Part 2a
This has run to over 900,000 characters, so it will be split across several files.
Let me know if this is not the right way to post it.
GMER 1.0.15.14972 -
http://www.gmer.net
Rootkit scan 2009-07-05 13:12:41
Windows 6.0.6002 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAllocateVirtualMemory [0x9D4F5B94]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAlpcConnectPort [0x9D4F5516]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAssignProcessToJobObject [0x9D4F5586]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwConnectPort [0x9D4F55DA]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateFile [0x9D4F5640]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcess [0x9D4F572E]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcessEx [0x9D4F57BA]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThread [0x9D4F584A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDebugActiveProcess [0x9D4F5980]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDuplicateObject [0x9D4F59D4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0x9D4F5A3A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenKey [0x9D4F5A8C]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenSection [0x9D4F5AE4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenThread [0x9D4F5B3C]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwProtectVirtualMemory [0x9D4F5BFA]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRestoreKey [0x9D4F5C58]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwResumeThread [0x9D4F5CB6]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSecureConnectPort [0x9D4F5D74]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSetValueKey [0x9D4F5D08]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSuspendProcess [0x9D4F5DDE]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSystemDebugControl [0x9D4F5E30]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0x9D4F5E90]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwWriteVirtualMemory [0x9D4F5EF4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThreadEx [0x9D4F58EC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateUserProcess [0x9D4F56BE]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 131 820BD874 4 Bytes [94, 5B, 4F, 9D] {XCHG ESP, EAX; POP EBX; DEC EDI; POPF }
.text ntkrnlpa.exe!KeSetEvent + 13D 820BD880 4 Bytes [16, 55, 4F, 9D] {PUSH SS; PUSH EBP; DEC EDI; POPF }
.text ntkrnlpa.exe!KeSetEvent + 191 820BD8D4 4 Bytes [86, 55, 4F, 9D] {XCHG [EBP+0x4f], DL; POPF }
.text ntkrnlpa.exe!KeSetEvent + 1C1 820BD904 4 Bytes [DA, 55, 4F, 9D] {FICOM DWORD [EBP+0x4f]; POPF }
.text ntkrnlpa.exe!KeSetEvent + 1D9 820BD91C 4 Bytes [40, 56, 4F, 9D] {INC EAX; PUSH ESI; DEC EDI; POPF }
.text ...
? C:\Windows\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ntdll.dll!NtLoadDriver 76EE4A64 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ntdll.dll!NtLoadDriver + 4 76EE4A68 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ntdll.dll!NtSuspendProcess 76EE54B4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ntdll.dll!NtSuspendProcess + 4 76EE54B8 2 Bytes [38, 5F]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!TerminateProcess 76AE18EF 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateProcessW 76AE1BF3 6 Bytes JMP 5F220F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateProcessA 76AE1C28 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!WriteProcessMemory 76AE1CB8 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!VirtualProtect 76AE1DC3 6 Bytes JMP 5F940F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CopyFileExW 76AF0211 6 Bytes JMP 5FB20F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CopyFileW 76AF0299 6 Bytes JMP 5FAC0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!DeviceIoControl 76B05077 6 Bytes JMP 5FBE0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!LoadLibraryExW 76B09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!LoadLibraryW 76B09362 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!LoadLibraryA 76B094DC 6 Bytes JMP 5F130F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!GetVolumeInformationW 76B0D7FE 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!TerminateThread 76B241F7 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!LoadResource 76B26ADB 6 Bytes JMP 5FA60F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!GetProcAddress 76B2903B 6 Bytes JMP 5F580F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!TlsGetValue 76B29E3B 6 Bytes JMP 5FB50F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!WriteFile 76B2A9C1 6 Bytes JMP 5FC70F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!VirtualAlloc 76B2AD55 6 Bytes JMP 5F910F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateFileW 76B2AECB 6 Bytes JMP 5F850F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateThread 76B2C90E 6 Bytes JMP 5F8E0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateRemoteThread 76B2C935 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateRemoteThread + 4 76B2C939 2 Bytes [05, 5F]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateFileA 76B2CE5F 6 Bytes JMP 5F880F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateDirectoryW 76B2D166 6 Bytes JMP 5FC40F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!GetVolumeInformationA 76B31297 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CopyFileA 76B32433 6 Bytes JMP 5FA90F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateToolhelp32Snapshot 76B366A7 6 Bytes JMP 5F8B0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CreateDirectoryA 76B370F4 6 Bytes JMP 5FC10F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!DebugActiveProcess 76B69A61 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!CopyFileExA 76B719F9 6 Bytes JMP 5FAF0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!WinExec 76B75CF7 6 Bytes JMP 5F310F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] kernel32.dll!SetThreadContext 76B7794A 6 Bytes JMP 5FCA0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!OpenSCManagerA 76422D93 6 Bytes JMP 5F970F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegQueryValueA 764230C8 6 Bytes JMP 5F790F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegCreateKeyExA 764239AB 6 Bytes JMP 5F610F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegSetValueExA 76423BEC 6 Bytes JMP 5F730F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!OpenSCManagerW 76427137 6 Bytes JMP 5F9A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegOpenKeyA 764289C7 6 Bytes JMP 5F670F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegQueryValueW 764332D4 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegSetValueExW 76433D5A 6 Bytes JMP 5F760F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegCreateKeyExW 764341F1 6 Bytes JMP 5F640F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegQueryValueExA 76437A9D 6 Bytes JMP 5F7F0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegOpenKeyExA 76437C42 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegOpenKeyW 7643E2B5 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegQueryValueExW 7644765E 6 Bytes JMP 5F820F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!RegOpenKeyExW 76447BA1 6 Bytes JMP 5F700F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!CreateServiceW 76449EB4 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!LsaRemoveAccountRights 7646B569 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] ADVAPI32.dll!CreateServiceA 764872A1 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!RegisterRawInputDevices 756A6161 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!RegisterRawInputDevices + 4 756A6165 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!SetWindowsHookExA 756A6322 6 Bytes JMP 5F190F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!GetAsyncKeyState 756A863C 6 Bytes JMP 5F430F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!SetWindowsHookExW 756A87AD 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!SetWinEventHook 756A9F3A 6 Bytes JMP 5F520F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!ShowWindow 756ACA10 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!ShowWindow + 4 756ACA14 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!GetWindowTextA 756AF63C 6 Bytes JMP 5F9D0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!GetWindowTextW 756B2069 6 Bytes JMP 5FA00F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!GetKeyState 756B8CB1 6 Bytes JMP 5F400F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!DdeConnect 756E9A1F 6 Bytes JMP 5F460F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] USER32.dll!EndTask 756EAD32 6 Bytes JMP 5F340F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] SHELL32.dll!ShellExecuteW 75909725 6 Bytes JMP 5F280F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] SHELL32.dll!Shell_NotifyIconW 75948626 6 Bytes JMP 5FBB0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] SHELL32.dll!ShellExecuteExW 7595C135 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] SHELL32.dll!ShellExecuteEx 75B09FE2 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] SHELL32.dll!ShellExecuteA 75B0A07D 6 Bytes JMP 5F250F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] SHELL32.dll!Shell_NotifyIcon 75B0B81D 6 Bytes JMP 5FB80F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] WS2_32.dll!socket 76FF36D1 6 Bytes JMP 5FCD0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] WS2_32.dll!bind 76FF652F 6 Bytes JMP 5FD00F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[504] WS2_32.dll!listen 76FF8CD7 6 Bytes JMP 5FD30F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ntdll.dll!NtLoadDriver 76EE4A64 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ntdll.dll!NtLoadDriver + 4 76EE4A68 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ntdll.dll!NtSuspendProcess 76EE54B4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ntdll.dll!NtSuspendProcess + 4 76EE54B8 2 Bytes [38, 5F]
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!TerminateProcess 76AE18EF 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateProcessW 76AE1BF3 6 Bytes JMP 5F220F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateProcessA 76AE1C28 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!WriteProcessMemory 76AE1CB8 6 Bytes JMP 5F100F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!VirtualProtect 76AE1DC3 6 Bytes JMP 5F940F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CopyFileExW 76AF0211 6 Bytes JMP 5FB20F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CopyFileW 76AF0299 6 Bytes JMP 5FAC0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!DeviceIoControl 76B05077 6 Bytes JMP 5FBE0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!LoadLibraryExW 76B09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!LoadLibraryW 76B09362 6 Bytes JMP 5F160F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!LoadLibraryA 76B094DC 6 Bytes JMP 5F130F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!GetVolumeInformationW 76B0D7FE 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!TerminateThread 76B241F7 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!LoadResource 76B26ADB 6 Bytes JMP 5FA60F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!GetProcAddress 76B2903B 6 Bytes JMP 5F580F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!TlsGetValue 76B29E3B 6 Bytes JMP 5FB50F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!WriteFile 76B2A9C1 6 Bytes JMP 5FCD0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!VirtualAlloc 76B2AD55 6 Bytes JMP 5F910F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateFileW 76B2AECB 6 Bytes JMP 5F850F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateThread 76B2C90E 6 Bytes JMP 5F8E0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateRemoteThread 76B2C935 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateRemoteThread + 4 76B2C939 2 Bytes [05, 5F]
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateFileA 76B2CE5F 6 Bytes JMP 5F880F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateDirectoryW 76B2D166 6 Bytes JMP 5FCA0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!GetVolumeInformationA 76B31297 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CopyFileA 76B32433 6 Bytes JMP 5FA90F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateToolhelp32Snapshot 76B366A7 6 Bytes JMP 5F8B0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CreateDirectoryA 76B370F4 6 Bytes JMP 5FC70F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!DebugActiveProcess 76B69A61 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!CopyFileExA 76B719F9 6 Bytes JMP 5FAF0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!WinExec 76B75CF7 6 Bytes JMP 5F310F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] kernel32.dll!SetThreadContext 76B7794A 6 Bytes JMP 5FD00F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!OpenSCManagerA 76422D93 6 Bytes JMP 5F970F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegQueryValueA 764230C8 6 Bytes JMP 5F790F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegCreateKeyExA 764239AB 6 Bytes JMP 5F610F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegSetValueExA 76423BEC 6 Bytes JMP 5F730F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!OpenSCManagerW 76427137 6 Bytes JMP 5F9A0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegOpenKeyA 764289C7 6 Bytes JMP 5F670F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegQueryValueW 764332D4 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegSetValueExW 76433D5A 6 Bytes JMP 5F760F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegCreateKeyExW 764341F1 6 Bytes JMP 5F640F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegQueryValueExA 76437A9D 6 Bytes JMP 5F7F0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegOpenKeyExA 76437C42 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegOpenKeyW 7643E2B5 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegQueryValueExW 7644765E 6 Bytes JMP 5F820F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!RegOpenKeyExW 76447BA1 6 Bytes JMP 5F700F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!CreateServiceW 76449EB4 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!LsaRemoveAccountRights 7646B569 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] ADVAPI32.dll!CreateServiceA 764872A1 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!RegisterRawInputDevices 756A6161 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!RegisterRawInputDevices + 4 756A6165 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!SetWindowsHookExA 756A6322 6 Bytes JMP 5F190F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!GetAsyncKeyState 756A863C 6 Bytes JMP 5F430F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!SetWindowsHookExW 756A87AD 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!SetWinEventHook 756A9F3A 6 Bytes JMP 5F520F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!ShowWindow 756ACA10 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!ShowWindow + 4 756ACA14 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!GetWindowTextA 756AF63C 6 Bytes JMP 5F9D0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!GetWindowTextW 756B2069 6 Bytes JMP 5FA00F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!GetKeyState 756B8CB1 6 Bytes JMP 5F400F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!DdeConnect 756E9A1F 6 Bytes JMP 5F460F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] USER32.dll!EndTask 756EAD32 6 Bytes JMP 5F340F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] WININET.dll!InternetOpenUrlA 769CF3D4 6 Bytes JMP 5FC10F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] WININET.dll!InternetOpenUrlW 76A16DD7 6 Bytes JMP 5FC40F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] WS2_32.dll!socket 76FF36D1 6 Bytes JMP 5FD30F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] WS2_32.dll!bind 76FF652F 6 Bytes JMP 5FD60F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] WS2_32.dll!listen 76FF8CD7 6 Bytes JMP 5FD90F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] SHELL32.dll!ShellExecuteW 75909725 6 Bytes JMP 5F280F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] SHELL32.dll!Shell_NotifyIconW 75948626 6 Bytes JMP 5FBB0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] SHELL32.dll!ShellExecuteExW 7595C135 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] SHELL32.dll!ShellExecuteEx 75B09FE2 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] SHELL32.dll!ShellExecuteA 75B0A07D 6 Bytes JMP 5F250F5A
.text C:\Program Files\ATK Hotkey\Hcontrol.exe[672] SHELL32.dll!Shell_NotifyIcon 75B0B81D 6 Bytes JMP 5FB80F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ntdll.dll!NtLoadDriver 76EE4A64 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ntdll.dll!NtLoadDriver + 4 76EE4A68 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ntdll.dll!NtSuspendProcess 76EE54B4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ntdll.dll!NtSuspendProcess + 4 76EE54B8 2 Bytes [38, 5F]
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!TerminateProcess 76AE18EF 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateProcessW 76AE1BF3 6 Bytes JMP 5F220F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateProcessA 76AE1C28 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!WriteProcessMemory 76AE1CB8 6 Bytes JMP 5F100F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!VirtualProtect 76AE1DC3 6 Bytes JMP 5F940F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CopyFileExW 76AF0211 6 Bytes JMP 5FB20F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CopyFileW 76AF0299 6 Bytes JMP 5FAC0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!DeviceIoControl 76B05077 6 Bytes JMP 5FBE0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!LoadLibraryExW 76B09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!LoadLibraryW 76B09362 6 Bytes JMP 5F160F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!LoadLibraryA 76B094DC 6 Bytes JMP 5F130F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!GetVolumeInformationW 76B0D7FE 6 Bytes JMP 5F5E0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!TerminateThread 76B241F7 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!LoadResource 76B26ADB 6 Bytes JMP 5FA60F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!GetProcAddress 76B2903B 6 Bytes JMP 5F580F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!TlsGetValue 76B29E3B 6 Bytes JMP 5FB50F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!WriteFile 76B2A9C1 6 Bytes JMP 5FC70F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!VirtualAlloc 76B2AD55 6 Bytes JMP 5F910F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateFileW 76B2AECB 6 Bytes JMP 5F850F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateThread 76B2C90E 6 Bytes JMP 5F8E0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateRemoteThread 76B2C935 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateRemoteThread + 4 76B2C939 2 Bytes [05, 5F]
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateFileA 76B2CE5F 6 Bytes JMP 5F880F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateDirectoryW 76B2D166 6 Bytes JMP 5FC40F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!GetVolumeInformationA 76B31297 6 Bytes JMP 5F5B0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CopyFileA 76B32433 6 Bytes JMP 5FA90F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateToolhelp32Snapshot 76B366A7 6 Bytes JMP 5F8B0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CreateDirectoryA 76B370F4 6 Bytes JMP 5FC10F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!DebugActiveProcess 76B69A61 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!CopyFileExA 76B719F9 6 Bytes JMP 5FAF0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!WinExec 76B75CF7 6 Bytes JMP 5F310F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] kernel32.dll!SetThreadContext 76B7794A 6 Bytes JMP 5FCA0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!OpenSCManagerA 76422D93 6 Bytes JMP 5F970F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegQueryValueA 764230C8 6 Bytes JMP 5F790F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegCreateKeyExA 764239AB 6 Bytes JMP 5F610F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegSetValueExA 76423BEC 6 Bytes JMP 5F730F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!OpenSCManagerW 76427137 6 Bytes JMP 5F9A0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegOpenKeyA 764289C7 6 Bytes JMP 5F670F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegQueryValueW 764332D4 6 Bytes JMP 5F7C0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegSetValueExW 76433D5A 6 Bytes JMP 5F760F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegCreateKeyExW 764341F1 6 Bytes JMP 5F640F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegQueryValueExA 76437A9D 6 Bytes JMP 5F7F0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegOpenKeyExA 76437C42 6 Bytes JMP 5F6D0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegOpenKeyW 7643E2B5 6 Bytes JMP 5F6A0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegQueryValueExW 7644765E 6 Bytes JMP 5F820F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!RegOpenKeyExW 76447BA1 6 Bytes JMP 5F700F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!CreateServiceW 76449EB4 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!LsaRemoveAccountRights 7646B569 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] ADVAPI32.dll!CreateServiceA 764872A1 6 Bytes JMP 5F4C0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!RegisterRawInputDevices 756A6161 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!RegisterRawInputDevices + 4 756A6165 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!SetWindowsHookExA 756A6322 6 Bytes JMP 5F190F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!GetAsyncKeyState 756A863C 6 Bytes JMP 5F430F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!SetWindowsHookExW 756A87AD 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!SetWinEventHook 756A9F3A 6 Bytes JMP 5F520F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!ShowWindow 756ACA10 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!ShowWindow + 4 756ACA14 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!GetWindowTextA 756AF63C 6 Bytes JMP 5F9D0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!GetWindowTextW 756B2069 6 Bytes JMP 5FA00F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!GetKeyState 756B8CB1 6 Bytes JMP 5F400F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!DdeConnect 756E9A1F 6 Bytes JMP 5F460F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] USER32.dll!EndTask 756EAD32 6 Bytes JMP 5F340F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] WS2_32.dll!socket 76FF36D1 6 Bytes JMP 5FCD0F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] WS2_32.dll!bind 76FF652F 6 Bytes JMP 5FD00F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] WS2_32.dll!listen 76FF8CD7 6 Bytes JMP 5FD30F5A
.text C:\Program Files\ATK Hotkey\ASLDRSrv.exe[788] SHELL32.dll!ShellExecuteW 75909725 6 Bytes JMP 5F280F5A