Hi,
My laptop (running Windows XP Professional Version Service Pack 2) is experiencing a heavy, relentless viral infection--although the effects so far are limited to website redirects, opening of additional windows (both in Firefox and my user profile folder at startup), and net speeds roughly 1/3 of what's possible. Additionally, I am being blocked from installing programs such as Spybot, AVG, and from updating virus definitions in several antivirus programs...
Posting in multiple parts due to length
Malwarebytes log:
Database version: 8388
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
12/17/2011 5:22:23 PM
mbam-log-2011-12-17 (17-22-23).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 263567
Time elapsed: 35 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Rootkit.0Access) -> Delete on reboot.
GMER log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-17 16:46:46
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120821AS rev.7.24
Running: q90eu4v7.exe; Driver: C:\DOCUME~1\CHRISW~1\LOCALS~1\Temp\pgliipoc.sys
---- Kernel code sections - GMER 1.0.15 ----
? kvgxbx.sys The system cannot find the file specified. !
.text fltMgr.sys!FltSetInstanceContext + 52 F73F647E 40 Bytes [88, 45, E0, 8B, CB, FF, 15, ...]
.text fltMgr.sys!FltSetInstanceContext + A6 F73F64D2 57 Bytes [00, FF, 15, B4, BD, 3F, F7, ...]
.text fltMgr.sys!FltSetInstanceContext + E0 F73F650C 7 Bytes [78, 0C, 02, 74, 0A, B8, 0D]
.text fltMgr.sys!FltSetInstanceContext + E8 F73F6514 6 Bytes [00, C0, E9, B8, 00, 00]
.text fltMgr.sys!FltSetInstanceContext + 115 F73F6541 57 Bytes [15, 28, BE, 3F, F7, 83, 65, ...]
.text fltMgr.sys!FltDeleteInstanceContext + 2D F73F657B 35 Bytes [48, 24, 33, D2, 42, F0, 0F, ...]
.text fltMgr.sys!FltDeleteInstanceContext + 51 F73F659F 9 Bytes [07, 83, C0, 28, 89, 03, EB, ...]
.text fltMgr.sys!FltDeleteInstanceContext + 5C F73F65AA 26 Bytes [89, 77, 74, 80, 4E, 22, 01, ...]
.text fltMgr.sys!FltDeleteInstanceContext + 77 F73F65C5 44 Bytes [00, C0, 83, 4D, FC, FF, E8, ...]
.text fltMgr.sys!FltDeleteInstanceContext + A4 F73F65F2 1 Byte [E0]
.text ...
.text fltMgr.sys!FltDeleteStreamContext + 26 F73F68D4 8 Bytes [00, C0, 83, 4D, FC, FF, E8, ...]
.text fltMgr.sys!FltDeleteStreamContext + 2F F73F68DD 19 Bytes [00, 00, 8B, 45, DC, E8, 9C, ...] {ADD [EAX], AL; MOV EAX, [EBP-0x24]; CALL 0x53a6; RET 0x1c; CMP BYTE [EBP-0x19], 0x0; JZ 0x28}
.text fltMgr.sys!FltDeleteStreamContext + 43 F73F68F1 14 Bytes [4D, E0, 83, C1, 28, FF, 15, ...] {DEC EBP; LOOPNZ 0xffffffffffffff86; SHR DWORD [EAX], 0xff; ADC EAX, 0xf73fbdb4; MOV CL, [EBP-0x1a]}
.text fltMgr.sys!FltSetStreamHandleContext + 2 F73F6900 29 Bytes [15, 88, BD, 3F, F7, 83, 7D, ...]
.text fltMgr.sys!FltSetStreamHandleContext + 20 F73F691E 3 Bytes CALL F740AE22 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
.text fltMgr.sys!FltDeleteStreamHandleContext + 1 F73F6939 124 Bytes [48, D8, 66, 83, 79, 0C, 08, ...]
.text fltMgr.sys!FltDeleteStreamHandleContext + 7E F73F69B6 12 Bytes [CC, CC, CC, CC, 8B, FF, 55, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x14]}
.text fltMgr.sys!FltDeleteStreamHandleContext + 8C F73F69C4 72 Bytes [D8, 66, 83, 79, 0C, 10, 74, ...]
.text fltMgr.sys!FltDeleteStreamHandleContext + D5 F73F6A0D 30 Bytes [6A, 00, FF, 75, 0C, FF, 76, ...]
.text fltMgr.sys!FltDeleteStreamHandleContext + F4 F73F6A2C 31 Bytes [FF, FF, 75, 10, 8B, F8, E8, ...]
.text ...
.text fltMgr.sys!FltGetIrpName + 109 F73F6EC7 3 Bytes [3B, D1, 57] {CMP EDX, ECX; PUSH EDI}
.text fltMgr.sys!FltGetIrpName + 10D F73F6ECB 2 Bytes [8F, 3E]
.text fltMgr.sys!FltGetIrpName + 112 F73F6ED0 65 Bytes [0F, 84, 0F, 02, 00, 00, 83, ...]
.text fltMgr.sys!FltGetIrpName + 154 F73F6F12 2 Bytes [85, F8] {TEST EAX, EDI}
.text fltMgr.sys!FltGetIrpName + 159 F73F6F17 57 Bytes [85, C0, 0F, 84, F0, 02, 00, ...]
.text ...
.text fltMgr.sys!FltUninitializeOplock + 53 F73F80FD 25 Bytes [FF, 15, AC, BD, 3F, F7, F7, ...]
.text fltMgr.sys!FltCheckOplock + 13 F73F8117 54 Bytes [F7, 56, 8B, 75, FC, 53, 56, ...]
.text fltMgr.sys!FltCheckOplock + 4A F73F814E 76 Bytes [4E, 18, 8B, 45, 0C, 89, 48, ...]
.text fltMgr.sys!FltCheckOplock + 97 F73F819B 21 Bytes JMP F8D08121
.text fltMgr.sys!FltCheckOplock + AD F73F81B1 132 Bytes [05, 80, F0, 3F, F7, 88, 51, ...]
.text fltMgr.sys!FltCheckOplock + 132 F73F8236 175 Bytes [6B, 00, 00, 00, 5C, 00, 44, ...]
.text fltMgr.sys!FltAllocateCallbackData + 50 F73F82E6 8 Bytes [43, 0C, 40, 89, 46, 0C, 8D, ...]
.text fltMgr.sys!FltAllocateCallbackData + 59 F73F82EF 8 Bytes [50, 8D, 46, 10, 50, E8, CD, ...]
.text fltMgr.sys!FltAllocateCallbackData + 62 F73F82F8 83 Bytes [00, 89, 45, E4, 85, C0, 0F, ...]
.text fltMgr.sys!FltAllocateCallbackData + B6 F73F834C 90 Bytes [08, 89, 50, 04, 89, 41, 04, ...]
.text fltMgr.sys!FltAllocateCallbackData + 111 F73F83A7 14 Bytes [89, 4D, C0, 8B, 50, 04, 89, ...] {MOV [EBP-0x40], ECX; MOV EDX, [EAX+0x4]; MOV [EBP-0x44], EDX; MOV [EDX], ECX; MOV [ECX+0x4], EDX}
.text ...
.text fltMgr.sys!FltFreeCallbackData + 1D F73F867F 42 Bytes [4B, E4, 89, 48, 18, 8B, 4B, ...]
.text fltMgr.sys!FltFreeCallbackData + 48 F73F86AA 60 Bytes [4E, 0C, 89, 48, 10, EB, 3C, ...]
.text fltMgr.sys!FltReuseCallbackData + 1F F73F86E7 38 Bytes [74, 04, 83, 49, 08, 10, 8B, ...]
.text fltMgr.sys!FltReuseCallbackData + 46 F73F870E 8 Bytes [4E, 18, 8B, 46, 28, 6A, 00, ...]
.text fltMgr.sys!FltReuseCallbackData + 4F F73F8717 11 Bytes [8B, 4E, 1C, 6A, 00, FF, 75, ...] {MOV ECX, [ESI+0x1c]; PUSH 0x0; PUSH DWORD [EBP+0x10]; MOV [EAX+0x4], ECX}
.text fltMgr.sys!FltReuseCallbackData + 5C F73F8724 2 Bytes [F4, BD]
.text fltMgr.sys!FltReuseCallbackData + 60 F73F8728 23 Bytes [56, FF, 15, 18, BE, 3F, F7, ...]
.text ...
.text fltMgr.sys!FltPerformSynchronousIo + 5A F73F8986 7 Bytes [08, D2, FF, FF, 5E, 5D, C2]
.text fltMgr.sys!FltPerformSynchronousIo + 62 F73F898E 33 Bytes [00, CC, CC, CC, CC, CC, 8B, ...]
.text fltMgr.sys!FltPerformSynchronousIo + 89 F73F89B5 3 Bytes [8B, 7D, 18] {MOV EDI, [EBP+0x18]}
.text fltMgr.sys!FltPerformSynchronousIo + 8D F73F89B9 28 Bytes [46, 60, 8B, 46, 64, 8A, 40, ...]
.text fltMgr.sys!FltPerformSynchronousIo + AA F73F89D6 70 Bytes [BB, FF, FF, 89, 07, 83, 3F, ...]
.text fltMgr.sys!FltPerformAsynchronousIo + 23 F73F8A1D 12 Bytes [FF, 75, 14, FF, 75, 0C, 56, ...] {PUSH DWORD [EBP+0x14]; PUSH DWORD [EBP+0xc]; PUSH ESI; CALL 0xfffffffffffffe2f}
.text fltMgr.sys!FltPerformAsynchronousIo + 30 F73F8A2A 4 Bytes [45, FC, 8B, 45]
.text fltMgr.sys!FltPerformAsynchronousIo + 35 F73F8A2F 44 Bytes [5F, 5E, 5B, C9, C2, 14, 00, ...]
.text fltMgr.sys!FltPerformAsynchronousIo + 62 F73F8A5C 90 Bytes [48, 20, 89, 4D, EC, 8B, 4E, ...]
.text fltMgr.sys!FltPerformAsynchronousIo + BD F73F8AB7 44 Bytes [8B, D8, 3B, DF, 7D, 10, FF, ...]
.text ...
.text fltMgr.sys!FltReadFile + 1 F73F8B1B 2 Bytes [48, 3C]
.text fltMgr.sys!FltReadFile + 4 F73F8B1E 18 Bytes [49, 28, 8B, 49, 2C, 83, 4D, ...]
.text fltMgr.sys!FltReadFile + 17 F73F8B31 52 Bytes [4E, 08, 57, 33, FF, 89, 45, ...]
.text fltMgr.sys!FltReadFile + 4C F73F8B66 1 Byte [10]
.text fltMgr.sys!FltReadFile + 4C F73F8B66 58 Bytes [10, 89, 46, 0C, 56, 8B, D8, ...]
.text ...
.text fltMgr.sys!FltWriteFile + A F73F8C62 12 Bytes [10, 3B, C6, 74, 07, 8B, 18, ...]
.text fltMgr.sys!FltWriteFile + 17 F73F8C6F 2 Bytes [5F, 38]
.text fltMgr.sys!FltWriteFile + 1A F73F8C72 19 Bytes [47, 3C, 39, 75, 24, 89, 45, ...]
.text fltMgr.sys!FltWriteFile + 2E F73F8C86 29 Bytes [1C, D1, E8, A8, 01, 75, 0C, ...]
.text fltMgr.sys!FltWriteFile + 6B F73F8CC3 68 Bytes [F8, EB, 06, 89, 75, F4, 89, ...]
.text ...
.text fltMgr.sys!FltAcquireResourceExclusive + 4 F73F8DA6 28 Bytes [18, 8B, 40, 04, EB, 06, 8B, ...]
.text fltMgr.sys!FltAcquireResourceShared + 1 F73F8DC3 135 Bytes [45, 1C, D1, E8, A8, 01, 75, ...]
.text fltMgr.sys!FltAcquirePushLockShared + 21 F73F8E4B 215 Bytes [06, 8B, 46, 08, 83, 08, 01, ...]
.text fltMgr.sys!FltReleasePushLock + C9 F73F8F23 14 Bytes [5D, C2, 04, 00, CC, CC, CC, ...] {POP EBP; RET 0x4; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text fltMgr.sys!FltReleasePushLock + D8 F73F8F32 5 Bytes [15, AC, BD, 3F, F7] {ADC EAX, 0xf73fbdac}
.text fltMgr.sys!FltReleasePushLock + DE F73F8F38 23 Bytes [4D, 08, 6A, 02, 5A, 33, C0, ...]
.text fltMgr.sys!FltReleasePushLock + F6 F73F8F50 9 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP}
.text fltMgr.sys!FltReleasePushLock + 100 F73F8F5A 58 Bytes [EC, 56, FF, 15, AC, BD, 3F, ...]
.text ...
.text fltMgr.sys!FltSendMessage + 56 F73F916A 1 Byte [55]
.text fltMgr.sys!FltSendMessage + 56 F73F916A 21 Bytes [55, 8B, EC, 8B, 45, 08, 53, ...]
.text fltMgr.sys!FltSendMessage + 6C F73F9180 86 Bytes [4F, 58, 8D, 50, 40, 3B, CA, ...]
.text fltMgr.sys!FltSendMessage + C3 F73F91D7 48 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
.text fltMgr.sys!FltSendMessage + F4 F73F9208 5 Bytes [75, D4, 89, 75, C4] {JNZ 0xffffffffffffffd6; MOV [EBP-0x3c], ESI}
.text ...
.text fltMgr.sys!FltGetFileNameInformation F73F9EF4 11 Bytes [02, 00, 00, 0F, 8C, FF, 00, ...]
.text fltMgr.sys!FltGetFileNameInformation + C F73F9F00 1 Byte [47]
.text fltMgr.sys!FltGetFileNameInformation + C F73F9F00 118 Bytes [47, 08, 3B, 81, C8, 02, 00, ...]
.text fltMgr.sys!FltGetFileNameInformation + 83 F73F9F77 22 Bytes [75, F4, FF, 75, FC, E8, 01, ...]
.text fltMgr.sys!FltGetFileNameInformation + 9A F73F9F8E 114 Bytes [F0, 09, 47, 28, 33, C0, 83, ...]
.text ...
.text fltMgr.sys!FltDecodeParameters + 2 F73FA12C 8 Bytes CALL F7409B8D fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
.text fltMgr.sys!FltDecodeParameters + B F73FA135 22 Bytes [F0, 85, F6, 7C, 1F, FF, 75, ...]
.text fltMgr.sys!FltDecodeParameters + 22 F73FA14C 21 Bytes [48, 30, 8B, 55, 10, 89, 0A, ...]
.text fltMgr.sys!FltDecodeParameters + 38 F73FA162 26 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...]
.text fltMgr.sys!FltDecodeParameters + 53 F73FA17D 5 Bytes [B8, 9A, 00, 00, C0] {MOV EAX, 0xc000009a}
.text ...
.text fltMgr.sys!FltLockUserBuffer + 3A F73FA274 70 Bytes [50, 0C, 8B, 4D, 10, 85, C9, ...]
.text fltMgr.sys!FltLockUserBuffer + 82 F73FA2BC 48 Bytes [C6, 45, E7, 00, 8D, 45, D4, ...]
.text fltMgr.sys!FltLockUserBuffer + B3 F73FA2ED 21 Bytes [00, 8B, 4D, DC, 3B, CB, 0F, ...]
.text fltMgr.sys!FltLockUserBuffer + C9 F73FA303 60 Bytes [31, 8B, 45, D8, FF, 30, FF, ...]
.text fltMgr.sys!FltLockUserBuffer + 106 F73FA340 8 Bytes [BF, 3F, F7, EB, 23, 83, 65, ...]
.text ...
.text fltMgr.sys!FltRetainSwappedBufferMdlAddress + B F73FA875 109 Bytes [4A, 14, 89, 48, 14, EB, 09, ...]
.text fltMgr.sys!FltRetainSwappedBufferMdlAddress + 79 F73FA8E3 155 Bytes [89, 4D, F8, 88, 4D, FF, 8B, ...]
.text fltMgr.sys!FltCompletePendedPreOperation + F F73FA97F 47 Bytes [4B, 14, 33, D2, 42, E8, B3, ...]
.text fltMgr.sys!FltCompletePendedPreOperation + 3F F73FA9AF 11 Bytes [46, 08, 56, 89, 70, 34, E8, ...] {INC ESI; OR [ESI-0x77], DL; JO 0x3a; CALL 0xffffffffffffacc1}
.text fltMgr.sys!FltCompletePendedPreOperation + 4B F73FA9BB 2 Bytes [45, F8] {INC EBP; CLC }
.text fltMgr.sys!FltCompletePendedPreOperation + 4F F73FA9BF 65 Bytes [F8, 5F, 5E, 5B, C9, C2, 0C, ...]
.text fltMgr.sys!FltCompletePendedPreOperation + 91 F73FAA01 97 Bytes [20, 8B, 4D, 0C, 89, 48, 4C, ...]
.text fltMgr.sys!FltCompletePendedPostOperation + 4D F73FAA63 29 Bytes [FF, 55, 8B, EC, 51, 51, 8B, ...]
.text fltMgr.sys!FltCompletePendedPostOperation + 6B F73FAA81 6 Bytes [46, 20, 33, FF, 57, 57] {INC ESI; AND [EBX], DH; CALL [EDI+0x57]}
.text fltMgr.sys!FltCompletePendedPostOperation + 72 F73FAA88 78 Bytes [45, FC, 57, 8D, 45, 08, 50, ...]
.text fltMgr.sys!FltAllocatePoolAlignedWithTag + 1 F73FAAD7 2 Bytes [45, 08]
.text fltMgr.sys!FltAllocatePoolAlignedWithTag + 4 F73FAADA 1 Byte [00]
.text fltMgr.sys!FltAllocatePoolAlignedWithTag + 4 F73FAADA 9 Bytes [00, 8B, 5D, FC, 89, 43, 04, ...]
.text fltMgr.sys!FltFreePoolAlignedWithTag + C F73FAB3A 2 Bytes [71, 5C] {JNO 0x5e}
.text fltMgr.sys!FltFreePoolAlignedWithTag + F F73FAB3D 42 Bytes [FE, 07, FF, 75, 14, 76, 21, ...]
.text fltMgr.sys!FltFreePoolAlignedWithTag + 3A F73FAB68 16 Bytes [0C, FF, 15, E4, BE, 3F, F7, ...] {OR AL, 0xff; ADC EAX, 0xf73fbee4; POP ESI; POP EBP; RET 0x10; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text fltMgr.sys!FltFreePoolAlignedWithTag + 4B F73FAB79 61 Bytes [CC, 8B, FF, 55, 8B, EC, 8B, ...]
.text fltMgr.sys!FltFreePoolAlignedWithTag + 89 F73FABB7 62 Bytes [00, 33, F6, 89, 75, D8, C6, ...]
.text ...
.text fltMgr.sys!FltCancelIo + 1D F73FADE3 72 Bytes [32, C0, EB, 07, 50, FF, 15, ...]
.text fltMgr.sys!FltIsIoCanceled + 12 F73FAE2C 59 Bytes [EC, 8B, 45, 08, F6, 00, 01, ...]
.text fltMgr.sys!FltCbdqDisable + 2 F73FAE68 37 Bytes [D7, 5F, 5E, 5D, C2, 08, 00, ...]
.text fltMgr.sys!FltCbdqEnable + 2 F73FAE8E 37 Bytes [56, 38, 5E, 5D, C2, 04, 00, ...]
.text fltMgr.sys!FltCbdqEnable + 28 F73FAEB4 71 Bytes [56, 38, 5E, 5D, C2, 04, 00, ...]
.text fltMgr.sys!FltCbdqEnable + 70 F73FAEFC 13 Bytes [55, 8B, EC, 8B, 45, 0C, FF, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0xc]; PUSH DWORD [EAX+0x44]; MOV EAX, [EBP+0x8]; PUSH EAX}
.text fltMgr.sys!FltCbdqEnable + 7E F73FAF0A 55 Bytes [50, 2C, 5D, C2, 08, 00, CC, ...]
.text fltMgr.sys!FltCbdqEnable + B6 F73FAF42 63 Bytes [00, CC, CC, CC, CC, CC, 8B, ...]
.text ...
.text fltMgr.sys!FltCbdqInsertIo + 3B F73FAFCB 13 Bytes [F8, 85, FF, 7D, 08, FF, 76, ...] {CLC ; TEST EDI, EDI; JGE 0xd; PUSH DWORD [ESI+0x24]; CALL 0x2c7}
.text fltMgr.sys!FltCbdqRemoveIo + 1 F73FAFD9 31 Bytes [C7, 5F, 5E, 5D, C2, 10, 00, ...]
.text fltMgr.sys!FltCbdqRemoveIo + 21 F73FAFF9 51 Bytes [85, C0, 74, 0D, FF, 77, 24, ...]
.text fltMgr.sys!FltCbdqRemoveNextIo + 21 F73FB02D 47 Bytes [85, C0, 74, 0D, FF, 77, 24, ...]
.text fltMgr.sys!FltSetCancelCompletion + 1D F73FB05D 61 Bytes [C1, A4, 89, 48, 44, 89, 50, ...]
.text fltMgr.sys!FltDoCompletionProcessingWhenSafe + 30 F73FB09C 101 Bytes [08, 02, 75, 3C, 38, 48, 21, ...]
.text fltMgr.sys!FltAllocateDeferredIoWorkItem + E F73FB104 475 Bytes [68, 00, ED, 3F, F7, E8, 52, ...]
.text fltMgr.sys!FltObjectDereference + 5C F73FB2E0 33 Bytes [76, 14, 56, FF, 15, E0, BF, ...]
.text fltMgr.sys!FltObjectDereference + 7E F73FB302 34 Bytes [EC, 8B, 45, 08, 8B, 00, 56, ...]
.text fltMgr.sys!FltObjectDereference + A1 F73FB325 2 Bytes [FF, 55]
.text fltMgr.sys!FltObjectDereference + A4 F73FB328 87 Bytes [EC, 8B, 45, 08, 8B, 08, 85, ...]
.text fltMgr.sys!FltObjectDereference + FC F73FB380 7 Bytes [00, CC, CC, CC, CC, CC, 8B]
.text ...
.text fltMgr.sys!FltIs32bitProcess + 8 F73FB68C 47 Bytes [8B, 11, F6, C2, 01, 56, 75, ...]
.text fltMgr.sys!FltGetRequestorProcessId + 6 F73FB6BC 43 Bytes [15, F4, BD, 3F, F7, 5E, C3, ...]
.text fltMgr.sys!FltGetRequestorProcessId + 32 F73FB6E8 45 Bytes [D8, 74, EC, 8B, C2, 83, E3, ...]
.text fltMgr.sys!FltGetRequestorProcessId + 60 F73FB716 2 Bytes [F2, 64]
.text fltMgr.sys!FltGetRequestorProcessId + 63 F73FB719 102 Bytes [B6, 05, 51, 00, 00, 00, 33, ...]
.text fltMgr.sys!FltGetRequestorProcessId + CA F73FB780 17 Bytes [7B, 4C, 8B, 07, 83, F8, 01, ...] {JNP 0x4e; MOV EAX, [EDI]; CMP EAX, 0x1; JNZ 0xe; MOV ESI, [EDI+0x8]; JMP 0x1a; CMP EAX, 0x2}
.text ...
PAGE fltMgr.sys!FltAttachVolume + 7 F73FF0F3 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
PAGE fltMgr.sys!FltAttachVolume + C F73FF0F8 19 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
PAGE fltMgr.sys!FltAttachVolume + 20 F73FF10C 12 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 7 F73FF119 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 12 F73FF124 14 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 21 F73FF133 20 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 36 F73FF148 62 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 75 F73FF187 16 Bytes [FF, 55, 8B, EC, 53, 56, 57, ...] {CALL [EBP-0x75]; IN AL, DX ; PUSH EBX; PUSH ESI; PUSH EDI; PUSH DWORD [EBP+0xc]; CALL [0xf73fc034]}
PAGE ...
PAGE fltMgr.sys!FltDetachVolume + 63 F73FF705 53 Bytes [39, 7D, E0, 7C, 09, 8B, 45, ...]
PAGE fltMgr.sys!FltDetachVolume + 9A F73FF73C 40 Bytes [E0, 8B, 75, 0C, 8B, 7E, 28, ...]
PAGE fltMgr.sys!FltDetachVolume + C7 F73FF769 121 Bytes [89, 45, E0, 3B, C3, 0F, 8C, ...]
PAGE fltMgr.sys!FltDetachVolume + 141 F73FF7E3 22 Bytes [74, 0A, 8B, CE, FF, 15, 94, ...]
PAGE fltMgr.sys!FltDetachVolume + 158 F73FF7FA 18 Bytes [48, 04, 89, 4D, C0, 89, 03, ...]
PAGE ...
PAGE fltMgr.sys!FltGetVolumeFromInstance + 1E F7400CB8 43 Bytes [8D, 46, 0C, 89, 40, 04, 89, ...]
PAGE fltMgr.sys!FltGetFilterFromInstance + 22 F7400CE4 65 Bytes [89, 18, 33, C0, 5F, 5E, 5B, ...]
PAGE fltMgr.sys!FltGetInstanceInformation + 3D F7400D27 110 Bytes [00, 89, 75, E0, C7, 45, E8, ...]
PAGE fltMgr.sys!FltGetInstanceInformation + AC F7400D96 275 Bytes [00, 00, CC, CC, CC, CC, CC, ...]
PAGE fltMgr.sys!FltGetInstanceInformation + 1C0 F7400EAA 50 Bytes [45, 08, 8B, 40, 18, 56, 8B, ...]
PAGE fltMgr.sys!FltGetInstanceInformation + 225 F7400F0F 11 Bytes [74, 56, 48, 74, 3F, 48, 74, ...]
PAGE fltMgr.sys!FltGetInstanceInformation + 231 F7400F1B 19 Bytes JMP F740111C fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
PAGE fltMgr.sys!FltEnumerateVolumes + F F7400F2F 143 Bytes [00, 00, 3B, C6, 0F, 85, E4, ...]
PAGE fltMgr.sys!FltEnumerateVolumes + 9F F7400FBF 34 Bytes [03, 8B, 4D, 08, 66, 89, 46, ...]
PAGE fltMgr.sys!FltEnumerateInstances + 16 F7400FE2 38 Bytes [45, 10, 0F, B7, C3, 03, C6, ...]
PAGE fltMgr.sys!FltEnumerateInstances + 3D F7401009 47 Bytes [46, 08, 66, 89, 5E, 0A, 66, ...]
PAGE fltMgr.sys!FltEnumerateInstances + 6D F7401039 93 Bytes [F8, 8B, 4D, 08, 66, 89, 46, ...]
PAGE fltMgr.sys!FltEnumerateInstances + CB F7401097 62 Bytes [45, F8, 50, FF, 15, 24, C0, ...]
PAGE fltMgr.sys!FltEnumerateInstances + 10A F74010D6 12 Bytes [50, 66, 89, 4D, FA, FF, 15, ...]
PAGE ...
PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 2 F74011D2 39 Bytes [15, AC, BD, 3F, F7, 6A, 01, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 2C F74011FC 14 Bytes [FF, 45, FC, 83, 45, 0C, 04, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 3B F740120B 25 Bytes [14, 77, 1D, FF, 75, 08, E8, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 55 F7401225 38 Bytes [4D, FC, 83, 6D, 0C, 04, 8B, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 7C F740124C 72 Bytes [14, 76, 16, 8B, 45, 10, 8D, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 23 F7401295 52 Bytes [5E, 30, 53, FF, 15, A8, BD, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 58 F74012CA 57 Bytes [45, 08, 8B, 36, 3B, F7, 75, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 93 F7401305 7 Bytes [10, FF, 75, FC, E8, E6, FB]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 9B F740130D 45 Bytes [FF, FF, 75, FC, 8B, F0, E8, ...]
PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + CA F740133C 2 Bytes [A8, BD] {TEST AL, 0xbd}
PAGE ...
PAGE fltMgr.sys!FltGetFilterFromName + 5F F74015F9 49 Bytes [15, B0, BD, 3F, F7, 0F, B7, ...]
PAGE fltMgr.sys!FltGetFilterFromName + 91 F740162B 100 Bytes JMP 82E60932
PAGE fltMgr.sys!FltGetVolumeInstanceFromName + 12 F7401690 120 Bytes [47, F4, 89, 45, FC, 6A, 01, ...]
PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 5 F7401713 6 Bytes [FF, 75, 10, 8B, 45, 08] {PUSH DWORD [EBP+0x10]; MOV EAX, [EBP+0x8]}
PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + C F740171A 34 Bytes [75, 0C, FF, 70, 14, E8, 7A, ...]
PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 2F F740173D 11 Bytes [75, 0C, 8D, 46, 4C, 6A, 01, ...] {JNZ 0xe; LEA EAX, [ESI+0x4c]; PUSH 0x1; PUSH EAX; MOV [EBP+0xc], EAX}
PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 3B F7401749 40 Bytes [15, A8, BD, 3F, F7, 8D, 9E, ...]
PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 64 F7401772 83 Bytes [8D, 46, 2C, 50, FF, 15, E0, ...]
PAGE fltMgr.sys!FltGetLowerInstance + 34 F74017C6 3 Bytes [FF, 75, 0C] {PUSH DWORD [EBP+0xc]}
PAGE fltMgr.sys!FltGetLowerInstance + 38 F74017CA 2 Bytes [15, 34]
PAGE fltMgr.sys!FltGetLowerInstance + 3B F74017CD 52 Bytes [3F, F7, 8B, 1D, 38, C0, 3F, ...]
PAGE fltMgr.sys!FltGetUpperInstance + 2 F7401802 7 Bytes [8B, F7, 75, D1, B8, 0D, 00]
PAGE fltMgr.sys!FltGetUpperInstance + A F740180A 57 Bytes [C0, 5F, 5E, 5B, 5D, C2, 0C, ...]
PAGE fltMgr.sys!FltGetUpperInstance + 44 F7401844 62 Bytes [55, 8B, EC, 51, 83, 65, FC, ...]
PAGE fltMgr.sys!FltGetTopInstance + 15 F7401883 109 Bytes [EB, 33, FF, C7, 45, FC, 1A, ...]
PAGE fltMgr.sys!FltGetBottomInstance + 15 F74018F1 53 Bytes [EB, 33, FF, C7, 45, FC, 1A, ...]
PAGE fltMgr.sys!FltGetBottomInstance + 4B F7401927 20 Bytes [00, 53, 56, 57, FF, 15, AC, ...]
PAGE fltMgr.sys!FltGetBottomInstance + 60 F740193C 12 Bytes [08, FF, 15, A8, BD, 3F, F7, ...]
PAGE fltMgr.sys!FltGetBottomInstance + 6D F7401949 20 Bytes [8B, 37, EB, 0F, 8D, 5E, F4, ...]
PAGE fltMgr.sys!FltGetBottomInstance + 82 F740195E 49 Bytes [75, ED, 33, DB, C7, 45, FC, ...]
PAGE ...
PAGE fltMgr.sys!FltGetFilterInformation + 4B F74019ED 11 Bytes [5F, 89, 18, 8B, 45, FC, 5E, ...]
PAGE fltMgr.sys!FltGetFilterInformation + 57 F74019F9 58 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
PAGE fltMgr.sys!FltGetFilterInformation + 92 F7401A34 31 Bytes [15, B4, BD, 3F, F7, FF, 15, ...]
PAGE fltMgr.sys!FltGetFilterInformation + B2 F7401A54 9 Bytes [55, 8B, EC, 8B, 45, 18, 83, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x18]; AND DWORD [EAX], 0x0}