBE
                  00DC0F50: 58           POP EAX
                  00DC0F51: C2 1400      RET 0014
                  00DC0F54: C3           RET ; Pop IP
                  00DC0F55: 1000         ADC BYTE PTR DS:[EAX],AL
                  00DC0F57: 8BFF         MOV EDI, EDI
                  00DC0F59: 55           PUSH EBP
                  00DC0F5A: 8BEC         MOV EBP, ESP
                  00DC0F5C: E9 050BA47B  JMP 7C801A66
                  00DC0F61: 68 25B8E9C4  PUSH C4E9B825
                  Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

                    Xerinous
                      Topic Starter
                      Beginner

                      Re: Can't run programs or connect to internet
                      « Reply #83 on: August 08, 2010, 09:36:51 PM »

                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of WinExec at 7C86250D (0) got patched. Here is the diff:
                    Address   New-Original
                    7C86250D: E9 - 8B 
                    7C86250E: 12 - FF 
                    7C86250F: EA - 55 
                    7C862510: 55 - 8B 
                    7C862511: 84 - EC 
                    --> JMP DWORD PTR DS:[00DC0F24]
                    Disassembly old code:
                    7C86250D: 8BFF         MOV EDI, EDI
                    7C86250F: 55           PUSH EBP
                    7C862510: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    7C86250D: E9 12EA5584  JMP 00DC0F24
                    Disassembly of hooker:
                    00DC0F24: 68 25B8E9C4  PUSH C4E9B825
                    00DC0F29: E8 90D0B47B  CALL 7C90DFBE
                    00DC0F2E: 58           POP EAX
                    00DC0F2F: C2 0800      RET 0008
                    00DC0F32: C3           RET ; Pop IP
                    00DC0F33: 1400         ADC AL, 00
                    00DC0F35: 68 25B8E9C4  PUSH C4E9B825
                    00DC0F3A: E8 7FD0B47B  CALL 7C90DFBE
                    00DC0F3F: 58           POP EAX
                    00DC0F40: C2 1000      RET 0010
                    00DC0F43: C3           RET ; Pop IP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    ADVAPI32.DLL        (77DD0000 - 77E6B000)
                    The code of RegCreateKeyA at 77DFBCF3 (0) got patched. Here is the diff:
                    Address   New-Original
                    77DFBCF3: E9 - 8B 
                    77DFBCF4: AD - FF 
                    77DFBCF5: 52 - 55 
                    77DFBCF6: FB - 8B 
                    77DFBCF7: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB0FA5]
                    Disassembly old code:
                    77DFBCF3: 8BFF         MOV EDI, EDI
                    77DFBCF5: 55           PUSH EBP
                    77DFBCF6: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DFBCF3: E9 AD52FB88  JMP 00DB0FA5
                    Disassembly of hooker:
                    00DB0FA5: 68 25B8E9C4  PUSH C4E9B825
                    00DB0FAA: E8 0FD0B57B  CALL 7C90DFBE
                    00DB0FAF: 58           POP EAX
                    00DB0FB0: C2 0C00      RET 000C
                    00DB0FB3: C3           RET ; Pop IP
                    00DB0FB4: 05 008BFF55  ADD EAX, 55FF8B00
                    00DB0FB9: 8BEC         MOV EBP, ESP
                    00DB0FBB: E9 38AD0477  JMP 77DFBCF8
                    00DB0FC0: 8BFF         MOV EDI, EDI
                    00DB0FC2: 55           PUSH EBP
                    00DB0FC3: 8BEC         MOV EBP, ESP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of RegCreateKeyExA at 77DDE9F4 (0) got patched. Here is the diff:
                    Address   New-Original
                    77DDE9F4: E9 - 8B 
                    77DDE9F5: 87 - FF 
                    77DDE9F6: 25 - 55 
                    77DDE9F7: FD - 8B 
                    77DDE9F8: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB0F80]
                    Disassembly old code:
                    77DDE9F4: 8BFF         MOV EDI, EDI
                    77DDE9F6: 55           PUSH EBP
                    77DDE9F7: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DDE9F4: E9 8725FD88  JMP 00DB0F80
                    Disassembly of hooker:
                    00DB0F80: 68 25B8E9C4  PUSH C4E9B825
                    00DB0F85: E8 34D0B57B  CALL 7C90DFBE
                    00DB0F8A: 58           POP EAX
                    00DB0F8B: C2 2400      RET 0024
                    00DB0F8E: C3           RET ; Pop IP
                    00DB0F8F: 2200         AND AL,BYTE PTR DS:[EAX]
                    00DB0F91: 8BFF         MOV EDI, EDI
                    00DB0F93: 55           PUSH EBP
                    00DB0F94: 8BEC         MOV EBP, ESP
                    00DB0F96: E9 5EDA0277  JMP 77DDE9F9
                    00DB0F9B: 8BFF         MOV EDI, EDI
                    00DB0F9D: 55           PUSH EBP
                    00DB0F9E: 8BEC         MOV EBP, ESP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of RegCreateKeyExW at 77DD776C (0) got patched. Here is the diff:
                    Address   New-Original
                    77DD776C: E9 - 8B 
                    77DD776D: F4 - FF 
                    77DD776E: 97 - 55 
                    77DD776F: FD - 8B 
                    77DD7770: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB0F65]
                    Disassembly old code:
                    77DD776C: 8BFF         MOV EDI, EDI
                    77DD776E: 55           PUSH EBP
                    77DD776F: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DD776C: E9 F497FD88  JMP 00DB0F65
                    Disassembly of hooker:
                    00DB0F65: 68 25B8E9C4  PUSH C4E9B825
                    00DB0F6A: E8 4FD0B57B  CALL 7C90DFBE
                    00DB0F6F: 58           POP EAX
                    00DB0F70: C2 2400      RET 0024
                    00DB0F73: C3           RET ; Pop IP
                    00DB0F74: 2300         AND EAX,DWORD PTR DS:[EAX]
                    00DB0F76: 8BFF         MOV EDI, EDI
                    00DB0F78: 55           PUSH EBP
                    00DB0F79: 8BEC         MOV EBP, ESP
                    00DB0F7B: E9 F1670277  JMP 77DD7771
                    00DB0F80: 68 25B8E9C4  PUSH C4E9B825
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of RegCreateKeyW at 77DFBA55 (0) got patched. Here is the diff:
                    Address   New-Original
                    77DFBA55: E9 - 8B 
                    77DFBA56: D2 - FF 
                    77DFBA57: 45 - 55 
                    77DFBA58: FB - 8B 
                    77DFBA59: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB002C]
                    Disassembly old code:
                    77DFBA55: 8BFF         MOV EDI, EDI
                    77DFBA57: 55           PUSH EBP
                    77DFBA58: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DFBA55: E9 D245FB88  JMP 00DB002C
                    Disassembly of hooker:
                    00DB002C: 68 25B8E9C4  PUSH C4E9B825
                    00DB0031: E8 88DFB57B  CALL 7C90DFBE
                    00DB0036: 58           POP EAX
                    00DB0037: C2 0C00      RET 000C
                    00DB003A: C3           RET ; Pop IP
                    00DB003B: 06           PUSH ES ; Push ES register to the stack
                    00DB003C: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB003E: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB0040: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB0042: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB0044: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB0046: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB0048: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB004A: 0000         ADD BYTE PTR DS:[EAX],AL
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of RegOpenKeyA at 77DDEFC8 (0) got patched. Here is the diff:
                    Address   New-Original
                    77DDEFC8: E9 - 8B 
                    77DDEFC9: 22 - FF 
                    77DDEFCA: 20 - 55 
                    77DDEFCB: FD - 8B 
                    77DDEFCC: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB0FEF]
                    Disassembly old code:
                    77DDEFC8: 8BFF         MOV EDI, EDI
                    77DDEFCA: 55           PUSH EBP
                    77DDEFCB: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DDEFC8: E9 2220FD88  JMP 00DB0FEF
                    Disassembly of hooker:
                    00DB0FEF: 68 25B8E9C4  PUSH C4E9B825
                    00DB0FF4: E8 C5CFB57B  CALL 7C90DFBE
                    00DB0FF9: 58           POP EAX
                    00DB0FFA: C2 0C00      RET 000C
                    00DB0FFD: C3           RET ; Pop IP
                    00DB0FFE: 0100         ADD DWORD PTR DS:[EAX],EAX
                    00DB1000: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB1002: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB1004: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB1006: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB1008: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB100A: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB100C: 0000         ADD BYTE PTR DS:[EAX],AL
                    00DB100E: 0000         ADD BYTE PTR DS:[EAX],AL
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of RegOpenKeyExA at 77DD7852 (0) got patched. Here is the diff:
                    Address   New-Original
                    77DD7852: E9 - 8B 
                    77DD7853: B3 - FF 
                    77DD7854: 87 - 55 
                    77DD7855: FD - 8B 
                    77DD7856: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB000A]
                    Disassembly old code:
                    77DD7852: 8BFF         MOV EDI, EDI
                    77DD7854: 55           PUSH EBP
                    77DD7855: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DD7852: E9 B387FD88  JMP 00DB000A
                    Disassembly of hooker:
                    00DB000A: 68 25B8E9C4  PUSH C4E9B825
                    00DB000F: E8 AADFB57B  CALL 7C90DFBE
                    00DB0014: 58           POP EAX
                    00DB0015: C2 1400      RET 0014
                    00DB0018: C3           RET ; Pop IP
                    00DB0019: 0300         ADD EAX,DWORD PTR DS:[EAX]
                    00DB001B: 68 25B8E9C4  PUSH C4E9B825
                    00DB0020: E8 99DFB57B  CALL 7C90DFBE
                    00DB0025: 58           POP EAX
                    00DB0026: C2 1400      RET 0014
                    00DB0029: C3           RET ; Pop IP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of RegOpenKeyExW at 77DD6AAF (0) got patched. Here is the diff:
                    Address   New-Original
                    77DD6AAF: E9 - 8B 
                    77DD6AB0: 67 - FF 
                    77DD6AB1: 95 - 55 
                    77DD6AB2: FD - 8B 
                    77DD6AB3: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB001B]
                    Disassembly old code:
                    77DD6AAF: 8BFF         MOV EDI, EDI
                    77DD6AB1: 55           PUSH EBP
                    77DD6AB2: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DD6AAF: E9 6795FD88  JMP 00DB001B
                    Disassembly of hooker:
                    00DB001B: 68 25B8E9C4  PUSH C4E9B825
                    00DB0020: E8 99DFB57B  CALL 7C90DFBE
                    00DB0025: 58           POP EAX
                    00DB0026: C2 1400      RET 0014
                    00DB0029: C3           RET ; Pop IP
                    00DB002A: 0400         ADD AL, 00
                    00DB002C: 68 25B8E9C4  PUSH C4E9B825
                    00DB0031: E8 88DFB57B  CALL 7C90DFBE
                    00DB0036: 58           POP EAX
                    00DB0037: C2 0C00      RET 000C
                    00DB003A: C3           RET ; Pop IP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of RegOpenKeyW at 77DD7946 (0) got patched. Here is the diff:
                    Address   New-Original
                    77DD7946: E9 - 8B 
                    77DD7947: 89 - FF 
                    77DD7948: 96 - 55 
                    77DD7949: FD - 8B 
                    77DD794A: 88 - EC 
                    --> JMP DWORD PTR DS:[00DB0FD4]
                    Disassembly old code:
                    77DD7946: 8BFF         MOV EDI, EDI
                    77DD7948: 55           PUSH EBP
                    77DD7949: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77DD7946: E9 8996FD88  JMP 00DB0FD4
                    Disassembly of hooker:
                    00DB0FD4: 68 25B8E9C4  PUSH C4E9B825
                    00DB0FD9: E8 E0CFB57B  CALL 7C90DFBE
                    00DB0FDE: 58           POP EAX
                    00DB0FDF: C2 0C00      RET 000C
                    00DB0FE2: C3           RET ; Pop IP
                    00DB0FE3: 0200         ADD AL,BYTE PTR DS:[EAX]
                    00DB0FE5: 8BFF         MOV EDI, EDI
                    00DB0FE7: 55           PUSH EBP
                    00DB0FE8: 8BEC         MOV EBP, ESP
                    00DB0FEA: E9 5C690277  JMP 77DD794B
                    00DB0FEF: 68 25B8E9C4  PUSH C4E9B825
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    RPCRT4.dll          (77E70000 - 77F02000)
                    Secur32.dll         (77FE0000 - 77FF1000)
                    USER32.DLL          (7E410000 - 7E4A1000)
                    GDI32.dll           (77F10000 - 77F59000)
                    OPENDS60.DLL        (41060000 - 41066000)
                    MSVCRT.DLL          (77C10000 - 77C68000)
                    The code of _creat at 77C2D40F (0) got patched. Here is the diff:
                    Address   New-Original
                    77C2D40F: E9 - 8B 
                    77C2D410: 04 - FF 
                    77C2D411: 2C - 55 
                    77C2D412: B4 - 8B 
                    77C2D413: 99 - EC 
                    --> JMP DWORD PTR DS:[11770018]
                    Disassembly old code:
                    77C2D40F: 8BFF         MOV EDI, EDI
                    77C2D411: 55           PUSH EBP
                    77C2D412: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77C2D40F: E9 042CB499  JMP 11770018
                    Disassembly of hooker:
                    11770018: 68 25B8E9C4  PUSH C4E9B825
                    1177001D: E8 9CDF196B  CALL 7C90DFBE
                    11770022: 58           POP EAX
                    11770023: C2 0000      RET 0000
                    11770026: C3           RET ; Pop IP
                    11770027: 1E           PUSH DS ; Push DS register to the stack
                    11770028: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
                    1177002E: E9 E1D34B66  JMP 77C2D414
                    11770033: 8BFF         MOV EDI, EDI
                    11770035: 55           PUSH EBP
                    11770036: 8BEC         MOV EBP, ESP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of _open at 77C2F566 (0) got patched. Here is the diff:
                    Address   New-Original
                    77C2F566: E9 - 6A 
                    77C2F567: 84 - 14 
                    77C2F568: 1A - 68 
                    --> JMP DWORD PTR DS:[11770FEF]
                    Disassembly old code:
                    77C2F566: 6A14         PUSH 14

                    Disassembly new code:
                    77C2F566: E9 841AB499  JMP 11770FEF
                    Disassembly of hooker:
                    11770FEF: 68 25B8E9C4  PUSH C4E9B825
                    11770FF4: E8 C5CF196B  CALL 7C90DFBE
                    11770FF9: 58           POP EAX
                    11770FFA: C2 0000      RET 0000
                    11770FFD: C3           RET ; Pop IP
                    11770FFE: 1C00         SBB AL, 00
                    11771000: 0000         ADD BYTE PTR DS:[EAX],AL
                    11771002: 0000         ADD BYTE PTR DS:[EAX],AL
                    11771004: 0000         ADD BYTE PTR DS:[EAX],AL
                    11771006: 0000         ADD BYTE PTR DS:[EAX],AL
                    11771008: 0000         ADD BYTE PTR DS:[EAX],AL
                    1177100A: 0000         ADD BYTE PTR DS:[EAX],AL
                    1177100C: 0000         ADD BYTE PTR DS:[EAX],AL
                    1177100E: 0000         ADD BYTE PTR DS:[EAX],AL
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of _wcreat at 77C2FC9B (0) got patched. Here is the diff:
                    Address   New-Original
                    77C2FC9B: E9 - 8B 
                    77C2FC9C: 23 - FF 
                    77C2FC9D: 13 - 55 
                    77C2FC9E: B4 - 8B 
                    77C2FC9F: 99 - EC 
                    --> JMP DWORD PTR DS:[11770FC3]
                    Disassembly old code:
                    77C2FC9B: 8BFF         MOV EDI, EDI
                    77C2FC9D: 55           PUSH EBP
                    77C2FC9E: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77C2FC9B: E9 2313B499  JMP 11770FC3
                    Disassembly of hooker:
                    11770FC3: 68 25B8E9C4  PUSH C4E9B825
                    11770FC8: E8 F1CF196B  CALL 7C90DFBE
                    11770FCD: 58           POP EAX
                    11770FCE: C2 0000      RET 0000
                    11770FD1: C3           RET ; Pop IP
                    11770FD2: 1F           POP DS ; Pop top stack to DS
                    11770FD3: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
                    11770FD9: E9 C2EC4B66  JMP 77C2FCA0
                    11770FDE: 68 25B8E9C4  PUSH C4E9B825
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of _wopen at 77C30055 (0) got patched. Here is the diff:
                    Address   New-Original
                    77C30055: E9 - 6A 
                    77C30056: 84 - 14 
                    77C30057: 0F - 68 
                    --> JMP DWORD PTR DS:[11770FDE]
                    Disassembly old code:
                    77C30055: 6A14         PUSH 14

                    Disassembly new code:
                    77C30055: E9 840FB499  JMP 11770FDE
                    Disassembly of hooker:
                    11770FDE: 68 25B8E9C4  PUSH C4E9B825
                    11770FE3: E8 D6CF196B  CALL 7C90DFBE
                    11770FE8: 58           POP EAX
                    11770FE9: C2 0000      RET 0000
                    11770FEC: C3           RET ; Pop IP
                    11770FED: 1D 006825B8  SBB EAX, B8256800
                    11770FF2: E9 C4E8C5CF  JMP E13CF8BB
                    11770FF7: 196B58       SBB DWORD PTR DS:[EBX+58H],EBP
                    11770FFA: C2 0000      RET 0000
                    11770FFD: C3           RET ; Pop IP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of _wsystem at 77C2931E (0) got patched. Here is the diff:
                    Address   New-Original
                    77C2931E: E9 - 8B 
                    77C2931F: 8F - FF 
                    77C29320: 7C - 55 
                    77C29321: B4 - 8B 
                    77C29322: 99 - EC 
                    --> JMP DWORD PTR DS:[11770FB2]
                    Disassembly old code:
                    77C2931E: 8BFF         MOV EDI, EDI
                    77C29320: 55           PUSH EBP
                    77C29321: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77C2931E: E9 8F7CB499  JMP 11770FB2
                    Disassembly of hooker:
                    11770FB2: 68 25B8E9C4  PUSH C4E9B825
                    11770FB7: E8 02D0196B  CALL 7C90DFBE
                    11770FBC: 58           POP EAX
                    11770FBD: C2 0000      RET 0000
                    11770FC0: C3           RET ; Pop IP
                    11770FC1: 2100         AND DWORD PTR DS:[EAX],EAX
                    11770FC3: 68 25B8E9C4  PUSH C4E9B825
                    11770FC8: E8 F1CF196B  CALL 7C90DFBE
                    11770FCD: 58           POP EAX
                    11770FCE: C2 0000      RET 0000
                    11770FD1: C3           RET ; Pop IP
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    The code of system at 77C293C7 (0) got patched. Here is the diff:
                    Address   New-Original
                    77C293C7: E9 - 8B 
                    77C293C8: 71 - FF 
                    77C293C9: 6C - 55 
                    77C293CA: B4 - 8B 
                    77C293CB: 99 - EC 
                    --> JMP DWORD PTR DS:[1177003D]
                    Disassembly old code:
                    77C293C7: 8BFF         MOV EDI, EDI
                    77C293C9: 55           PUSH EBP
                    77C293CA: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    77C293C7: E9 716CB499  JMP 1177003D
                    Disassembly of hooker:
                    1177003D: 68 25B8E9C4  PUSH C4E9B825
                    11770042: E8 77DF196B  CALL 7C90DFBE
                    11770047: 58           POP EAX
                    11770048: C2 0000      RET 0000
                    1177004B: C3           RET ; Pop IP
                    1177004C: 2000         AND BYTE PTR DS:[EAX],AL
                    1177004E: 0000         ADD BYTE PTR DS:[EAX],AL
                    11770050: 0000         ADD BYTE PTR DS:[EAX],AL
                    11770052: 0000         ADD BYTE PTR DS:[EAX],AL
                    11770054: 0000         ADD BYTE PTR DS:[EAX],AL
                    11770056: 0000         ADD BYTE PTR DS:[EAX],AL
                    11770058: 0000         ADD BYTE PTR DS:[EAX],AL
                    1177005A: 0000         ADD BYTE PTR DS:[EAX],AL
                    1177005C: 0000         ADD BYTE PTR DS:[EAX],AL
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                    Base address:   7C900000
                    Size:      000B2000
                    Flags:      80084004
                    Load count:   65535
                    Name:      Microsoft® Windows® Operating System
                    Prod. Version:   5.1.2600.5755
                    Company:   Microsoft Corporation
                    File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                    Description:   NT Layer DLL
                    Location:   C:\WINDOWS\system32\ntdll.dll
                    Signed:      > NO! <
                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                    UMS.DLL             (41070000 - 4107C000)
                    SQLSORT.DLL         (42AE0000 - 42B70000)
                    MSVCIRT.DLL         (002B0000 - 002C1000)
                    IMM32.DLL           (76390000 - 763AD000)
                    sqlevn70.RLL        (10000000 - 10007000)
                    NETAPI32.DLL        (10950000 - 109A5000)
                    SSNETLIB.dll        (00CD0000 - 00CE5000)
                    WSOCK32.dll         (00CF0000 - 00CF9000)
                    WS2_32.dll          (00D00000 - 00D17000)
                    The code of socket at 00D04211 (0) got patched. Here is the diff:
                    Address   New-Original
                    00D04211: E9 - 8B 
                    00D04212: EA - FF 
                    00D04213: BD - 55 
                    00D04214: A5 - 8B 
                    00D04215: 10 - EC 
                    --> JMP DWORD PTR DS:[11760000]
                    Disassembly old code:
                    00D04211: 8BFF         MOV EDI, EDI
                    00D04213: 55           PUSH EBP
                    00D04214: 8BEC         MOV EBP, ESP

                    Disassembly new code:
                    00D04211: E9 EABDA510  JMP 11760000
                    Disassembly of hooker:
                    11760000: 68 25B8E9C4  PUSH C4E9B825
                    11760005: E8 B4DF1A6B  CALL 7C90DFBE
                    1176000A: 58           POP EAX
                    1176000B: C2 0C00      RET 000C
                    1176000E: C3           RET ; Pop IP
                    1176000F: 1B00         SBB EAX,DWORD PTR DS:[EAX]
                    11760011: 8BFF         MOV EDI, EDI
                    11760013: 55           PUSH EBP
                    11760014: 8BEC         MOV EBP, ESP
                    11760016: E9 FB415AEF  JMP 00D04216
                    1176001B: 0000         ADD BYTE PTR DS:[EAX],AL
                    1176001D: 0000         ADD BYTE PTR DS:[EAX],AL
                    1176001F: 0000         ADD BYTE PTR DS:[EAX],AL
                    Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

                    Xerinous

                      Topic Starter


                      Beginner

                      Re: Can't run programs or connect to internet
                      « Reply #84 on: August 08, 2010, 09:37:32 PM »

                      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                      Base address:   7C900000
                      Size:      000B2000
                      Flags:      80084004
                      Load count:   65535
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5755
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                      Description:   NT Layer DLL
                      Location:   C:\WINDOWS\system32\ntdll.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      WS2HELP.dll         (00D20000 - 00D28000)
                      security.dll        (113A0000 - 113A4000)
                      VERSION.dll         (11470000 - 11478000)
                      SSmsLPCn.dll        (113B0000 - 113B8000)
                      ntdsapi.dll         (11440000 - 11453000)
                      DNSAPI.dll          (11480000 - 114A7000)
                      WLDAP32.dll         (114B0000 - 114DC000)

                      PID 1956  - C:\WINDOWS\system32\nvsvc32.exe
                      -------------------------------------------------------------------------------
                      ntdll.dll           (7C900000 - 7C9B2000)
                      kernel32.dll        (7C800000 - 7C8F6000)
                      USER32.dll          (7E410000 - 7E4A1000)
                      GDI32.dll           (77F10000 - 77F59000)
                      ADVAPI32.dll        (77DD0000 - 77E6B000)
                      RPCRT4.dll          (77E70000 - 77F02000)
                      Secur32.dll         (77FE0000 - 77FF1000)
                      USERENV.dll         (769C0000 - 76A74000)
                      msvcrt.dll          (77C10000 - 77C68000)
                      POWRPROF.dll        (74AD0000 - 74AD8000)
                      IMM32.DLL           (76390000 - 763AD000)
                      wtsapi32.dll        (76F50000 - 76F58000)
                      WINSTA.dll          (76360000 - 76370000)
                      NETAPI32.dll        (5B860000 - 5B8B5000)
                      SHLWAPI.dll         (77F60000 - 77FD6000)
                      COMCTL32.dll        (5D090000 - 5D12A000)
                      comctl32.dll        (773D0000 - 774D3000)
                      msctfime.ime        (755C0000 - 755EE000)
                      ole32.dll           (774E0000 - 7761D000)
                      WINTRUST.dll        (76C30000 - 76C5E000)
                      CRYPT32.dll         (77A80000 - 77B15000)
                      MSASN1.dll          (77B20000 - 77B32000)
                      IMAGEHLP.dll        (76C90000 - 76CB8000)
                      msv1_0.dll          (77C70000 - 77C95000)
                      cryptdll.dll        (76790000 - 7679C000)
                      iphlpapi.dll        (76D60000 - 76D79000)
                      WS2_32.dll          (71AB0000 - 71AC7000)
                      WS2HELP.dll         (71AA0000 - 71AA8000)
                      VERSION.dll         (77C00000 - 77C08000)
                      Apphelp.dll         (77B40000 - 77B62000)

                      PID 1968  - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
                      -------------------------------------------------------------------------------
                      ntdll.dll           (7C900000 - 7C9B2000)
                      kernel32.dll        (7C800000 - 7C8F6000)
                      USER32.dll          (7E410000 - 7E4A1000)
                      GDI32.dll           (77F10000 - 77F59000)
                      ADVAPI32.dll        (77DD0000 - 77E6B000)
                      RPCRT4.dll          (77E70000 - 77F02000)
                      Secur32.dll         (77FE0000 - 77FF1000)
                      SHELL32.dll         (7C9C0000 - 7D1D7000)
                      msvcrt.dll          (77C10000 - 77C68000)
                      SHLWAPI.dll         (77F60000 - 77FD6000)
                      VERSION.dll         (77C00000 - 77C08000)
                      IMM32.DLL           (76390000 - 763AD000)
                      comctl32.dll        (773D0000 - 774D3000)
                      comctl32.dll        (5D090000 - 5D12A000)
                      msctfime.ime        (755C0000 - 755EE000)
                      ole32.dll           (774E0000 - 7761D000)
                      sprtsched.dll       (62D20000 - 62DFD000)
                      sprtfod.dll         (627C0000 - 62823000)
                      WSOCK32.dll         (71AD0000 - 71AD9000)
                      WS2_32.dll          (71AB0000 - 71AC7000)
                      WS2HELP.dll         (71AA0000 - 71AA8000)
                      LIBEAY32.dll        (61F30000 - 62038000)
                      NETAPI32.dll        (5B860000 - 5B8B5000)
                      WININET.DLL         (3D930000 - 3DA01000)
                      Normaliz.dll        (00B60000 - 00B69000)
                      iertutil.dll        (3DFD0000 - 3E015000)
                      URLMON.DLL          (78130000 - 78258000)
                      OLEAUT32.dll        (77120000 - 771AB000)
                      sprtsync.dll        (65700000 - 657DF000)
                      WINSPOOL.DRV        (73000000 - 73026000)
                      sprtupdate.dll      (62E00000 - 62E55000)
                      msi.dll             (7D1E0000 - 7D49C000)
                      mswsock.dll         (71A50000 - 71A8F000)
                      DNSAPI.dll          (76F20000 - 76F47000)
                      iphlpapi.dll        (76D60000 - 76D79000)
                      winrnr.dll          (76FB0000 - 76FB8000)
                      WLDAP32.dll         (76F60000 - 76F8C000)
                      mdnsNSP.dll         (64000000 - 64025000)
                      rasadhlp.dll        (76FC0000 - 76FC6000)
                      NTMARTA.DLL         (77690000 - 776B1000)
                      SAMLIB.dll          (71BF0000 - 71C03000)
                      RASAPI32.dll        (76EE0000 - 76F1C000)
                      rasman.dll          (76E90000 - 76EA2000)
                      TAPI32.dll          (76EB0000 - 76EDF000)
                      rtutils.dll         (76E80000 - 76E8E000)
                      WINMM.dll           (76B40000 - 76B6D000)
                      USERENV.dll         (769C0000 - 76A74000)

                      PID 2004  - C:\WINDOWS\wanmpsvc.exe
                      -------------------------------------------------------------------------------
                      ntdll.dll           (7C900000 - 7C9B2000)
                      kernel32.dll        (7C800000 - 7C8F6000)
                      USER32.dll          (7E410000 - 7E4A1000)
                      GDI32.dll           (77F10000 - 77F59000)
                      ADVAPI32.dll        (77DD0000 - 77E6B000)
                      RPCRT4.dll          (77E70000 - 77F02000)
                      Secur32.dll         (77FE0000 - 77FF1000)
                      SHELL32.dll         (7C9C0000 - 7D1D7000)
                      msvcrt.dll          (77C10000 - 77C68000)
                      SHLWAPI.dll         (77F60000 - 77FD6000)
                      iphlpapi.dll        (76D60000 - 76D79000)
                      WS2_32.dll          (71AB0000 - 71AC7000)
                      WS2HELP.dll         (71AA0000 - 71AA8000)
                      RASAPI32.dll        (76EE0000 - 76F1C000)
                      rasman.dll          (76E90000 - 76EA2000)
                      NETAPI32.dll        (5B860000 - 5B8B5000)
                      TAPI32.dll          (76EB0000 - 76EDF000)
                      rtutils.dll         (76E80000 - 76E8E000)
                      WINMM.dll           (76B40000 - 76B6D000)
                      IMM32.DLL           (76390000 - 763AD000)
                      comctl32.dll        (773D0000 - 774D3000)
                      comctl32.dll        (5D090000 - 5D12A000)

                      PID 116   - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
                      -------------------------------------------------------------------------------
                      ntdll.dll           (7C900000 - 7C9B2000)
                      kernel32.dll        (7C800000 - 7C8F6000)
                      LZ32.dll            (73DC0000 - 73DC3000)
                      RPCRT4.dll          (77E70000 - 77F02000)
                      ADVAPI32.dll        (77DD0000 - 77E6B000)
                      Secur32.dll         (77FE0000 - 77FF1000)
                      LockDown.dll        (140E0000 - 140E9000)
                      msvcrt.dll          (77C10000 - 77C68000)
                      USER32.dll          (7E410000 - 7E4A1000)
                      GDI32.dll           (77F10000 - 77F59000)
                      mytilus3.dll        (14180000 - 14199000)
                      mytilus3_worker.dll (14710000 - 14766000)
                      SHFOLDER.dll        (76780000 - 76789000)
                      DNSAPI.dll          (76F20000 - 76F47000)
                      WS2_32.dll          (71AB0000 - 71AC7000)
                      WS2HELP.dll         (71AA0000 - 71AA8000)
                      WININET.dll         (3D930000 - 3DA01000)
                      SHLWAPI.dll         (77F60000 - 77FD6000)
                      Normaliz.dll        (00340000 - 00349000)
                      iertutil.dll        (3DFD0000 - 3E015000)
                      ole32.dll           (774E0000 - 7761D000)
                      OLEAUT32.dll        (77120000 - 771AB000)
                      mytilus3_server.dll (14810000 - 1482C000)
                      IMM32.DLL           (76390000 - 763AD000)
                      comctl32.dll        (773D0000 - 774D3000)
                      mcshield.dll        (14100000 - 1415C000)
                      FTL.Dll             (14080000 - 1408E000)
                      SHELL32.dll         (7C9C0000 - 7D1D7000)
                      comctl32.dll        (5D090000 - 5D12A000)
                      psapi.dll           (76BF0000 - 76BFB000)
                      WTSAPI32.Dll        (76F50000 - 76F58000)
                      WINSTA.dll          (76360000 - 76370000)
                      NETAPI32.dll        (5B860000 - 5B8B5000)
                      mfeavfa.dll         (6EFF0000 - 6F001000)
                      CRYPT32.dll         (77A80000 - 77B15000)
                      MSASN1.dll          (77B20000 - 77B32000)
                      mfehida.dll         (66240000 - 66255000)
                      mfevtpa.dll         (6DA50000 - 6DA73000)
                      sfc.dll             (76BB0000 - 76BB5000)
                      sfc_os.dll          (76C60000 - 76C8A000)
                      WINTRUST.dll        (76C30000 - 76C5E000)
                      IMAGEHLP.dll        (76C90000 - 76CB8000)
                      mcscan32.dll        (12000000 - 1231C000)
                      mfeapfa.dll         (65490000 - 6549E000)
                      rsaenh.dll          (68000000 - 68036000)
                      xpsp2res.dll        (0F350000 - 0F615000)
                      userenv.dll         (769C0000 - 76A74000)
                      VERSION.dll         (77C00000 - 77C08000)
                      mfebopa.dll         (603D0000 - 603DF000)
                      RASAPI32.dll        (76EE0000 - 76F1C000)
                      rasman.dll          (76E90000 - 76EA2000)
                      TAPI32.dll          (76EB0000 - 76EDF000)
                      rtutils.dll         (76E80000 - 76E8E000)
                      WINMM.dll           (76B40000 - 76B6D000)
                      iphlpapi.dll        (76D60000 - 76D79000)

                      PID 280   - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
                      -------------------------------------------------------------------------------
                      ntdll.dll           (7C900000 - 7C9B2000)
                      kernel32.dll        (7C800000 - 7C8F6000)
                      RPCRT4.dll          (77E70000 - 77F02000)
                      ADVAPI32.dll        (77DD0000 - 77E6B000)
                      Secur32.dll         (77FE0000 - 77FF1000)
                      msvcrt.dll          (77C10000 - 77C68000)
                      USER32.dll          (7E410000 - 7E4A1000)
                      GDI32.dll           (77F10000 - 77F59000)
                      WS2_32.dll          (71AB0000 - 71AC7000)
                      WS2HELP.dll         (71AA0000 - 71AA8000)
                      IMM32.DLL           (76390000 - 763AD000)
                      mfehida.dll         (66240000 - 66255000)
                      dnsapi.dll          (76F20000 - 76F47000)
                      IPHLPAPI.DLL        (76D60000 - 76D79000)
                      netman.dll          (77D00000 - 77D33000)
                      MPRAPI.dll          (76D40000 - 76D58000)
                      ACTIVEDS.dll        (77CC0000 - 77CF2000)
                      adsldpc.dll         (76E10000 - 76E35000)
                      NETAPI32.dll        (5B860000 - 5B8B5000)
                      WLDAP32.dll         (76F60000 - 76F8C000)
                      ATL.DLL             (76B20000 - 76B31000)
                      ole32.dll           (774E0000 - 7761D000)
                      OLEAUT32.dll        (77120000 - 771AB000)
                      rtutils.dll         (76E80000 - 76E8E000)
                      SAMLIB.dll          (71BF0000 - 71C03000)
                      SETUPAPI.dll        (77920000 - 77A13000)
                      netshell.dll        (76400000 - 765A5000)
                      credui.dll          (76C00000 - 76C2E000)
                      SHELL32.dll         (7C9C0000 - 7D1D7000)
                      SHLWAPI.dll         (77F60000 - 77FD6000)
                      dot3api.dll         (478C0000 - 478CA000)
                      dot3dlg.dll         (736D0000 - 736D6000)
                      OneX.DLL            (5DCA0000 - 5DCC8000)
                      WTSAPI32.dll        (76F50000 - 76F58000)
                      WINSTA.dll          (76360000 - 76370000)
                      CRYPT32.dll         (77A80000 - 77B15000)
                      MSASN1.dll          (77B20000 - 77B32000)
                      eappcfg.dll         (745B0000 - 745D2000)
                      MSVCP60.dll         (76080000 - 760E5000)
                      eappprxy.dll        (5DCD0000 - 5DCDE000)
                      RASAPI32.dll        (76EE0000 - 76F1C000)
                      rasman.dll          (76E90000 - 76EA2000)
                      TAPI32.dll          (76EB0000 - 76EDF000)
                      WINMM.dll           (76B40000 - 76B6D000)
                      WININET.dll         (3D930000 - 3DA01000)
                      Normaliz.dll        (00970000 - 00979000)
                      iertutil.dll        (3DFD0000 - 3E015000)
                      WZCSAPI.DLL         (73030000 - 73040000)
                      WZCSvc.DLL          (7DB10000 - 7DB9C000)
                      WMI.dll             (76D30000 - 76D34000)
                      DHCPCSVC.DLL        (7D4B0000 - 7D4D2000)
                      EapolQec.dll        (72810000 - 7281B000)
                      QUtil.dll           (726C0000 - 726D6000)
                      ESENT.dll           (606B0000 - 607BD000)
                      comctl32.dll        (773D0000 - 774D3000)
                      comctl32.dll        (5D090000 - 5D12A000)
                      mswsock.dll         (71A50000 - 71A8F000)
                      hnetcfg.dll         (662B0000 - 66308000)
                      wshtcpip.dll        (71A90000 - 71A98000)

                      PID 344   - C:\WINDOWS\Explorer.EXE
                      -------------------------------------------------------------------------------
                      ntdll.dll           (7C900000 - 7C9B2000)
                      The code of NtCreateFile at 7C90D0AE (0) got patched. Here is the diff:
                      Address   New-Original
                      7C90D0AE: E9 - B8 
                      7C90D0AF: 4D - 25 
                      7C90D0B0: 2F - 00 
                      7C90D0B1: 78 - 00 
                      7C90D0B2: 83 - 00 
                      --> JMP DWORD PTR DS:[00090000]
                      Disassembly old code:
                      7C90D0AE: B8 25000000  MOV EAX, 00000025

                      Disassembly new code:
                      7C90D0AE: E9 4D2F7883  JMP 00090000
                      Disassembly of hooker:
                      00090000: 68 25B8E9C4  PUSH C4E9B825
                      00090005: E8 B4DF877C  CALL 7C90DFBE
                      0009000A: 58           POP EAX
                      0009000B: C2 2C00      RET 002C
                      0009000E: C3           RET ; Pop IP
                      0009000F: 0100         ADD DWORD PTR DS:[EAX],EAX
                      00090011: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090013: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090015: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090017: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090019: 0000         ADD BYTE PTR DS:[EAX],AL
                      0009001B: 0000         ADD BYTE PTR DS:[EAX],AL
                      0009001D: 0000         ADD BYTE PTR DS:[EAX],AL
                      0009001F: 0000         ADD BYTE PTR DS:[EAX],AL
                      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                      Base address:   7C900000
                      Size:      000B2000
                      Flags:      80084004
                      Load count:   65535
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5755
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                      Description:   NT Layer DLL
                      Location:   C:\WINDOWS\system32\ntdll.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      The code of NtCreateProcess at 7C90D14E (0) got patched. Here is the diff:
                      Address   New-Original
                      7C90D14E: E9 - B8 
                      7C90D14F: 6D - 2F 
                      7C90D150: 3E - 00 
                      7C90D151: 78 - 00 
                      7C90D152: 83 - 00 
                      --> JMP DWORD PTR DS:[00090FC0]
                      Disassembly old code:
                      7C90D14E: B8 2F000000  MOV EAX, 0000002F

                      Disassembly new code:
                      7C90D14E: E9 6D3E7883  JMP 00090FC0
                      Disassembly of hooker:
                      00090FC0: 68 25B8E9C4  PUSH C4E9B825
                      00090FC5: E8 F4CF877C  CALL 7C90DFBE
                      00090FCA: 58           POP EAX
                      00090FCB: C2 2000      RET 0020
                      00090FCE: C3           RET ; Pop IP
                      00090FCF: 0300         ADD EAX,DWORD PTR DS:[EAX]
                      00090FD1: B8 2F000000  MOV EAX, 0000002F
                      00090FD6: E9 78C1877C  JMP 7C90D153
                      00090FDB: 68 25B8E9C4  PUSH C4E9B825
                      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                      Base address:   7C900000
                      Size:      000B2000
                      Flags:      80084004
                      Load count:   65535
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5755
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                      Description:   NT Layer DLL
                      Location:   C:\WINDOWS\system32\ntdll.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      The code of NtProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
                      Address   New-Original
                      7C90D6EE: E9 - B8 
                      7C90D6EF: E8 - 89 
                      7C90D6F0: 38 - 00 
                      7C90D6F1: 78 - 00 
                      7C90D6F2: 83 - 00 
                      --> JMP DWORD PTR DS:[00090FDB]
                      Disassembly old code:
                      7C90D6EE: B8 89000000  MOV EAX, 00000089

                      Disassembly new code:
                      7C90D6EE: E9 E8387883  JMP 00090FDB
                      Disassembly of hooker:
                      00090FDB: 68 25B8E9C4  PUSH C4E9B825
                      00090FE0: E8 D9CF877C  CALL 7C90DFBE
                      00090FE5: 58           POP EAX
                      00090FE6: C2 1400      RET 0014
                      00090FE9: C3           RET ; Pop IP
                      00090FEA: 0200         ADD AL,BYTE PTR DS:[EAX]
                      00090FEC: B8 89000000  MOV EAX, 00000089
                      00090FF1: E9 FDC6877C  JMP 7C90D6F3
                      00090FF6: B8 25000000  MOV EAX, 00000025
                      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                      Base address:   7C900000
                      Size:      000B2000
                      Flags:      80084004
                      Load count:   65535
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5755
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                      Description:   NT Layer DLL
                      Location:   C:\WINDOWS\system32\ntdll.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      The code of ZwCreateFile at 7C90D0AE (0) got patched. Here is the diff:
                      Address   New-Original
                      7C90D0AE: E9 - B8 
                      7C90D0AF: 4D - 25 
                      7C90D0B0: 2F - 00 
                      7C90D0B1: 78 - 00 
                      7C90D0B2: 83 - 00 
                      --> JMP DWORD PTR DS:[00090000]
                      Disassembly old code:
                      7C90D0AE: B8 25000000  MOV EAX, 00000025

                      Disassembly new code:
                      7C90D0AE: E9 4D2F7883  JMP 00090000
                      Disassembly of hooker:
                      00090000: 68 25B8E9C4  PUSH C4E9B825
                      00090005: E8 B4DF877C  CALL 7C90DFBE
                      0009000A: 58           POP EAX
                      0009000B: C2 2C00      RET 002C
                      0009000E: C3           RET ; Pop IP
                      0009000F: 0100         ADD DWORD PTR DS:[EAX],EAX
                      00090011: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090013: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090015: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090017: 0000         ADD BYTE PTR DS:[EAX],AL
                      00090019: 0000         ADD BYTE PTR DS:[EAX],AL
                      0009001B: 0000         ADD BYTE PTR DS:[EAX],AL
                      0009001D: 0000         ADD BYTE PTR DS:[EAX],AL
                      0009001F: 0000         ADD BYTE PTR DS:[EAX],AL
                      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                      Base address:   7C900000
                      Size:      000B2000
                      Flags:      80084004
                      Load count:   65535
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5755
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                      Description:   NT Layer DLL
                      Location:   C:\WINDOWS\system32\ntdll.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      The code of ZwCreateProcess at 7C90D14E (0) got patched. Here is the diff:
                      Address   New-Original
                      7C90D14E: E9 - B8 
                      7C90D14F: 6D - 2F 
                      7C90D150: 3E - 00 
                      7C90D151: 78 - 00 
                      7C90D152: 83 - 00 
                      --> JMP DWORD PTR DS:[00090FC0]
                      Disassembly old code:
                      7C90D14E: B8 2F000000  MOV EAX, 0000002F

                      Disassembly new code:
                      7C90D14E: E9 6D3E7883  JMP 00090FC0
                      Disassembly of hooker:
                      00090FC0: 68 25B8E9C4  PUSH C4E9B825
                      00090FC5: E8 F4CF877C  CALL 7C90DFBE
                      00090FCA: 58           POP EAX
                      00090FCB: C2 2000      RET 0020
                      00090FCE: C3           RET ; Pop IP
                      00090FCF: 0300         ADD EAX,DWORD PTR DS:[EAX]
                      00090FD1: B8 2F000000  MOV EAX, 0000002F
                      00090FD6: E9 78C1877C  JMP 7C90D153
                      00090FDB: 68 25B8E9C4  PUSH C4E9B825
                      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                      Base address:   7C900000
                      Size:      000B2000
                      Flags:      80084004
                      Load count:   65535
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5755
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                      Description:   NT Layer DLL
                      Location:   C:\WINDOWS\system32\ntdll.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      The code of ZwProtectVirtualMemory at 7C90D6EE (0) got patched. Here is the diff:
                      Address   New-Original
                      7C90D6EE: E9 - B8 
                      7C90D6EF: E8 - 89 
                      7C90D6F0: 38 - 00 
                      7C90D6F1: 78 - 00 
                      7C90D6F2: 83 - 00 
                      --> JMP DWORD PTR DS:[00090FDB]
                      Disassembly old code:
                      7C90D6EE: B8 89000000  MOV EAX, 00000089

                      Disassembly new code:
                      7C90D6EE: E9 E8387883  JMP 00090FDB
                      Disassembly of hooker:
                      00090FDB: 68 25B8E9C4  PUSH C4E9B825
                      00090FE0: E8 D9CF877C  CALL 7C90DFBE
                      00090FE5: 58           POP EAX
                      00090FE6: C2 1400      RET 0014
                      00090FE9: C3           RET ; Pop IP
                      00090FEA: 0200         ADD AL,BYTE PTR DS:[EAX]
                      00090FEC: B8 89000000  MOV EAX, 00000089
                      00090FF1: E9 FDC6877C  JMP 7C90D6F3
                      00090FF6: B8 25000000  MOV EAX, 00000025
                      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                      Base address:   7C900000
                      Size:      000B2000
                      Flags:      80084004
                      Load count:   65535
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5755
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                      Description:   NT Layer DLL
                      Location:   C:\WINDOWS\system32\ntdll.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      kernel32.dll        (7C800000 - 7C8F6000)
                        Explorer.EXE:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ShimEng.dll:
                      Base address:   5CB70000
                      Size:      00026000
                      Flags:      8000400C
                      Load count:   1
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5512
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5512 (xpsp.080413-2105)
                      Description:   Shim Engine DLL
                      Location:   C:\WINDOWS\system32\ShimEng.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        ADVAPI32.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                      Information about C:\WINDOWS\system32\ShimEng.dll:
                      Base address:   5CB70000
                      Size:      00026000
                      Flags:      8000400C
                      Load count:   1
                      Name:      Microsoft® Windows® Operating System
                      Prod. Version:   5.1.2600.5512
                      Company:   Microsoft Corporation
                      File Version:   5.1.2600.5512 (xpsp.080413-2105)
                      Description:   Shim Engine DLL
                      Location:   C:\WINDOWS\system32\ShimEng.dll
                      Signed:      > NO! <
                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        RPCRT4.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        Secur32.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        BROWSEUI.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        GDI32.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        USER32.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        msvcrt.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        ole32.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        SHLWAPI.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        OLEAUT32.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        SHDOCVW.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        CRYPT32.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        MSASN1.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        CRYPTUI.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        NETAPI32.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        VERSION.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WININET.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        iertutil.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WINTRUST.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        IMAGEHLP.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WLDAP32.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        SHELL32.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        UxTheme.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WINMM.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        MSACM32.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        USERENV.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        IMM32.DLL   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        comctl32.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        comctl32.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        msctfime.ime:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        appHelp.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        CLBCATQ.DLL :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        AcSignIcon.dlGetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WINSPOOL.DRV:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        OLEACC.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        cscui.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        CSCDLL.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        themeui.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        msutb.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        MSCTF.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        AcSignCore16.GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WS2_32.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WS2HELP.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        LINKINFO.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        ntshrui.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        ATL.DLL     :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        SETUPAPI.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        ieframe.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        PSAPI.DLL   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        webcheck.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        MSVCR80.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        NETSHELL.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        credui.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WTSAPI32.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        eappcfg.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        iphlpapi.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        msi.dll     :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        stobject.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        BatMeter.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WPDShServiceOGetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        WINHTTP.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        rsaenh.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        urlmon.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        mydocs.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        PortableDevicGetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        PortableDevicGetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        MLANG.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        fxsst.dll   :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        FXSAPI.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        NTMARTA.DLL :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        MPR.dll     :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        AdobeDriveCS4GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        ntlanman.dll:GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        NETUI0.dll  :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                        davclnt.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
                      The code of CreateFileA at 7C801A28 (0) got patched. Here is the diff:
                      Address   New-Original
                      7C801A28: E9 - 8B 
                      7C801A29: D3 - FF 
                      7C801A2A: E5 - 55 
                      7C801A2B: 9A - 8B 
                      7C801A2C: 83 - EC 
                      --> JMP DWORD PTR DS:[001B0000]
                      Disassembly old code:
                      7C801A28: 8BFF         MOV EDI, EDI
                      7C801A2A: 55           PUSH EBP
                      7C801A2B: 8BEC         MOV EBP, ESP

                      Disassembly new code:
                      7C801A28: E9 D3E59A83  JMP 001B0000
                      Disassembly of hooker:
                      001B0000: 68 25B8E9C4  PUSH C4E9B825
                      001B0005: E8 B4DF757C  CALL 7C90DFBE
                      001B000A: 58           POP EAX
                      001B000B: C2 1C00      RET 001C
                      001B000E: C3           RET ; Pop IP
                      001B000F: 0400         ADD AL, 00
                      001B0011: 68 25B8E9C4  PUSH C4E9B825
                      001B0016: E8 A3DF757C  CALL 7C90DFBE
                      001B001B: 58           POP EAX
                      001B001C: C2 1C00      RET 001C
                      001B001F: C3           RET ; Pop IP
                      Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
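The following is an added example, not part of Xerinous's post and not code from the scanner that produced the log: a small Python parser for records in the format above that re-derives each hook target from the patched bytes and resolves it against the module ranges the log lists. It makes two things concrete. First, the new first instruction at every patched export is E9 rel32, a direct relative jump; decoding it from the printed bytes (address of the next instruction plus the sign-extended 32-bit displacement) reproduces the scanner's "--> JMP" target exactly, so those targets can be trusted even though the scanner prints them in "JMP DWORD PTR DS:[...]" form. Second, every inline hook in the post lands in the 0x001B0000 region, which neither listed image covers (ShimEng.dll at 5CB70000-5CB96000, ntdll.dll at 7C900000-7C9B2000), whereas the GetProcAddress import hooks resolve to 5CB77774 inside ShimEng.dll's own image, exactly as the scanner attributes them. The "Patched by ntdll.dll!NtYieldExecution+0x0" line is best read alongside the hooker disassembly: each stub is PUSH imm32 / CALL 7C90DFBE / POP EAX / RET n, with n equal to the hooked API's stdcall argument size (1C for CreateFileA, 28 for CreateProcessW, 08 for GetProcAddress), and 7C90DFBE lies in ntdll's range, so the attribution most plausibly names the ntdll address the stubs call into, while the stubs themselves sit in memory no listed module covers. Two caveats: the "Signed: > NO! <" field on ntdll.dll and ShimEng.dll reflects the absence of an embedded Authenticode signature (XP system binaries are signed through catalog files), so that field alone is not evidence of tampering; and the module list is only as complete as the "Information about" blocks the parser sees, so on a live system the same check would be fed the full process module list. SAMPLE_LOG is a constructed excerpt whose values are copied from the post; parse_log, classify, Hook and decode_rel32_jmp are names chosen for this example.

```python
# Added example (not the poster's or the scanner's code): parse and cross-check hook records.
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the scanner's format; the values are copied from the log above.
SAMPLE_LOG = r"""
Information about C:\WINDOWS\system32\ShimEng.dll:
Base address:   5CB70000
Size:      00026000
  WININET.dll :GetProcAddress           --[HOOKED]--  @5CB77774 by C:\WINDOWS\system32\ShimEng.dll
The code of CreateFileA at 7C801A28 (0) got patched. Here is the diff:
--> JMP DWORD PTR DS:[001B0000]
Disassembly new code:
7C801A28: E9 D3E59A83  JMP 001B0000
Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0
Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
Base address:   7C900000
Size:      000B2000
The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
--> JMP DWORD PTR DS:[001B0103]
Disassembly new code:
7C802336: E9 C8DD9A83  JMP 001B0103
Disassembly of hooker:
001B0119: E9 1D22657C  JMP 7C80233B
Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0
"""


@dataclass
class Hook:
    kind: str                    # "inline" (entry bytes patched) or "iat" (import slot rewritten)
    name: str                    # patched export, or "<importer>:<import>"
    target: int                  # address control is diverted to
    attributed_to: str           # module path the scanner names after "by"
    decoded_matches: Optional[bool] = None  # inline only: our E9 decode == scanner's target
    target_module: Optional[str] = None     # listed module whose image covers the target


MODULE_RE = re.compile(r"^Information about (.+?)(?:!.*)?:$")
BASE_RE = re.compile(r"^Base address:\s+([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^Size:\s+([0-9A-Fa-f]+)$")
IAT_RE = re.compile(r"^(\S+?)\s*:(\w+)\s+--\[HOOKED\]--\s+@([0-9A-Fa-f]+) by (.+)$")
PATCH_RE = re.compile(r"^The code of (\w+) at ([0-9A-Fa-f]+) \(\d+\) got patched")
REPORTED_RE = re.compile(r"^--> JMP DWORD PTR DS:\[([0-9A-Fa-f]+)\]$")
NEWCODE_RE = re.compile(r"^([0-9A-Fa-f]{8}): ([0-9A-Fa-f]{2}) ([0-9A-Fa-f]{8})\s+JMP [0-9A-Fa-f]+$")
PATCHED_BY_RE = re.compile(r"^Patched by (.+?)(?:!.*)?$")


def decode_rel32_jmp(insn_addr: int, insn_hex: str) -> int:
    """E9 rel32 is a direct near jump: target = next-instruction address + sign-extended
    displacement, wrapped to 32 bits (the scanner's "JMP DWORD PTR DS:[..]" is just its print form)."""
    raw = bytes.fromhex(insn_hex)
    if len(raw) != 5 or raw[0] != 0xE9:
        raise ValueError(f"not a 5-byte E9 jump: {insn_hex}")
    (rel,) = struct.unpack("<i", raw[1:])
    return (insn_addr + 5 + rel) & 0xFFFFFFFF


def parse_log(text: str) -> Tuple[Dict[str, Tuple[int, int]], List[Hook]]:
    modules: Dict[str, Tuple[int, int]] = {}  # lower-cased path -> (base, size)
    hooks: List[Hook] = []
    mod_path, mod_base = None, None  # "Information about" block in progress
    cur: Optional[dict] = None       # inline patch record in progress
    in_new_code = False  # decode only under "Disassembly new code:", not the hooker's own jump-back
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if m := MODULE_RE.match(line):
            mod_path, mod_base = m.group(1), None
        elif mod_path and (m := BASE_RE.match(line)):
            mod_base = int(m.group(1), 16)
        elif mod_path and mod_base is not None and (m := SIZE_RE.match(line)):
            modules.setdefault(mod_path.lower(), (mod_base, int(m.group(1), 16)))
            mod_path = None
        elif m := IAT_RE.match(line):
            hooks.append(Hook("iat", f"{m.group(1)}:{m.group(2)}", int(m.group(3), 16), m.group(4)))
        elif m := PATCH_RE.match(line):
            cur, in_new_code = {"name": m.group(1)}, False
        elif cur is not None and (m := REPORTED_RE.match(line)):
            cur["reported"] = int(m.group(1), 16)
        elif cur is not None and line in ("Disassembly new code:", "Disassembly of hooker:"):
            in_new_code = line == "Disassembly new code:"
        elif cur is not None and in_new_code and (m := NEWCODE_RE.match(line)):
            cur["decoded"] = decode_rel32_jmp(int(m.group(1), 16), m.group(2) + m.group(3))
        elif cur is not None and (m := PATCHED_BY_RE.match(line)):
            hooks.append(Hook("inline", cur["name"], cur["reported"], m.group(1),
                              decoded_matches=cur.get("decoded") == cur["reported"]))
            cur = None
    return modules, hooks


def classify(modules: Dict[str, Tuple[int, int]], hooks: List[Hook]) -> List[Hook]:
    """Resolve each target against the listed module ranges; a target no listed image covers
    is not proof of malice by itself, but it is the thing to explain first."""
    for h in hooks:
        h.target_module = next((path for path, (base, size) in modules.items()
                                if base <= h.target < base + size), None)
    return hooks
```

Feed parse_log the full pasted text instead of SAMPLE_LOG, run classify on the result, and the hooks whose target_module is None are the ones whose backing memory to dump and look at next; a decoded_matches of False would mean the scanner's printed target and its printed bytes disagree, which has not happened anywhere in this log.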

                        Xerinous (Topic Starter, Beginner)
                        Re: Can't run programs or connect to internet
                        « Reply #85 on: August 08, 2010, 09:38:09 PM »

                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of CreateFileW at 7C810800 (0) got patched. Here is the diff:
                        Address   New-Original
                        7C810800: E9 - 8B 
                        7C810801: 0C - FF 
                        7C810802: F8 - 55 
                        7C810803: 99 - 8B 
                        7C810804: 83 - EC 
                        --> JMP DWORD PTR DS:[001B0011]
                        Disassembly old code:
                        7C810800: 8BFF         MOV EDI, EDI
                        7C810802: 55           PUSH EBP
                        7C810803: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C810800: E9 0CF89983  JMP 001B0011
                        Disassembly of hooker:
                        001B0011: 68 25B8E9C4  PUSH C4E9B825
                        001B0016: E8 A3DF757C  CALL 7C90DFBE
                        001B001B: 58           POP EAX
                        001B001C: C2 1C00      RET 001C
                        001B001F: C3           RET ; Pop IP
                        001B0020: 05 008BFF55  ADD EAX, 55FF8B00
                        001B0025: 8BEC         MOV EBP, ESP
                        001B0027: E9 D907667C  JMP 7C810805
                        001B002C: 68 25B8E9C4  PUSH C4E9B825
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of CreateNamedPipeA at 7C860CDC (0) got patched. Here is the diff:
                        Address   New-Original
                        7C860CDC: E9 - 8B 
                        7C860CDD: 4B - FF 
                        7C860CDE: F3 - 55 
                        7C860CDF: 94 - 8B 
                        7C860CE0: 83 - EC 
                        --> JMP DWORD PTR DS:[001B002C]
                        Disassembly old code:
                        7C860CDC: 8BFF         MOV EDI, EDI
                        7C860CDE: 55           PUSH EBP
                        7C860CDF: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C860CDC: E9 4BF39483  JMP 001B002C
                        Disassembly of hooker:
                        001B002C: 68 25B8E9C4  PUSH C4E9B825
                        001B0031: E8 88DF757C  CALL 7C90DFBE
                        001B0036: 58           POP EAX
                        001B0037: C2 2000      RET 0020
                        001B003A: C3           RET ; Pop IP
                        001B003B: 06           PUSH ES ; Push ES register to the stack
                        001B003C: 006825       ADD BYTE PTR DS:[EAX+25H],CH
                        001B003F: B8 E9C4E877  MOV EAX, 77E8C4E9
                        001B0044: DF757C       FBSTP TBYTE PTR SS:[EBP+7CH]
                        001B0047: 58           POP EAX
                        001B0048: C2 2000      RET 0020
                        001B004B: C3           RET ; Pop IP
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of CreateNamedPipeW at 7C82F0DD (0) got patched. Here is the diff:
                        Address   New-Original
                        7C82F0DD: E9 - 8B 
                        7C82F0DE: 5B - FF 
                        7C82F0DF: 0F - 55 
                        7C82F0E0: 98 - 8B 
                        7C82F0E1: 83 - EC 
                        --> JMP DWORD PTR DS:[001B003D]
                        Disassembly old code:
                        7C82F0DD: 8BFF         MOV EDI, EDI
                        7C82F0DF: 55           PUSH EBP
                        7C82F0E0: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C82F0DD: E9 5B0F9883  JMP 001B003D
                        Disassembly of hooker:
                        001B003D: 68 25B8E9C4  PUSH C4E9B825
                        001B0042: E8 77DF757C  CALL 7C90DFBE
                        001B0047: 58           POP EAX
                        001B0048: C2 2000      RET 0020
                        001B004B: C3           RET ; Pop IP
                        001B004C: 07           POP ES ; Pop top stack to ES
                        001B004D: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
                        001B0053: E9 281D657C  JMP 7C801D80
                        001B0058: 68 25B8E9C4  PUSH C4E9B825
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of CreatePipe at 7C81D83F (0) got patched. Here is the diff:
                        Address   New-Original
                        7C81D83F: E9 - 8B 
                        7C81D840: 41 - FF 
                        7C81D841: 37 - 55 
                        7C81D842: 99 - 8B 
                        7C81D843: 83 - EC 
                        --> JMP DWORD PTR DS:[001B0F85]
                        Disassembly old code:
                        7C81D83F: 8BFF         MOV EDI, EDI
                        7C81D841: 55           PUSH EBP
                        7C81D842: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C81D83F: E9 41379983  JMP 001B0F85
                        Disassembly of hooker:
                        001B0F85: 68 25B8E9C4  PUSH C4E9B825
                        001B0F8A: E8 2FD0757C  CALL 7C90DFBE
                        001B0F8F: 58           POP EAX
                        001B0F90: C2 1000      RET 0010
                        001B0F93: C3           RET ; Pop IP
                        001B0F94: 0E           PUSH CS ; Push CS register to the stack
                        001B0F95: 008B FF558BEC ADD BYTE PTR DS:[EBX+EC8B55FF],CL
                        001B0F9B: E9 C60A657C  JMP 7C801A66
                        001B0FA0: 68 25B8E9C4  PUSH C4E9B825
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of CreateProcessA at 7C80236B (0) got patched. Here is the diff:
                        Address   New-Original
                        7C80236B: E9 - 8B 
                        7C80236C: FA - FF 
                        7C80236D: EB - 55 
                        7C80236E: 9A - 8B 
                        7C80236F: 83 - EC 
                        --> JMP DWORD PTR DS:[001B0F6A]
                        Disassembly old code:
                        7C80236B: 8BFF         MOV EDI, EDI
                        7C80236D: 55           PUSH EBP
                        7C80236E: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C80236B: E9 FAEB9A83  JMP 001B0F6A
                        Disassembly of hooker:
                        001B0F6A: 68 25B8E9C4  PUSH C4E9B825
                        001B0F6F: E8 4AD0757C  CALL 7C90DFBE
                        001B0F74: 58           POP EAX
                        001B0F75: C2 2800      RET 0028
                        001B0F78: C3           RET ; Pop IP
                        001B0F79: 1200         ADC AL,BYTE PTR DS:[EAX]
                        001B0F7B: 8BFF         MOV EDI, EDI
                        001B0F7D: 55           PUSH EBP
                        001B0F7E: 8BEC         MOV EBP, ESP
                        001B0F80: E9 8D156B7C  JMP 7C862512
                        001B0F85: 68 25B8E9C4  PUSH C4E9B825
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of CreateProcessW at 7C802336 (0) got patched. Here is the diff:
                        Address   New-Original
                        7C802336: E9 - 8B 
                        7C802337: C8 - FF 
                        7C802338: DD - 55 
                        7C802339: 9A - 8B 
                        7C80233A: 83 - EC 
                        --> JMP DWORD PTR DS:[001B0103]
                        Disassembly old code:
                        7C802336: 8BFF         MOV EDI, EDI
                        7C802338: 55           PUSH EBP
                        7C802339: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C802336: E9 C8DD9A83  JMP 001B0103
                        Disassembly of hooker:
                        001B0103: 68 25B8E9C4  PUSH C4E9B825
                        001B0108: E8 B1DE757C  CALL 7C90DFBE
                        001B010D: 58           POP EAX
                        001B010E: C2 2800      RET 0028
                        001B0111: C3           RET ; Pop IP
                        001B0112: 1300         ADC EAX,DWORD PTR DS:[EAX]
                        001B0114: 8BFF         MOV EDI, EDI
                        001B0116: 55           PUSH EBP
                        001B0117: 8BEC         MOV EBP, ESP
                        001B0119: E9 1D22657C  JMP 7C80233B
                        001B011E: 0000         ADD BYTE PTR DS:[EAX],AL
                        001B0120: 0000         ADD BYTE PTR DS:[EAX],AL
                        001B0122: 0000         ADD BYTE PTR DS:[EAX],AL
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of GetProcAddress at 7C80AE40 (0) got patched. Here is the diff:
                        Address   New-Original
                        7C80AE40: E9 - 8B 
                        7C80AE41: 0A - FF 
                        7C80AE42: 61 - 55 
                        7C80AE43: 9A - 8B 
                        7C80AE44: 83 - EC 
                        --> JMP DWORD PTR DS:[001B0F4F]
                        Disassembly old code:
                        7C80AE40: 8BFF         MOV EDI, EDI
                        7C80AE42: 55           PUSH EBP
                        7C80AE43: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C80AE40: E9 0A619A83  JMP 001B0F4F
                        Disassembly of hooker:
                        001B0F4F: 68 25B8E9C4  PUSH C4E9B825
                        001B0F54: E8 65D0757C  CALL 7C90DFBE
                        001B0F59: 58           POP EAX
                        001B0F5A: C2 0800      RET 0008
                        001B0F5D: C3           RET ; Pop IP
                        001B0F5E: 1400         ADC AL, 00
                        001B0F60: 8BFF         MOV EDI, EDI
                        001B0F62: 55           PUSH EBP
                        001B0F63: 8BEC         MOV EBP, ESP
                        001B0F65: E9 DB9E657C  JMP 7C80AE45
                        001B0F6A: 68 25B8E9C4  PUSH C4E9B825
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of GetStartupInfoA at 7C801EF2 (0) got patched. Here is the diff:
                        Address   New-Original
                        7C801EF2: E9 - 6A 
                        7C801EF3: B9 - 18 
                        7C801EF4: E1 - 68 
                        --> JMP DWORD PTR DS:[001B00B0]
                        Disassembly old code:
                        7C801EF2: 6A18         PUSH 18

                        Disassembly new code:
                        7C801EF2: E9 B9E19A83  JMP 001B00B0
                        Disassembly of hooker:
                        001B00B0: 68 25B8E9C4  PUSH C4E9B825
                        001B00B5: E8 04DF757C  CALL 7C90DFBE
                        001B00BA: 58           POP EAX
                        001B00BB: C2 0400      RET 0004
                        001B00BE: C3           RET ; Pop IP
                        001B00BF: 0F006A18     VERW WORD PTR DS:[EDX+18]
                        001B00C3: 68 C82F817C  PUSH 7C812FC8
                        001B00C8: E9 2C1E657C  JMP 7C801EF9
                        001B00CD: 68 25B8E9C4  PUSH C4E9B825
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                        Base address:   7C900000
                        Size:      000B2000
                        Flags:      80084004
                        Load count:   65535
                        Name:      Microsoft® Windows® Operating System
                        Prod. Version:   5.1.2600.5755
                        Company:   Microsoft Corporation
                        File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                        Description:   NT Layer DLL
                        Location:   C:\WINDOWS\system32\ntdll.dll
                        Signed:      > NO! <
                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of GetStartupInfoW at 7C801E54 (0) got patched. Here is the diff:
                        Address   New-Original
                        7C801E54: E9 - 8B 
                        7C801E55: 74 - FF 
                        7C801E56: E2 - 55 
                        7C801E57: 9A - 8B 
                        7C801E58: 83 - EC 
                        --> JMP DWORD PTR DS:[001B00CD]
                        Disassembly old code:
                        7C801E54: 8BFF         MOV EDI, EDI
                        7C801E56: 55           PUSH EBP
                        7C801E57: 8BEC         MOV EBP, ESP

                        Disassembly new code:
                        7C801E54: E9 74E29A83  JMP 001B00CD
                        Disassembly of hooker:
                        001B00CD: 68 25B8E9C4  PUSH C4E9B825
                        001B00D2: E8 E7DE757C  CALL 7C90DFBE
                        001B00D7: 58           POP EAX
                        001B00D8: C2 0400      RET 0004
                        001B00DB: C3           RET ; Pop IP
                        001B00DC: 1000         ADC BYTE PTR DS:[EAX],AL
                        001B00DE: 8BFF         MOV EDI, EDI
                        001B00E0: 55           PUSH EBP
                        001B00E1: 8BEC         MOV EBP, ESP
                        001B00E3: E9 711D657C  JMP 7C801E59
                        001B00E8: 68 25B8E9C4  PUSH C4E9B825
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of LoadLibraryA at 7C801D7B (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of LoadLibraryExA at 7C801D53 (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of LoadLibraryExW at 7C801AF5 (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of LoadLibraryW at 7C80AEEB (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of VirtualProtect at 7C801AD4 (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of VirtualProtectEx at 7C801A61 (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        The code of WinExec at 7C86250D (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        ADVAPI32.dll        (77DD0000 - 77E6B000)
                        The code of RegCreateKeyA at 77DFBCF3 (0) got patched. Here is the diff:
                        Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                        :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

                        Xerinous

                          Topic Starter


                          Beginner

                          Re: Can't run programs or connect to internet
                          « Reply #86 on: August 08, 2010, 09:38:57 PM »

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of RegCreateKeyExA at 77DDE9F4 (0) got patched. Here is the diff:
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of RegCreateKeyExW at 77DD776C (0) got patched. Here is the diff:
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of RegCreateKeyW at 77DFBA55 (0) got patched. Here is the diff:
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of RegOpenKeyA at 77DDEFC8 (0) got patched. Here is the diff:
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of RegOpenKeyExA at 77DD7852 (0) got patched. Here is the diff:
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of RegOpenKeyExW at 77DD6AAF (0) got patched. Here is the diff:
                          Address   New-Original
                          77DD6AAF: E9 - 8B 
                          77DD6AB0: 20 - FF 
                          77DD6AB1: A5 - 55 
                          77DD6AB2: 4C - 8B 
                          77DD6AB3: 88 - EC 
                          --> JMP DWORD PTR DS:[002A0FD4]
                          Disassembly old code:
                          77DD6AAF: 8BFF         MOV EDI, EDI
                          77DD6AB1: 55           PUSH EBP
                          77DD6AB2: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          77DD6AAF: E9 20A54C88  JMP 002A0FD4
                          Disassembly of hooker:
                          002A0FD4: 68 25B8E9C4  PUSH C4E9B825
                          002A0FD9: E8 E0CF667C  CALL 7C90DFBE
                          002A0FDE: 58           POP EAX
                          002A0FDF: C2 1400      RET 0014
                          002A0FE2: C3           RET ; Pop IP
                          002A0FE3: 1800         SBB BYTE PTR DS:[EAX],AL
                          002A0FE5: 8BFF         MOV EDI, EDI
                          002A0FE7: 55           PUSH EBP
                          002A0FE8: 8BEC         MOV EBP, ESP
                          002A0FEA: E9 DEDFB377  JMP 77DDEFCD
                          002A0FEF: 68 25B8E9C4  PUSH C4E9B825
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of RegOpenKeyW at 77DD7946 (0) got patched. Here is the diff:
                          Address   New-Original
                          77DD7946: E9 - 8B 
                          77DD7947: BF - FF 
                          77DD7948: 86 - 55 
                          77DD7949: 4C - 8B 
                          77DD794A: 88 - EC 
                          --> JMP DWORD PTR DS:[002A000A]
                          Disassembly old code:
                          77DD7946: 8BFF         MOV EDI, EDI
                          77DD7948: 55           PUSH EBP
                          77DD7949: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          77DD7946: E9 BF864C88  JMP 002A000A
                          Disassembly of hooker:
                          002A000A: 68 25B8E9C4  PUSH C4E9B825
                          002A000F: E8 AADF667C  CALL 7C90DFBE
                          002A0014: 58           POP EAX
                          002A0015: C2 0C00      RET 000C
                          002A0018: C3           RET ; Pop IP
                          002A0019: 16           PUSH SS ; Push SS register to the stack
                          002A001A: 006825       ADD BYTE PTR DS:[EAX+25H],CH
                          002A001D: B8 E9C4E899  MOV EAX, 99E8C4E9
                          002A0022: DF667C       FBLD TBYTE PTR DS:[ESI+7CH]
                          002A0025: 58           POP EAX
                          002A0026: C2 1400      RET 0014
                          002A0029: C3           RET ; Pop IP
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          RPCRT4.dll          (77E70000 - 77F02000)
                          Secur32.dll         (77FE0000 - 77FF1000)
                          BROWSEUI.dll        (75F80000 - 7607D000)
                          GDI32.dll           (77F10000 - 77F59000)
                          USER32.dll          (7E410000 - 7E4A1000)
                          msvcrt.dll          (77C10000 - 77C68000)
                          The code of _creat at 77C2D40F (0) got patched. Here is the diff:
                          Address   New-Original
                          77C2D40F: E9 - 8B 
                          77C2D410: CF - FF 
                          77C2D411: 3B - 55 
                          77C2D412: 68 - 8B 
                          77C2D413: 88 - EC 
                          --> JMP DWORD PTR DS:[002B0FE3]
                          Disassembly old code:
                          77C2D40F: 8BFF         MOV EDI, EDI
                          77C2D411: 55           PUSH EBP
                          77C2D412: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          77C2D40F: E9 CF3B6888  JMP 002B0FE3
                          Disassembly of hooker:
                          002B0FE3: 68 25B8E9C4  PUSH C4E9B825
                          002B0FE8: E8 D1CF657C  CALL 7C90DFBE
                          002B0FED: 58           POP EAX
                          002B0FEE: C2 0000      RET 0000
                          002B0FF1: C3           RET ; Pop IP
                          002B0FF2: 1F           POP DS ; Pop top stack to DS
                          002B0FF3: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B0FF5: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B0FF7: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B0FF9: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B0FFB: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B0FFD: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B0FFF: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B1001: 0000         ADD BYTE PTR DS:[EAX],AL
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of _open at 77C2F566 (0) got patched. Here is the diff:
                          Address   New-Original
                          77C2F566: E9 - 6A 
                          77C2F567: A1 - 14 
                          77C2F568: 0A - 68 
                          --> JMP DWORD PTR DS:[002B000C]
                          Disassembly old code:
                          77C2F566: 6A14         PUSH 14

                          Disassembly new code:
                          77C2F566: E9 A10A6888  JMP 002B000C
                          Disassembly of hooker:
                          002B000C: 68 25B8E9C4  PUSH C4E9B825
                          002B0011: E8 A8DF657C  CALL 7C90DFBE
                          002B0016: 58           POP EAX
                          002B0017: C2 0000      RET 0000
                          002B001A: C3           RET ; Pop IP
                          002B001B: 1D 006825B8  SBB EAX, B8256800
                          002B0020: E9 C4E897DF  JMP DFC2E8E9
                          002B0025: 65:7C58      JL 002B0080
                          002B0028: C2 0000      RET 0000
                          002B002B: C3           RET ; Pop IP
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of _wcreat at 77C2FC9B (0) got patched. Here is the diff:
                          Address   New-Original
                          77C2FC9B: E9 - 8B 
                          77C2FC9C: 1E - FF 
                          77C2FC9D: 13 - 55 
                          77C2FC9E: 68 - 8B 
                          77C2FC9F: 88 - EC 
                          --> JMP DWORD PTR DS:[002B0FBE]
                          Disassembly old code:
                          77C2FC9B: 8BFF         MOV EDI, EDI
                          77C2FC9D: 55           PUSH EBP
                          77C2FC9E: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          77C2FC9B: E9 1E136888  JMP 002B0FBE
                          Disassembly of hooker:
                          002B0FBE: 68 25B8E9C4  PUSH C4E9B825
                          002B0FC3: E8 F6CF657C  CALL 7C90DFBE
                          002B0FC8: 58           POP EAX
                          002B0FC9: C2 0000      RET 0000
                          002B0FCC: C3           RET ; Pop IP
                          002B0FCD: 2000         AND BYTE PTR DS:[EAX],AL
                          002B0FCF: 8BFF         MOV EDI, EDI
                          002B0FD1: 55           PUSH EBP
                          002B0FD2: 8BEC         MOV EBP, ESP
                          002B0FD4: E9 C7EC9777  JMP 77C2FCA0
                          002B0FD9: 8BFF         MOV EDI, EDI
                          002B0FDB: 55           PUSH EBP
                          002B0FDC: 8BEC         MOV EBP, ESP
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of _wopen at 77C30055 (0) got patched. Here is the diff:
                          Address   New-Original
                          77C30055: E9 - 6A 
                          77C30056: C3 - 14 
                          77C30057: FF - 68 
                          --> JMP DWORD PTR DS:[002B001D]
                          Disassembly old code:
                          77C30055: 6A14         PUSH 14

                          Disassembly new code:
                          77C30055: E9 C3FF6788  JMP 002B001D
                          Disassembly of hooker:
                          002B001D: 68 25B8E9C4  PUSH C4E9B825
                          002B0022: E8 97DF657C  CALL 7C90DFBE
                          002B0027: 58           POP EAX
                          002B0028: C2 0000      RET 0000
                          002B002B: C3           RET ; Pop IP
                          002B002C: 1E           PUSH DS ; Push DS register to the stack
                          002B002D: 006825       ADD BYTE PTR DS:[EAX+25H],CH
                          002B0030: B8 E9C4E886  MOV EAX, 86E8C4E9
                          002B0035: DF657C       FBLD TBYTE PTR SS:[EBP+7CH]
                          002B0038: 58           POP EAX
                          002B0039: C2 0000      RET 0000
                          002B003C: C3           RET ; Pop IP
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of _wsystem at 77C2931E (0) got patched. Here is the diff:
                          Address   New-Original
                          77C2931E: E9 - 8B 
                          77C2931F: 0B - FF 
                          77C29320: 6D - 55 
                          77C29321: 68 - 8B 
                          77C29322: 88 - EC 
                          --> JMP DWORD PTR DS:[002B002E]
                          Disassembly old code:
                          77C2931E: 8BFF         MOV EDI, EDI
                          77C29320: 55           PUSH EBP
                          77C29321: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          77C2931E: E9 0B6D6888  JMP 002B002E
                          Disassembly of hooker:
                          002B002E: 68 25B8E9C4  PUSH C4E9B825
                          002B0033: E8 86DF657C  CALL 7C90DFBE
                          002B0038: 58           POP EAX
                          002B0039: C2 0000      RET 0000
                          002B003C: C3           RET ; Pop IP
                          002B003D: 2200         AND AL,BYTE PTR DS:[EAX]
                          002B003F: 8BFF         MOV EDI, EDI
                          002B0041: 55           PUSH EBP
                          002B0042: 8BEC         MOV EBP, ESP
                          002B0044: E9 DA929777  JMP 77C29323
                          002B0049: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B004B: 0000         ADD BYTE PTR DS:[EAX],AL
                          002B004D: 0000         ADD BYTE PTR DS:[EAX],AL
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of system at 77C293C7 (0) got patched. Here is the diff:
                          Address   New-Original
                          77C293C7: E9 - 8B 
                          77C293C8: E1 - FF 
                          77C293C9: 7B - 55 
                          77C293CA: 68 - 8B 
                          77C293CB: 88 - EC 
                          --> JMP DWORD PTR DS:[002B0FAD]
                          Disassembly old code:
                          77C293C7: 8BFF         MOV EDI, EDI
                          77C293C9: 55           PUSH EBP
                          77C293CA: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          77C293C7: E9 E17B6888  JMP 002B0FAD
                          Disassembly of hooker:
                          002B0FAD: 68 25B8E9C4  PUSH C4E9B825
                          002B0FB2: E8 07D0657C  CALL 7C90DFBE
                          002B0FB7: 58           POP EAX
                          002B0FB8: C2 0000      RET 0000
                          002B0FBB: C3           RET ; Pop IP
                          002B0FBC: 2100         AND DWORD PTR DS:[EAX],EAX
                          002B0FBE: 68 25B8E9C4  PUSH C4E9B825
                          002B0FC3: E8 F6CF657C  CALL 7C90DFBE
                          002B0FC8: 58           POP EAX
                          002B0FC9: C2 0000      RET 0000
                          002B0FCC: C3           RET ; Pop IP
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          ole32.dll           (774E0000 - 7761D000)
                          SHLWAPI.dll         (77F60000 - 77FD6000)
                          OLEAUT32.dll        (77120000 - 771AB000)
                          SHDOCVW.dll         (7E290000 - 7E401000)
                          CRYPT32.dll         (77A80000 - 77B15000)
                          MSASN1.dll          (77B20000 - 77B32000)
                          CRYPTUI.dll         (754D0000 - 75550000)
                          NETAPI32.dll        (5B860000 - 5B8B5000)
                          VERSION.dll         (77C00000 - 77C08000)
                          WININET.dll         (3D930000 - 3DA01000)
                          The code of InternetOpenA at 3D953081 (0) got patched. Here is the diff:
                          Address   New-Original
                          3D953081: E9 - 8B 
                          3D953082: 84 - FF 
                          3D953083: CF - 55 
                          3D953084: 97 - 8B 
                          3D953085: C2 - EC 
                          --> JMP DWORD PTR DS:[002D000A]
                          Disassembly old code:
                          3D953081: 8BFF         MOV EDI, EDI
                          3D953083: 55           PUSH EBP
                          3D953084: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          3D953081: E9 84CF97C2  JMP 002D000A
                          Disassembly of hooker:
                          002D000A: 68 25B8E9C4  PUSH C4E9B825
                          002D000F: E8 AADF637C  CALL 7C90DFBE
                          002D0014: 58           POP EAX
                          002D0015: C2 1400      RET 0014
                          002D0018: C3           RET ; Pop IP
                          002D0019: 2300         AND EAX,DWORD PTR DS:[EAX]
                          002D001B: 8BFF         MOV EDI, EDI
                          002D001D: 55           PUSH EBP
                          002D001E: 8BEC         MOV EBP, ESP
                          002D0020: E9 3A6F683D  JMP 3D956F5F
                          002D0025: 8BFF         MOV EDI, EDI
                          002D0027: 55           PUSH EBP
                          002D0028: 8BEC         MOV EBP, ESP
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of InternetOpenUrlA at 3D956F5A (0) got patched. Here is the diff:
                          Address   New-Original
                          3D956F5A: E9 - 8B 
                          3D956F5B: 75 - FF 
                          3D956F5C: A0 - 55 
                          3D956F5D: 97 - 8B 
                          3D956F5E: C2 - EC 
                          --> JMP DWORD PTR DS:[002D0FD4]
                          Disassembly old code:
                          3D956F5A: 8BFF         MOV EDI, EDI
                          3D956F5C: 55           PUSH EBP
                          3D956F5D: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          3D956F5A: E9 75A097C2  JMP 002D0FD4
                          Disassembly of hooker:
                          002D0FD4: 68 25B8E9C4  PUSH C4E9B825
                          002D0FD9: E8 E0CF637C  CALL 7C90DFBE
                          002D0FDE: 58           POP EAX
                          002D0FDF: C2 1800      RET 0018
                          002D0FE2: C3           RET ; Pop IP
                          002D0FE3: 25 008BFF55  AND EAX, 55FF8B00
                          002D0FE8: 8BEC         MOV EBP, ESP
                          002D0FEA: E9 C726683D  JMP 3D9536B6
                          002D0FEF: 68 25B8E9C4  PUSH C4E9B825
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of InternetOpenUrlW at 3D998439 (0) got patched. Here is the diff:
                          Address   New-Original
                          3D998439: E9 - 8B 
                          3D99843A: 85 - FF 
                          3D99843B: 8B - 55 
                          3D99843C: 93 - 8B 
                          3D99843D: C2 - EC 
                          --> JMP DWORD PTR DS:[002D0FC3]
                          Disassembly old code:
                          3D998439: 8BFF         MOV EDI, EDI
                          3D99843B: 55           PUSH EBP
                          3D99843C: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          3D998439: E9 858B93C2  JMP 002D0FC3
                          Disassembly of hooker:
                          002D0FC3: 68 25B8E9C4  PUSH C4E9B825
                          002D0FC8: E8 F1CF637C  CALL 7C90DFBE
                          002D0FCD: 58           POP EAX
                          002D0FCE: C2 1800      RET 0018
                          002D0FD1: C3           RET ; Pop IP
                          002D0FD2: 26:006825    ADD BYTE PTR ES:[EAX+25H],CH
                          002D0FD6: B8 E9C4E8E0  MOV EAX, E0E8C4E9
                          002D0FDB: CF           IRETD
                          002D0FDC: 637C58C2     ARPL DWORD PTR DS:[EBX*2+EAX-3EH],EDI
                          002D0FE0: 1800         SBB BYTE PTR DS:[EAX],AL
                          002D0FE2: C3           RET ; Pop IP
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          The code of InternetOpenW at 3D9536B1 (0) got patched. Here is the diff:
                          Address   New-Original
                          3D9536B1: E9 - 8B 
                          3D9536B2: 39 - FF 
                          3D9536B3: D9 - 55 
                          3D9536B4: 97 - 8B 
                          3D9536B5: C2 - EC 
                          --> JMP DWORD PTR DS:[002D0FEF]
                          Disassembly old code:
                          3D9536B1: 8BFF         MOV EDI, EDI
                          3D9536B3: 55           PUSH EBP
                          3D9536B4: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          3D9536B1: E9 39D997C2  JMP 002D0FEF
                          Disassembly of hooker:
                          002D0FEF: 68 25B8E9C4  PUSH C4E9B825
                          002D0FF4: E8 C5CF637C  CALL 7C90DFBE
                          002D0FF9: 58           POP EAX
                          002D0FFA: C2 1400      RET 0014
                          002D0FFD: C3           RET ; Pop IP
                          002D0FFE: 2400         AND AL, 00
                          002D1000: 0000         ADD BYTE PTR DS:[EAX],AL
                          002D1002: 0000         ADD BYTE PTR DS:[EAX],AL
                          002D1004: 0000         ADD BYTE PTR DS:[EAX],AL
                          002D1006: 0000         ADD BYTE PTR DS:[EAX],AL
                          002D1008: 0000         ADD BYTE PTR DS:[EAX],AL
                          002D100A: 0000         ADD BYTE PTR DS:[EAX],AL
                          002D100C: 0000         ADD BYTE PTR DS:[EAX],AL
                          002D100E: 0000         ADD BYTE PTR DS:[EAX],AL
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                          Base address:   7C900000
                          Size:      000B2000
                          Flags:      80084004
                          Load count:   65535
                          Name:      Microsoft® Windows® Operating System
                          Prod. Version:   5.1.2600.5755
                          Company:   Microsoft Corporation
                          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                          Description:   NT Layer DLL
                          Location:   C:\WINDOWS\system32\ntdll.dll
                          Signed:      > NO! <
                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          Normaliz.dll        (00400000 - 00409000)
                          iertutil.dll        (3DFD0000 - 3E015000)
                          WINTRUST.dll        (76C30000 - 76C5E000)
                          IMAGEHLP.dll        (76C90000 - 76CB8000)
                          WLDAP32.dll         (76F60000 - 76F8C000)
                          SHELL32.dll         (7C9C0000 - 7D1D7000)
                          UxTheme.dll         (5AD70000 - 5ADA8000)
                          ShimEng.dll         (5CB70000 - 5CB96000)
                          AcGenral.DLL        (6F880000 - 6FA4A000)
                          WINMM.dll           (76B40000 - 76B6D000)
                          MSACM32.dll         (77BE0000 - 77BF5000)
                          USERENV.dll         (769C0000 - 76A74000)
                          IMM32.DLL           (76390000 - 763AD000)
                          comctl32.dll        (773D0000 - 774D3000)
                          comctl32.dll        (5D090000 - 5D12A000)
                          msctfime.ime        (755C0000 - 755EE000)
                          appHelp.dll         (77B40000 - 77B62000)
                          CLBCATQ.DLL         (76FD0000 - 7704F000)
                          COMRes.dll          (77050000 - 77115000)
                          AcSignIcon.dll      (62830000 - 62856000)
                          WINSPOOL.DRV        (73000000 - 73026000)
                          OLEACC.dll          (74C80000 - 74CAC000)
                          MSVCP60.dll         (76080000 - 760E5000)
                          cscui.dll           (77A20000 - 77A74000)
                          CSCDLL.dll          (76600000 - 7661D000)
                          themeui.dll         (5BA60000 - 5BAD1000)
                          MSIMG32.dll         (76380000 - 76385000)
                          msutb.dll           (5FC10000 - 5FC43000)
                          MSCTF.dll           (74720000 - 7476C000)
                          SAMLIB.dll          (71BF0000 - 71C03000)
                          AcSignCore16.dll    (628E0000 - 62919000)
                          WS2_32.dll          (71AB0000 - 71AC7000)
                          The code of socket at 71AB4211 (0) got patched. Here is the diff:
                          Address   New-Original
                          71AB4211: E9 - 8B 
                          71AB4212: EA - FF 
                          71AB4213: BD - 55 
                          71AB4214: 87 - 8B 
                          71AB4215: 8F - EC 
                          --> JMP DWORD PTR DS:[01330000]
                          Disassembly old code:
                          71AB4211: 8BFF         MOV EDI, EDI
                          71AB4213: 55           PUSH EBP
                          71AB4214: 8BEC         MOV EBP, ESP

                          Disassembly new code:
                          71AB4211: E9 EABD878F  JMP 01330000
                          Disassembly of hooker:
                          01330000: 68 25B8E9C4  PUSH C4E9B825
                          01330005: E8 B4DF5D7B  CALL 7C90DFBE
                          0133000A: 58           POP EAX
                          0133000B: C2 0C00      RET 000C
                          0133000E: C3           RET ; Pop IP
                          0133000F: 27           DAA
                          01330010: 0000         ADD BYTE PTR DS:[EAX],AL
                          01330012: 0000         ADD BYTE PTR DS:[EAX],AL
                          01330014: 0000         ADD BYTE PTR DS:[EAX],AL
                          01330016: 0000         ADD BYTE PTR DS:[EAX],AL
                          01330018: 0000         ADD BYTE PTR DS:[EAX],AL
                          0133001A: 0000         ADD BYTE PTR DS:[EAX],AL
                          0133001C: 0000         ADD BYTE PTR DS:[EAX],AL
                          0133001E: 0000         ADD BYTE PTR DS:[EAX],AL
                          Patched by C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0

                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          Information about C:\WINDOWS\system32\ntdll.dll!NtYieldExecution+0x0:
                          Base address:   7C900000
                          Size:      000B2000
                          Flags:      80084004
                          Load count:   65535
                          Name:      Microsoft® Windows® Operating System
                          Prod. Version:   5.1.2600.5755
                          Company:   Microsoft Corporation
                          File Version:   5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
                          Description:   NT Layer DLL
                          Location:   C:\WINDOWS\system32\ntdll.dll
                          Signed:      > NO! <
                          :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                          WS2HELP.dll         (71AA0000 - 71AA8000)
                          LINKINFO.dll        (76980000 - 76988000)
                          ntshrui.dll         (76990000 - 769B5000)
                          ATL.DLL             (76B20000 - 76B31000)
                          SETUPAPI.dll        (77920000 - 77A13000)
                          ieframe.dll         (3E1C0000 - 3E78D000)
                          PSAPI.DLL           (76BF0000 - 76BFB000)
                          WINSTA.dll          (76360000 - 76370000)
                          webcheck.dll        (42E40000 - 42E7C000)
                          MpShHook.dll        (5F800000 - 5F815000)
                          MSVCR80.dll         (78130000 - 781CB000)
                          MSVCP80.dll         (7C420000 - 7C4A7000)
                          NETSHELL.dll        (76400000 - 765A5000)
                          credui.dll          (76C00000 - 76C2E000)
                          dot3api.dll         (478C0000 - 478CA000)
                          rtutils.dll         (76E80000 - 76E8E000)
                          dot3dlg.dll         (736D0000 - 736D6000)
                          OneX.DLL            (5DCA0000 - 5DCC8000)
                          WTSAPI32.dll        (76F50000 - 76F58000)
                          eappcfg.dll         (745B0000 - 745D2000)
                          eappprxy.dll        (5DCD0000 - 5DCDE000)
                          iphlpapi.dll        (76D60000 - 76D79000)
                          msi.dll             (7D1E0000 - 7D49C000)
                          stobject.dll        (76280000 - 762A1000)
                          BatMeter.dll        (74AF0000 - 74AFA000)
                          POWRPROF.dll        (74AD0000 - 74AD8000)
                          WPDShServiceObj.dll (164A0000 - 164C3000)
                          WINHTTP.dll         (4D4F0000 - 4D549000)
                          rsaenh.dll          (68000000 - 68036000)
                          urlmon.dll          (01E80000 - 01FA8000)
                          mydocs.dll          (72410000 - 7242A000)
                          PortableDeviceTypes.dll(109C0000 - 109EC000)
                          PortableDeviceApi.dll(10930000 - 10979000)
                          MLANG.dll           (75CF0000 - 75D81000)
                          fxsst.dll           (68DF0000 - 68E7D000)
                          FXSAPI.dll          (5A980000 - 5A9F2000)
                          NTMARTA.DLL         (77690000 - 776B1000)
                          MPR.dll             (71B20000 - 71B32000)
                          AdobeDriveCS4_NP.dll(10000000 - 10013000)
                          drprov.dll          (75F60000 - 75F67000)
                          ntlanman.dll        (71C10000 - 71C1E000)
                          NETUI0.dll          (71CD0000 - 71CE7000)
                          NETUI1.dll          (71C90000 - 71CD0000)
                          NETRAP.dll          (71C80000 - 71C87000)
                          davclnt.dll         (75F70000 - 75F7A000)
                          xpsp2res.dll        (029D0000 - 02C95000)
                          PDFShell.dll        (01580000 - 015DB000)

                          PID 916   - C:\WINDOWS\CTHELPER.EXE
                          -------------------------------------------------------------------------------
                          ntdll.dll           (7C900000 - 7C9B2000)
                          kernel32.dll        (7C800000 - 7C8F6000)
                          MFC42.DLL           (73DD0000 - 73ECE000)
                          msvcrt.dll          (77C10000 - 77C68000)
                          GDI32.dll           (77F10000 - 77F59000)
                          USER32.dll          (7E410000 - 7E4A1000)
                          ADVAPI32.dll        (77DD0000 - 77E6B000)
                          RPCRT4.dll          (77E70000 - 77F02000)
                          Secur32.dll         (77FE0000 - 77FF1000)
                          ole32.dll           (774E0000 - 7761D000)
                          SETUPAPI.dll        (77920000 - 77A13000)
                          IMM32.DLL           (76390000 - 763AD000)
                          COMCTL32.DLL        (5D090000 - 5D12A000)
                          msctfime.ime        (755C0000 - 755EE000)
                          WINTRUST.dll        (76C30000 - 76C5E000)
                          CRYPT32.dll         (77A80000 - 77B15000)
                          MSASN1.dll          (77B20000 - 77B32000)
                          IMAGEHLP.dll        (76C90000 - 76CB8000)
                          CLBCATQ.DLL         (76FD0000 - 7704F000)
                          COMRes.dll          (77050000 - 77115000)
                          OLEAUT32.dll        (77120000 - 771AB000)
                          VERSION.dll         (77C00000 - 77C08000)

                          PID 944   - C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

                          Xerinous

                            Topic Starter


                            Beginner

                            Re: Can't run programs or connect to internet
                            « Reply #87 on: August 08, 2010, 09:39:35 PM »

                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            IntelMPM.dll        (10000000 - 10020000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            WINSPOOL.DRV        (73000000 - 73026000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            COMCTL32.dll        (5D090000 - 5D12A000)
                            comdlg32.dll        (763B0000 - 763F9000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            oledlg.dll          (7DF70000 - 7DF92000)
                            ole32.dll           (774E0000 - 7761D000)
                            OLEPRO32.DLL        (5EDD0000 - 5EDE7000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            msctfime.ime        (755C0000 - 755EE000)

                            PID 956   - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            MFC42.DLL           (73DD0000 - 73ECE000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            ole32.dll           (774E0000 - 7761D000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            comctl32.dll        (5D090000 - 5D12A000)
                            msctfime.ime        (755C0000 - 755EE000)

                            PID 964   - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            MFC42.DLL           (73DD0000 - 73ECE000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            ole32.dll           (774E0000 - 7761D000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            comctl32.dll        (5D090000 - 5D12A000)
                            CLBCATQ.DLL         (76FD0000 - 7704F000)
                            COMRes.dll          (77050000 - 77115000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            VERSION.dll         (77C00000 - 77C08000)
                            CTAudNav.dll        (10000000 - 1002E000)
                            msctfime.ime        (755C0000 - 755EE000)

                            PID 976   - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            WINMM.dll           (76B40000 - 76B6D000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            CTAudSel.dll        (10000000 - 10011000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            ole32.dll           (774E0000 - 7761D000)
                            MFC42.DLL           (73DD0000 - 73ECE000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            VERSION.dll         (77C00000 - 77C08000)
                            MSVCP60.dll         (76080000 - 760E5000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            VolPanel.crl        (61000000 - 61010000)
                            msctfime.ime        (755C0000 - 755EE000)
                            CTTheme.dll         (00930000 - 00957000)
                            CtrlSrc.dll         (00960000 - 0096B000)
                            CTIniF.dll          (00970000 - 0097E000)
                            GDICtrl.skc         (00990000 - 009E1000)
                            comdlg32.dll        (763B0000 - 763F9000)
                            GDICtrl2.skc        (009F0000 - 00A19000)
                            gdiplus.dll         (4EC50000 - 4EDFB000)
                            GDICtrl3.skc        (00A20000 - 00A38000)
                            RtxCtrl.skc         (00A40000 - 00A5C000)
                            UxTheme.dll         (5AD70000 - 5ADA8000)

                            PID 992   - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            VERSION.dll         (77C00000 - 77C08000)
                            MFC42.DLL           (73DD0000 - 73ECE000)
                            comdlg32.dll        (763B0000 - 763F9000)
                            COMCTL32.dll        (5D090000 - 5D12A000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            ole32.dll           (774E0000 - 7761D000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            msctfime.ime        (755C0000 - 755EE000)
                            AudDrvEm.dll        (10000000 - 10010000)
                            WINMM.dll           (76B40000 - 76B6D000)
                            SETUPAPI.dll        (77920000 - 77A13000)
                            CTAudSel.dll        (00920000 - 00931000)
                            CLBCATQ.DLL         (76FD0000 - 7704F000)
                            COMRes.dll          (77050000 - 77115000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            CTDCRES.DLL         (01010000 - 01015000)
                            PanelSvc.dll        (00960000 - 00973000)

                            PID 1020  - C:\WINDOWS\system32\dla\tfswctrl.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            tfswapi.dll         (10000000 - 1000F000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            tfswcres.dll        (00330000 - 0036B000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            ole32.dll           (774E0000 - 7761D000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            comctl32.dll        (5D090000 - 5D12A000)
                            msctfime.ime        (755C0000 - 755EE000)
                            Wtsapi32.dll        (76F50000 - 76F58000)
                            WINSTA.dll          (76360000 - 76370000)
                            NETAPI32.dll        (5B860000 - 5B8B5000)
                            CLBCATQ.DLL         (76FD0000 - 7704F000)
                            COMRes.dll          (77050000 - 77115000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            VERSION.dll         (77C00000 - 77C08000)
                            VxBlock.dll         (00960000 - 00969000)
                            SETUPAPI.dll        (77920000 - 77A13000)

                            PID 1040  - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            IMM32.DLL           (76390000 - 763AD000)

                            PID 1048  - C:\Program Files\Dell\Media Experience\DMXLauncher.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            comctl32.dll        (5D090000 - 5D12A000)
                            msctfime.ime        (755C0000 - 755EE000)
                            ole32.dll           (774E0000 - 7761D000)

                            PID 1500  - C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            COMCTL32.dll        (5D090000 - 5D12A000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            CoreDll.dll         (60680000 - 606E8000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            MSVCP71.dll         (7C3C0000 - 7C43B000)
                            MSVCR71.dll         (7C340000 - 7C396000)
                            comdlg32.dll        (763B0000 - 763F9000)
                            ole32.dll           (774E0000 - 7761D000)
                            TrackUtils.dll      (62080000 - 62091000)
                            Enforce.dll         (67000000 - 6704B000)
                            Crypt.dll           (606F0000 - 607AE000)
                            MMReg.dll           (61670000 - 61687000)
                            MMHttp.dll          (61470000 - 61484000)
                            WININET.dll         (3D930000 - 3DA01000)
                            Normaliz.dll        (00330000 - 00339000)
                            iertutil.dll        (3DFD0000 - 3E015000)
                            ThreadUtils.dll     (61EC0000 - 61ECA000)
                            SkinnedCtrls.dll    (61BC0000 - 61C4B000)
                            MFC71U.DLL          (00420000 - 00522000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            msctfime.ime        (755C0000 - 755EE000)
                            FileAssoc.dll       (609F0000 - 60A02000)
                            USERENV.dll         (769C0000 - 76A74000)
                            netapi32.dll        (5B860000 - 5B8B5000)

                            PID 904   - C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            MPR.dll             (71B20000 - 71B32000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            MFC71.DLL           (7C140000 - 7C243000)
                            MSVCR71.dll         (7C340000 - 7C396000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            COMCTL32.dll        (773D0000 - 774D3000)
                            ole32.dll           (774E0000 - 7761D000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            IMM32.DLL           (76390000 - 763AD000)
                            MediaDetectRC.dll   (10000000 - 10013000)
                            msctfime.ime        (755C0000 - 755EE000)
                            CLBCATQ.DLL         (76FD0000 - 7704F000)
                            COMRes.dll          (77050000 - 77115000)
                            VERSION.dll         (77C00000 - 77C08000)

                            PID 1836  - C:\Program Files\Common Files\AOL\1144616972\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            IMM32.DLL           (76390000 - 763AD000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            msctfime.ime        (755C0000 - 755EE000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            ole32.dll           (774E0000 - 7761D000)

                            PID 2044  - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            GoogleServices.DLL  (05000000 - 05200000)
                            GoogleDesktopCommon.dll(42000000 - 42047000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            ole32.dll           (774E0000 - 7761D000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            WININET.dll         (3D930000 - 3DA01000)
                            Normaliz.dll        (00340000 - 00349000)
                            iertutil.dll        (3DFD0000 - 3E015000)
                            COMCTL32.dll        (773D0000 - 774D3000)
                            IMM32.dll           (76390000 - 763AD000)
                            WS2_32.dll          (71AB0000 - 71AC7000)
                            WS2HELP.dll         (71AA0000 - 71AA8000)
                            USERENV.dll         (769C0000 - 76A74000)
                            PSAPI.DLL           (76BF0000 - 76BFB000)
                            GoogleDesktopResources_en.dll(62000000 - 62091000)
                            CLBCATQ.DLL         (76FD0000 - 7704F000)
                            COMRes.dll          (77050000 - 77115000)
                            VERSION.dll         (77C00000 - 77C08000)
                            wtsapi32.dll        (76F50000 - 76F58000)
                            WINSTA.dll          (76360000 - 76370000)
                            NETAPI32.dll        (5B860000 - 5B8B5000)
                            msctfime.ime        (755C0000 - 755EE000)
                            mswsock.dll         (71A50000 - 71A8F000)
                            hnetcfg.dll         (662B0000 - 66308000)
                            wshtcpip.dll        (71A90000 - 71A98000)
                            shell32.dll         (7C9C0000 - 7D1D7000)
                            msxml3.dll          (74980000 - 74AA3000)
                            rsaenh.dll          (68000000 - 68036000)
                            UxTheme.dll         (5AD70000 - 5ADA8000)
                            GoogleDesktopHyper.dll(4D000000 - 4D024000)
                            USP10.dll           (74D90000 - 74DFB000)
                            asycfilt.dll        (708F0000 - 70903000)

                            PID 404   - C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            VERSION.dll         (77C00000 - 77C08000)
                            IMM32.DLL           (76390000 - 763AD000)
                            msctfime.ime        (755C0000 - 755EE000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            ole32.dll           (774E0000 - 7761D000)

                            PID 420   - C:\Program Files\Dell Support Center\bin\sprtcmd.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            VERSION.dll         (77C00000 - 77C08000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            comctl32.dll        (5D090000 - 5D12A000)
                            msctfime.ime        (755C0000 - 755EE000)
                            ole32.dll           (774E0000 - 7761D000)
                            sprtmessage.dll     (10000000 - 10014000)
                            mscoree.dll         (79000000 - 79046000)
                            Cannot read memory @00007CB0: 8000000D
                              SupportSoft.A_CorDllMain              --[HOOKED]--  @00007CB0
                            Cannot read memory @00003D50: 8000000D
                              SupportSoft.A_CorDllMain              --[HOOKED]--  @00003D50
                            mscorwks.dll        (79E70000 - 7A400000)
                            MSVCR80.dll         (78130000 - 781CB000)
                            mscorlib.ni.dll     (790C0000 - 79BB7000)
                            mscorjit.dll        (79060000 - 790BB000)
                            sprtsched.dll       (62D20000 - 62DFD000)
                            sprtevent.dll       (62BE0000 - 62C3E000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            sprtfod.dll         (627C0000 - 62823000)
                            WSOCK32.dll         (71AD0000 - 71AD9000)
                            WS2_32.dll          (71AB0000 - 71AC7000)
                            WS2HELP.dll         (71AA0000 - 71AA8000)
                            LIBEAY32.dll        (61F30000 - 62038000)
                            NETAPI32.dll        (5B860000 - 5B8B5000)
                            WININET.DLL         (3D930000 - 3DA01000)
                            Normaliz.dll        (02EA0000 - 02EA9000)
                            iertutil.dll        (3DFD0000 - 3E015000)
                            URLMON.DLL          (030C0000 - 031E8000)
                            sprtsync.dll        (65700000 - 657DF000)
                            WINSPOOL.DRV        (73000000 - 73026000)
                            sprtui.dll          (654B0000 - 65510000)
                            mswsock.dll         (71A50000 - 71A8F000)
                            DNSAPI.dll          (76F20000 - 76F47000)
                            iphlpapi.dll        (76D60000 - 76D79000)
                            winrnr.dll          (76FB0000 - 76FB8000)
                            WLDAP32.dll         (76F60000 - 76F8C000)
                            mdnsNSP.dll         (64000000 - 64025000)
                            rasadhlp.dll        (76FC0000 - 76FC6000)
                            NTMARTA.DLL         (77690000 - 776B1000)
                            SAMLIB.dll          (71BF0000 - 71C03000)
                            SupportSoft.Agent.Sprocket.SupportMessage.dll(11000000 - 1100C000)
                            SupportSoft.Agent.Sprocket.dll(03EC0000 - 03EC8000)
                            System.ni.dll       (7A440000 - 7ABC5000)
                            System.Xml.ni.dll   (637A0000 - 63CD6000)

                            PID 352   - C:\Program Files\Java\jre6\bin\jusched.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            WININET.dll         (3D930000 - 3DA01000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            Normaliz.dll        (00340000 - 00349000)
                            iertutil.dll        (3DFD0000 - 3E015000)
                            ole32.dll           (774E0000 - 7761D000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            comctl32.dll        (5D090000 - 5D12A000)
                            Apphelp.dll         (77B40000 - 77B62000)
                            ws2_32.dll          (71AB0000 - 71AC7000)
                            WS2HELP.dll         (71AA0000 - 71AA8000)
                            RASAPI32.dll        (76EE0000 - 76F1C000)
                            rasman.dll          (76E90000 - 76EA2000)
                            NETAPI32.dll        (5B860000 - 5B8B5000)
                            TAPI32.dll          (76EB0000 - 76EDF000)
                            rtutils.dll         (76E80000 - 76E8E000)
                            WINMM.dll           (76B40000 - 76B6D000)
                            USERENV.dll         (769C0000 - 76A74000)
                            mswsock.dll         (71A50000 - 71A8F000)
                            urlmon.dll          (78130000 - 78258000)
                            DNSAPI.dll          (76F20000 - 76F47000)
                            iphlpapi.dll        (76D60000 - 76D79000)
                            mdnsNSP.dll         (64000000 - 64025000)
                            rasadhlp.dll        (76FC0000 - 76FC6000)

                            PID 456   - C:\Program Files\McAfee.com\Agent\mcagent.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            WINTRUST.dll        (76C30000 - 76C5E000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            CRYPT32.dll         (77A80000 - 77B15000)
                            MSASN1.dll          (77B20000 - 77B32000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            IMAGEHLP.dll        (76C90000 - 76CB8000)
                            COMDLG32.dll        (763B0000 - 763F9000)
                            COMCTL32.dll        (5D090000 - 5D12A000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            ole32.dll           (774E0000 - 7761D000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            WININET.dll         (3D930000 - 3DA01000)
                            Normaliz.dll        (00340000 - 00349000)
                            iertutil.dll        (3DFD0000 - 3E015000)
                            VERSION.dll         (77C00000 - 77C08000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            McUtil.dll          (62600000 - 62643000)
                            SETUPAPI.dll        (77920000 - 77A13000)
                            msctfime.ime        (755C0000 - 755EE000)
                            psapi.dll           (76BF0000 - 76BFB000)
                            rsaenh.dll          (68000000 - 68036000)
                            xpsp2res.dll        (00EB0000 - 01175000)
                            userenv.dll         (769C0000 - 76A74000)
                            netapi32.dll        (5B860000 - 5B8B5000)
                            cryptnet.dll        (75E60000 - 75E73000)
                            SensApi.dll         (722B0000 - 722B5000)
                            WINHTTP.dll         (4D4F0000 - 4D549000)
                            WLDAP32.dll         (76F60000 - 76F8C000)
                            Cabinet.dll         (75150000 - 75163000)
                            ws2_32.dll          (71AB0000 - 71AC7000)
                            WS2HELP.dll         (71AA0000 - 71AA8000)
                            mswsock.dll         (71A50000 - 71A8F000)
                            hnetcfg.dll         (662B0000 - 66308000)
                            wshtcpip.dll        (71A90000 - 71A98000)
                            RASAPI32.DLL        (76EE0000 - 76F1C000)
                            rasman.dll          (76E90000 - 76EA2000)
                            TAPI32.dll          (76EB0000 - 76EDF000)
                            rtutils.dll         (76E80000 - 76E8E000)
                            WINMM.dll           (76B40000 - 76B6D000)
                            DNSAPI.dll          (76F20000 - 76F47000)
                            iphlpapi.dll        (76D60000 - 76D79000)
                            mdnsNSP.dll         (64000000 - 64025000)
                            rasadhlp.dll        (76FC0000 - 76FC6000)
                            McRtMui.dll         (10000000 - 10077000)
                            WTSAPI32.dll        (76F50000 - 76F58000)
                            WINSTA.dll          (76360000 - 76370000)
                            LangSel.dll         (014B0000 - 014DE000)
                            CLBCATQ.DLL         (76FD0000 - 7704F000)
                            COMRes.dll          (77050000 - 77115000)
                            msxml4.dll          (69B10000 - 69C5D000)
                            McOemRes.dll        (016A0000 - 016A2000)
                            OemUI.dll           (01CC0000 - 01CC2000)
                            mcprlres.dll        (66500000 - 667FA000)
                            mcmscshm.dll        (01EF0000 - 01F89000)
                            McBrwsr2.dll        (62400000 - 62463000)
                            urlmon.dll          (78130000 - 78258000)
                            wbemprox.dll        (74EF0000 - 74EF8000)
                            wbemcomn.dll        (75290000 - 752C7000)
                            mpfshm.dll          (020F0000 - 0214D000)
                            MSIMG32.dll         (76380000 - 76385000)
                            mskcshim.dll        (025A0000 - 025FE000)
                            mcoasshm.dll        (02610000 - 02663000)
                            SXS.DLL             (7E720000 - 7E7D0000)
                            McLWAPI.DLL         (026B0000 - 026D8000)

                            PID 1296  - C:\Program Files\DellSupport\DSAgnt.exe
                            -------------------------------------------------------------------------------
                            ntdll.dll           (7C900000 - 7C9B2000)
                            kernel32.dll        (7C800000 - 7C8F6000)
                            SHELL32.dll         (7C9C0000 - 7D1D7000)
                            ADVAPI32.dll        (77DD0000 - 77E6B000)
                            RPCRT4.dll          (77E70000 - 77F02000)
                            Secur32.dll         (77FE0000 - 77FF1000)
                            GDI32.dll           (77F10000 - 77F59000)
                            USER32.dll          (7E410000 - 7E4A1000)
                            msvcrt.dll          (77C10000 - 77C68000)
                            SHLWAPI.dll         (77F60000 - 77FD6000)
                            WININET.dll         (3D930000 - 3DA01000)
                            Normaliz.dll        (00340000 - 00349000)
                            iertutil.dll        (3DFD0000 - 3E015000)
                            ole32.dll           (774E0000 - 7761D000)
                            OLEAUT32.dll        (77120000 - 771AB000)
                            VERSION.dll         (77C00000 - 77C08000)
                            IMM32.DLL           (76390000 - 763AD000)
                            comctl32.dll        (773D0000 - 774D3000)
                            NTMARTA.DLL         (77690000 - 776B1000)
                            SAMLIB.dll          (71BF0000 - 71C03000)
                            WLDAP32.dll         (76F60000 - 76F8C000)
                            msctfime.ime        (755C0000 - 755EE000)
                            ws2_32.dll          (71AB0000 - 71AC7000)
                            WS2HELP.dll         (71AA0000 - 71AA8000)
                            GTAgnt.dll          (10000000 - 10023000)
                            CfgData.DLL         (00C20000 - 00C59000)
                            ActMgr.dll          (00C60000 - 00C8B000)
                            CLBCATQ.DLL         (76FD0000 - 7704F000)
                            COMRes.dll          (77050000 - 77115000)
                            msxml3.dll          (74980000 - 74AA3000)
                            urlmon.dll          (78130000 - 78258000)
                            MSOXMLMF.DLL        (01E90000 - 01E9D000)
                            brkrsvch.dll        (01EB0000 - 01ED3000)
                            grouph.dll          (01F00000 - 01F29000)
                            pnph.dll            (01F50000 - 01F7D000)
                            qdiagh.dll          (01FA0000 - 01FC3000)
                            trgloadh.dll        (01FF0000 - 02033000)
                            trgregh.dll         (02060000 - 02092000)
                            TrgMgr.DLL          (020B0000 - 020DF000)
                            OLEACC.dll          (74C80000 - 74CAC000)
                            MSVCP60.dll         (76080000 - 760E5000)
                            WINSPOOL.DRV        (73000000 - 73026000)
                            rasapi32.dll        (76EE0000 - 76F1C000)
                            rasman.dll          (76E90000 - 76EA2000)
                            NETAPI32.dll        (5B860000 - 5B8B5000)
                            TAPI32.dll          (76EB0000 - 76EDF000)
                            rtutils.dll         (76E80000 - 76E8E000)
                            WINMM.dll           (76B40000 - 76B6D000)
                            FILET.DLL           (02A40000 - 02A66000)
                            TIMERT.DLL          (02B80000 - 02BA7000)
                            CRYPT32.dll         (77A80000 - 77B15000)
                            MSASN1.dll          (77B20000 - 77B32000)
                            mlang.dll           (75CF0000 - 75D81000)
                            gdql_d.dll          (02E10000 - 0301F000)
                            comdlg32.dll        (763B0000 - 763F9000)
                            MPR.dll             (71B20000 - 71B32000)
                            MSACM32.dll         (77BE0000 - 77BF5000)
                            MSVFW32.dll         (75A70000 - 75A91000)
                            AVICAP32.dll        (73B80000 - 73B92000)
                            SXS.DLL             (7E720000 - 7E7D0000)
                            Iphlpapi.dll        (76D60000 - 76D79000)
                            DSPROCT.DLL         (03240000 - 03266000)
                            PSAPI.DLL           (76BF0000 - 76BFB000)
                            DSWNHNT.DLL         (03380000 - 033B6000)
                            mswsock.dll         (71A50000 - 71A8F000)
                            DNSAPI.dll          (76F20000 - 76F47000)
                            mdnsNSP.dll         (64000000 - 64025000)
                            rasadhlp.dll        (76FC0000 - 76FC6000)

                            PID 2020  - C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

                            Xerinous

                              Re: Can't run programs or connect to internet
                              « Reply #88 on: August 08, 2010, 09:41:22 PM »
                              -------------------------------------------------------------------------------
                              ntdll.dll           (7C900000 - 7C9B2000)
                              kernel32.dll        (7C800000 - 7C8F6000)
                              USER32.dll          (7E410000 - 7E4A1000)
                              GDI32.dll           (77F10000 - 77F59000)
                              SHLWAPI.dll         (77F60000 - 77FD6000)
                              ADVAPI32.dll        (77DD0000 - 77E6B000)
                              RPCRT4.dll          (77E70000 - 77F02000)
                              Secur32.dll         (77FE0000 - 77FF1000)
                              msvcrt.dll          (77C10000 - 77C68000)
                              IMM32.DLL           (76390000 - 763AD000)
                              SHELL32.dll         (7C9C0000 - 7D1D7000)
                              comctl32.dll        (773D0000 - 774D3000)
                              NTMARTA.DLL         (77690000 - 776B1000)
                              ole32.dll           (774E0000 - 7761D000)
                              SAMLIB.dll          (71BF0000 - 71C03000)
                              WLDAP32.dll         (76F60000 - 76F8C000)
                              netapi32.dll        (5B860000 - 5B8B5000)
                              SETUPAPI.dll        (77920000 - 77A13000)
                              appHelp.dll         (77B40000 - 77B62000)
                              CLBCATQ.DLL         (76FD0000 - 7704F000)
                              COMRes.dll          (77050000 - 77115000)
                              OLEAUT32.dll        (77120000 - 771AB000)
                              VERSION.dll         (77C00000 - 77C08000)
                              rsaenh.dll          (68000000 - 68036000)
                              urlmon.dll          (00B20000 - 00C48000)
                              iertutil.dll        (3DFD0000 - 3E015000)

                              PID 616   - C:\Program Files\Citrix\ICA Client\pnagent.exe
                              -------------------------------------------------------------------------------
                              ntdll.dll           (7C900000 - 7C9B2000)
                              kernel32.dll        (7C800000 - 7C8F6000)
                              USER32.dll          (7E410000 - 7E4A1000)
                              GDI32.dll           (77F10000 - 77F59000)
                              SHELL32.dll         (7C9C0000 - 7D1D7000)
                              ADVAPI32.dll        (77DD0000 - 77E6B000)
                              RPCRT4.dll          (77E70000 - 77F02000)
                              Secur32.dll         (77FE0000 - 77FF1000)
                              msvcrt.dll          (77C10000 - 77C68000)
                              SHLWAPI.dll         (77F60000 - 77FD6000)
                              COMCTL32.dll        (5D090000 - 5D12A000)
                              ICALOGON.dll        (66240000 - 6624B000)
                              VERSION.dll         (77C00000 - 77C08000)
                              ole32.dll           (774E0000 - 7761D000)
                              IMM32.DLL           (76390000 - 763AD000)
                              comctl32.dll        (773D0000 - 774D3000)
                              wininet.dll         (3D930000 - 3DA01000)
                              Normaliz.dll        (008B0000 - 008B9000)
                              iertutil.dll        (3DFD0000 - 3E015000)
                              pnagenUI.DLL        (008D0000 - 008F1000)
                              msctfime.ime        (755C0000 - 755EE000)
                              ws2_32.dll          (71AB0000 - 71AC7000)
                              WS2HELP.dll         (71AA0000 - 71AA8000)
                              RASAPI32.dll        (76EE0000 - 76F1C000)
                              rasman.dll          (76E90000 - 76EA2000)
                              NETAPI32.dll        (5B860000 - 5B8B5000)
                              TAPI32.dll          (76EB0000 - 76EDF000)
                              rtutils.dll         (76E80000 - 76E8E000)
                              WINMM.dll           (76B40000 - 76B6D000)
                              USERENV.dll         (769C0000 - 76A74000)
                              mswsock.dll         (71A50000 - 71A8F000)
                              urlmon.dll          (78130000 - 78258000)
                              OLEAUT32.dll        (77120000 - 771AB000)
                              DNSAPI.dll          (76F20000 - 76F47000)
                              iphlpapi.dll        (76D60000 - 76D79000)
                              mdnsNSP.dll         (64000000 - 64025000)
                              rasadhlp.dll        (76FC0000 - 76FC6000)

                              PID 2480  - C:\Documents and Settings\Timothy Donovan\Desktop\radixgui.exe
                              -------------------------------------------------------------------------------
                              ntdll.dll           (7C900000 - 7C9B2000)
                              kernel32.dll        (7C800000 - 7C8F6000)
                              USER32.dll          (7E410000 - 7E4A1000)
                              GDI32.dll           (77F10000 - 77F59000)
                              comdlg32.dll        (763B0000 - 763F9000)
                              ADVAPI32.dll        (77DD0000 - 77E6B000)
                              RPCRT4.dll          (77E70000 - 77F02000)
                              Secur32.dll         (77FE0000 - 77FF1000)
                              COMCTL32.dll        (5D090000 - 5D12A000)
                              SHELL32.dll         (7C9C0000 - 7D1D7000)
                              msvcrt.dll          (77C10000 - 77C68000)
                              SHLWAPI.dll         (77F60000 - 77FD6000)
                              ole32.dll           (774E0000 - 7761D000)
                              VERSION.dll         (77C00000 - 77C08000)
                              IMM32.DLL           (76390000 - 763AD000)
                              comctl32.dll        (773D0000 - 774D3000)
                              wintrust.dll        (76C30000 - 76C5E000)
                              CRYPT32.dll         (77A80000 - 77B15000)
                              MSASN1.dll          (77B20000 - 77B32000)
                              IMAGEHLP.dll        (76C90000 - 76CB8000)
                              sfc.dll             (76BB0000 - 76BB5000)
                              sfc_os.dll          (76C60000 - 76C8A000)
                              NTMARTA.DLL         (77690000 - 776B1000)
                              SAMLIB.dll          (71BF0000 - 71C03000)
                              WLDAP32.dll         (76F60000 - 76F8C000)
                              msctfime.ime        (755C0000 - 755EE000)
                              DisasmEngineDLL.dll (10000000 - 10021000)
                              xpsp2res.dll        (01F10000 - 021D5000)
                              rsaenh.dll          (68000000 - 68036000)
                              userenv.dll         (769C0000 - 76A74000)
                              netapi32.dll        (5B860000 - 5B8B5000)
                              cryptnet.dll        (75E60000 - 75E73000)
                              PSAPI.DLL           (76BF0000 - 76BFB000)
                              SensApi.dll         (722B0000 - 722B5000)
                              WINHTTP.dll         (4D4F0000 - 4D549000)
                              Cabinet.dll         (75150000 - 75163000)
                              ws2_32.dll          (71AB0000 - 71AC7000)
                              WS2HELP.dll         (71AA0000 - 71AA8000)
                              mswsock.dll         (71A50000 - 71A8F000)
                              hnetcfg.dll         (662B0000 - 66308000)
                              wshtcpip.dll        (71A90000 - 71A98000)
                              RASAPI32.DLL        (76EE0000 - 76F1C000)
                              rasman.dll          (76E90000 - 76EA2000)
                              TAPI32.dll          (76EB0000 - 76EDF000)
                              rtutils.dll         (76E80000 - 76E8E000)
                              WINMM.dll           (76B40000 - 76B6D000)
                              DNSAPI.dll          (76F20000 - 76F47000)
                              iphlpapi.dll        (76D60000 - 76D79000)
                              mdnsNSP.dll         (64000000 - 64025000)
                              rasadhlp.dll        (76FC0000 - 76FC6000)

                              PID 3336  - C:\Program Files\McAfee Security Scan\1.0.150\McUICnt.exe
                              -------------------------------------------------------------------------------
                              ntdll.dll           (7C900000 - 7C9B2000)
                              kernel32.dll        (7C800000 - 7C8F6000)
                              VERSION.dll         (77C00000 - 77C08000)
                              USER32.dll          (7E410000 - 7E4A1000)
                              GDI32.dll           (77F10000 - 77F59000)
                              ole32.dll           (774E0000 - 7761D000)
                              ADVAPI32.dll        (77DD0000 - 77E6B000)
                              RPCRT4.dll          (77E70000 - 77F02000)
                              Secur32.dll         (77FE0000 - 77FF1000)
                              msvcrt.dll          (77C10000 - 77C68000)
                              OLEAUT32.dll        (77120000 - 771AB000)
                              SHLWAPI.dll         (77F60000 - 77FD6000)
                              WINTRUST.dll        (76C30000 - 76C5E000)
                              CRYPT32.dll         (77A80000 - 77B15000)
                              MSASN1.dll          (77B20000 - 77B32000)
                              IMAGEHLP.dll        (76C90000 - 76CB8000)
                              IMM32.DLL           (76390000 - 763AD000)
                              SHELL32.dll         (7C9C0000 - 7D1D7000)
                              comctl32.dll        (773D0000 - 774D3000)
                              psapi.dll           (76BF0000 - 76BFB000)
                              rsaenh.dll          (68000000 - 68036000)
                              xpsp2res.dll        (00BC0000 - 00E85000)
                              userenv.dll         (769C0000 - 76A74000)
                              netapi32.dll        (5B860000 - 5B8B5000)
                              cryptnet.dll        (75E60000 - 75E73000)
                              SensApi.dll         (722B0000 - 722B5000)
                              WINHTTP.dll         (4D4F0000 - 4D549000)
                              WLDAP32.dll         (76F60000 - 76F8C000)
                              Cabinet.dll         (75150000 - 75163000)
                              ws2_32.dll          (71AB0000 - 71AC7000)
                              WS2HELP.dll         (71AA0000 - 71AA8000)
                              mswsock.dll         (71A50000 - 71A8F000)
                              hnetcfg.dll         (662B0000 - 66308000)
                              wshtcpip.dll        (71A90000 - 71A98000)
                              RASAPI32.DLL        (76EE0000 - 76F1C000)
                              rasman.dll          (76E90000 - 76EA2000)
                              TAPI32.dll          (76EB0000 - 76EDF000)
                              rtutils.dll         (76E80000 - 76E8E000)
                              WINMM.dll           (76B40000 - 76B6D000)
                              DNSAPI.dll          (76F20000 - 76F47000)
                              iphlpapi.dll        (76D60000 - 76D79000)
                              mdnsNSP.dll         (64000000 - 64025000)
                              rasadhlp.dll        (76FC0000 - 76FC6000)
                              SecurityScanner.dll (10000000 - 10069000)
                              WININET.dll         (3D930000 - 3DA01000)
                              Normaliz.dll        (01160000 - 01169000)
                              iertutil.dll        (3DFD0000 - 3E015000)
                              msctfime.ime        (755C0000 - 755EE000)
                              UxTheme.dll         (5AD70000 - 5ADA8000)
                              McBrwsr2.dll        (62400000 - 62468000)
                              urlmon.dll          (78130000 - 78258000)
                              McUtil.dll          (62600000 - 62643000)
                              SETUPAPI.dll        (77920000 - 77A13000)
                              MispLF.dll          (62500000 - 62538000)
                              MSIMG32.dll         (76380000 - 76385000)
                              CLBCATQ.DLL         (76FD0000 - 7704F000)
                              COMRes.dll          (77050000 - 77115000)
                              ieframe.dll         (3E1C0000 - 3E78D000)
                              NTMARTA.DLL         (77690000 - 776B1000)
                              SAMLIB.dll          (71BF0000 - 71C03000)
                              ---- Check ended at 8.8.2010 21:22:52 ----
                               
                              They're getting longer...scary...
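The list above is the scanner's map of modules loaded into the process, one `name (base - end)` line each. As an added example (not code from this thread or from the scanner tool), here is a small Python parser for those lines that also runs the sanity checks a responder would want before trusting such a list: every range well-formed and page-aligned, no two modules overlapping (two images can never share pages in one process, so an overlap means the report is corrupt or tampered with), and a note of any module still mapped at 0x10000000, the default image base the MSVC linker gives DLLs that were never rebased. Treating that last address as a "third-party, not a rebased system DLL" hint is my own triage heuristic, not a verdict from the page. The sample lines are a subset copied from the report above.

```python
"""Parse 'module (base - end)' lines from a hook-scanner report and run
simple sanity checks on the loaded-module map.

Added example; not part of the forum thread or of the scanner's own code.
"""
import re
from typing import List, NamedTuple, Tuple

# Subset of lines copied from the report above (constructed for the demo;
# the footer line is included to show it is skipped by the parser).
SAMPLE_REPORT = """\
                              ws2_32.dll          (71AB0000 - 71AC7000)
                              WS2HELP.dll         (71AA0000 - 71AA8000)
                              mswsock.dll         (71A50000 - 71A8F000)
                              mdnsNSP.dll         (64000000 - 64025000)
                              SecurityScanner.dll (10000000 - 10069000)
                              WININET.dll         (3D930000 - 3DA01000)
                              ---- Check ended at 8.8.2010 21:22:52 ----
"""

# name, then '(XXXXXXXX - XXXXXXXX)' with 8 hex digits each side
MODULE_RE = re.compile(r"^\s*(\S+)\s+\(([0-9A-Fa-f]{8}) - ([0-9A-Fa-f]{8})\)\s*$")

# Default image base the MSVC linker assigns to a DLL with no explicit base.
# A module still sitting there was never rebased by its vendor; Windows
# system DLLs always are. Used here as a triage heuristic only (assumption).
DEFAULT_DLL_BASE = 0x10000000
PAGE = 0x1000


class Module(NamedTuple):
    name: str
    base: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.base


def parse_modules(text: str) -> List[Module]:
    """Return the modules listed in `text`; non-matching lines are skipped."""
    mods: List[Module] = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if not m:
            continue  # header/footer lines such as '---- Check ended ... ----'
        name, base, end = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
        if end <= base:
            raise ValueError(f"bad range for {name}: {base:08X}-{end:08X}")
        mods.append(Module(name, base, end))
    return mods


def find_overlaps(mods: List[Module]) -> List[Tuple[str, str]]:
    """Pairs of adjacent (by base) modules whose ranges intersect."""
    ordered = sorted(mods, key=lambda m: m.base)
    return [(a.name, b.name) for a, b in zip(ordered, ordered[1:]) if b.base < a.end]


def unaligned(mods: List[Module]) -> List[str]:
    """Modules whose base or end is not on a page boundary (should be none)."""
    return [m.name for m in mods if m.base % PAGE or m.end % PAGE]


def at_default_base(mods: List[Module]) -> List[str]:
    """Modules mapped at the un-rebased MSVC default DLL base (heuristic)."""
    return [m.name for m in mods if m.base == DEFAULT_DLL_BASE]


if __name__ == "__main__":
    mods = parse_modules(SAMPLE_REPORT)
    for m in mods:
        print(f"{m.name:20s} {m.base:08X} size={m.size:#x}")
    print("overlaps:", find_overlaps(mods))
    print("unaligned:", unaligned(mods))
    print("at default DLL base:", at_default_base(mods))
```

Run it against the full report by replacing `SAMPLE_REPORT` with the pasted text; the footer and any blank lines are ignored, and a range whose end precedes its base raises rather than being silently accepted.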

                              Dr Jay
                              • Malware Removal Specialist
                              • Moderator emeritus
                              Re: Can't run programs or connect to internet
                              « Reply #89 on: August 09, 2010, 11:23:27 PM »
                              Please do a scan with Kaspersky Online Scanner

                              • Click on the Accept button and install any components it needs.
                              • The program will install and then begin downloading the latest definition files.
                              • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
                              • This will start the program and scan your system.
                              • The scan will take a while, so be patient and let it run.
                              • Once the scan is complete, click on View scan report.
                              • Now, click on the Save Report as button.
                              • Save the file to your desktop.
                              • Copy and paste that information in your next post.
                              Note: If the scan freezes for more than 30 minutes, stop the scan and report back to me.
                              ~Dr Jay