Ran into another faked anti-virus program:
FreeFixer log below. I've highlighted the bad items in red. Hope this helps you with the removal.
FreeFixer v0.50 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-12-10 02:49
Registry Startups (3 whitelisted)
HKCU\..\Run, Internet Security 2010 = C:\Program Files\InternetSecurity2010\IS2010.exe
Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
Recently created/modified files
0 minutes, c:\Program Files\InternetSecurity2010\IS2010.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\O1EF052R\SetupIS2010[1].exe
Wednesday, 9 December 2009
Friday, 13 November 2009
Koobface "Locks" Computer With Captcha
Koobface is still going strong. Here you can see it in action. It "locks" the computer and asks the user to solve a captcha:
I've pasted the FreeFixer log from the infected system. Everything is malware except freefixer.exe:
FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-14 01:55
Registry Startups (3 whitelisted)
HKLM\..\Run, sysldtray = c:\windows\ld15.exe
HKLM\..\Run, Captcha7 = rundll "C:\Program Files\captcha.dll",captcha
HKLM\..\Run, sysfbtray = c:\windows\freddy73.exe
Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
c:\windows\freddy73.exe
Recently created/modified files
8 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\WEGR55JE\v2googlecheck[1].exe
8 minutes, c:\Program Files\captcha.dll
8 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\v2captcha[1].exe
20 minutes, c:\WINDOWS\zwer_1258158897.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\v2googlecheck[1].exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\v2captcha[1].exe
20 minutes, c:\WINDOWS\freddy73.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\O1EF052R\fb[1].73.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\get[1].exe
21 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\ff2ie[1].exe
21 minutes, c:\WINDOWS\ld15.exe
End of FreeFixer log
Control Center Rogue
Yet another rogue. This one is promoted as a free video. If you install the "video", you will get the Control Center Rogue. It claims to detect lots of viruses on a clean system. It also replaces the default shell with cc.exe.
If you got this infection and want to start your default shell (explorer.exe) again, just press Ctrl + Shift + Esc and the Task Manager will pop up. Open the File menu and select New Task. Type in explorer.exe and press Enter. Now you can start FreeFixer to remove the ControlCenter malware. I've marked the malware files in red in the FreeFixer log below:
FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-14 00:30
Shell settings
HKCU\..\Winlogon, Shell = C:\Documents and Settings\roger\Application Data\CC\cc.exe
Registry Startups (3 whitelisted)
HKCU\..\Run, agent.exe = C:\Documents and Settings\roger\Application Data\CC\agent.exe
Processes (18 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\Documents and Settings\roger\Application Data\CC\agent.exe
C:\Documents and Settings\roger\Application Data\CC\cc.exe
End of FreeFixer log
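The checks a reader makes by eye in these logs can be scripted. The following is an added example, not part of the original post or of FreeFixer: it parses a log in the layout used on this page and flags a replaced Winlogon shell, a disabled Task Manager policy, and startup entries or processes that run from a Temp folder or point at a recently created file. The sample log, its paths and the rule names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the FreeFixer logs on this page.
# All names and paths below are made up for illustration.
SAMPLE_LOG = r"""FreeFixer v0.49 log
Operating system: Windows XP Service Pack 2
System policies
HKCU\..\policies\system, DisableTaskMgr = 1
Shell settings
HKCU\..\Winlogon, Shell = C:\Documents and Settings\user\Application Data\XX\shell.exe
Registry Startups (3 whitelisted)
HKCU\..\Run, helper.exe = C:\DOCUME~1\user\LOCALS~1\Temp\helper.exe
HKLM\..\Run, Example Guard = "C:\Program Files\Example Guard\guard.exe" -min
HKLM\..\Run, Printer Tray = C:\Program Files\Printer\tray.exe
Processes (18 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\user\LOCALS~1\Temp\helper.exe
Recently created/modified files (16 whitelisted)
0 minutes, c:\Program Files\Example Guard\guard.exe
0 minutes, c:\Documents and Settings\user\Local Settings\Temp\helper.exe
End of FreeFixer log
"""

SECTIONS = ("System policies", "Shell settings", "Registry Startups",
            "Autostart shortcuts", "Processes", "Application modules",
            "Recently created/modified files", "HOSTS file")
HEADER_RE = re.compile(r"^(%s)(?: \(\d+ whitelisted\))?$"
                       % "|".join(map(re.escape, SECTIONS)))
# "HKCU\..\Run, value name = command line"
REG_RE = re.compile(r"^(HK\w+\\\.\.\\[^,]+), (.+?) = (.*)$")
# First drive-rooted path ending in an executable extension; tolerates
# spaces in the path, surrounding quotes and trailing switches.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl)\b', re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
RECENT_RE = re.compile(r"^-?\d+ minutes?, (.+)$")
# Assumption: anything other than these counts as a replaced shell.
DEFAULT_SHELLS = ("explorer.exe", r"c:\windows\explorer.exe")


def parse_sections(text):
    """Group the item lines of a log under their section header."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
        elif line.startswith("End of FreeFixer log"):
            current = None
        elif current and line:
            sections[current].append(line)
    return sections


def target_path(command):
    """Lower-cased executable path from a startup command, or None."""
    m = PATH_RE.search(command)
    return m.group(0).lower() if m else None


def triage(text):
    """Return a list of (rule, item) findings for one log."""
    sec = parse_sections(text)
    recent = {m.group(1).lower() for m in
              map(RECENT_RE.match, sec["Recently created/modified files"]) if m}
    findings = []
    for m in filter(None, map(REG_RE.match, sec["System policies"])):
        if m.group(2) == "DisableTaskMgr" and m.group(3).strip() == "1":
            findings.append(("taskmgr-disabled", m.group(1)))
    for m in filter(None, map(REG_RE.match, sec["Shell settings"])):
        shell = m.group(3).strip().strip('"').lower()
        if m.group(2) == "Shell" and shell not in DEFAULT_SHELLS:
            findings.append(("shell-override", m.group(3)))
    for m in filter(None, map(REG_RE.match, sec["Registry Startups"])):
        path = target_path(m.group(3))
        if path is None:
            continue
        if TEMP_RE.search(path):
            findings.append(("run-from-temp", m.group(2)))
        # Exact path match only: 8.3 short names (DOCUME~1) are not expanded.
        if path in recent:
            findings.append(("run-target-recent", m.group(2)))
    for line in sec["Processes"]:
        if TEMP_RE.search(line):
            findings.append(("process-from-temp", line))
    return findings


if __name__ == "__main__":
    for rule, item in triage(SAMPLE_LOG):
        print(f"{rule:20} {item}")
```

A finding is a prompt to look at the file, not a verdict: installers legitimately create new startup entries too.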
Thursday, 12 November 2009
AntiAID
Another day, another faked anti-virus program. Today it's called AntiAID and claims to detect a bunch of malware on a clean computer:
I've pasted a FreeFixer log below and highlighted the malware files in red:
FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-12 10:22
Registry Startups (3 whitelisted)
HKCU\..\Run, 8enyqcv1.exe = C:\WINDOWS\system32\8enyqcv1.exe
HKCU\..\Run, AntiAID = C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe -min
Processes (20 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\8enyqcv1.exe
C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe
Recently created/modified files (29 whitelisted)
-123 minutes, c:\Program Files\AntiAID Software\AntiAID\AntiAID.exe
End of FreeFixer log
Wednesday, 11 November 2009
SystemWarrior Malware
Ran into a new faked anti-virus program today called System Warrior. It claims to have found lots of malware on a clean system:
I've pasted the FreeFixer log from the infected system below, and marked the malware items in red. Hopefully this will help you to remove SystemWarrior:
FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-11 14:51
Registry Startups (3 whitelisted)
HKLM\..\Run, SystemWarrior = "C:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe" -min
HKCU\..\Run, zrn6.tmp.exe = C:\WINDOWS\system32\zrn6.tmp.exe
Processes (21 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\zrn6.tmp.exe
C:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe
Recently created/modified files (16 whitelisted)
0 minutes, c:\Program Files\SystemWarrior Software\SystemWarrior\Uninstall.exe
0 minutes, c:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe
0 minutes, c:\WINDOWS\system32\zrn6.tmp.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temp\zrn6.tmp.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temp\tbg5.tmp.exe
End of FreeFixer log
Monday, 9 November 2009
AntiMalware Rogue
Friday, 6 November 2009
BlockProtector
Ran into a new faked anti-virus program today. This time it's called BlockProtector and claims to have found 700+ "SPYWARE Objects":
Here's a FreeFixer log from the infected system. I've marked the malware files with red:
FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-06 22:55
Registry Startups (3 whitelisted)
HKLM\..\Run, BlockProtector.exe = C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
HKCU\..\Run, gdm1F.tmp.exe = C:\WINDOWS\system32\gdm1F.tmp.exe
Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\gdm1F.tmp.exe
C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
Application modules (85 whitelisted)
C:\WINDOWS\system32\MSVCR71.dll
Recently created/modified files (27 whitelisted)
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\update\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.exe
End of FreeFixer log
Tuesday, 3 November 2009
McAfee + Adobe Reader 9
Monday, 2 November 2009
BlockScanner Rogue
Ran into a new rogue today called BlockScanner:
Here's a FreeFixer log which shows what modifications the Block Scanner software did on the infected computer:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-02 13:03
Registry Startups (3 whitelisted)
HKLM\..\Run, 0079dcbc.exe = C:\WINDOWS\system32\0079dcbc.exe
HKCU\..\Run, goz21.tmp.exe = C:\WINDOWS\system32\goz21.tmp.exe
HKCU\..\Run, BlockScanner = C:\Program Files\BlockScanner Software\BlockScanner\BlockScanner.exe -min
Processes (20 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\goz21.tmp.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\nqn22.tmp.exe
C:\Program Files\BlockScanner Software\BlockScanner\BlockScanner.exe
Recently created/modified files (1 whitelisted)
3 minutes, c:\Program Files\BlockScanner Software\BlockScanner\uninstall.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\nsu20.tmp\nsProcess.dll
3 minutes, c:\WINDOWS\system32\goz21.tmp.exe
3 minutes, c:\WINDOWS\system32\0079dcbc.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\nqn22.tmp.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\goz21.tmp.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\rew1E.tmp.exe
..
Sunday, 1 November 2009
My Favorite Screenshots
Wednesday, 28 October 2009
Windows Police Pro
Another day, another rogue. This one is called Windows Police Pro:
Here's a FreeFixer log from the infected computer. Malware files appear in red:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:28
Registry Startups (3 whitelisted)
HKCU\..\Run, inixs = C:\WINDOWS\system32\minix32.exe
Processes (18 whitelisted)
C:\WINDOWS\system32\minix32.exe
C:\Program Files\FreeFixer\freefixer.exe
Recently created/modified files (18 whitelisted)
2 minutes, c:\WINDOWS\system32\pump.exe
3 minutes, c:\WINDOWS\svchast.exe
3 minutes, c:\WINDOWS\system32\plugie.dll
3 minutes, c:\Program Files\Windows Police Pro\Windows Police Pro.exe
3 minutes, c:\Program Files\Windows Police Pro\msvcr80.dll
3 minutes, c:\Program Files\Windows Police Pro\msvcp80.dll
3 minutes, c:\Program Files\Windows Police Pro\msvcm80.dll
Tuesday, 27 October 2009
Active Security rogue
Another rogue, dubbed Active Security:
Here's a FreeFixer log of the infected system. Malware files appear in red:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 17:57
Registry Startups (3 whitelisted)
HKCU\..\Run, wow64main.exe = C:\DOCUME~1\roger\LOCALS~1\Temp\wow64main.exe
HKCU\..\Run, Active Security = "C:\Program Files\Active Security\asecurity.exe" -noscan
Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\wow64main.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Active Security\asecurity.exe
..
EnumPageFiles missing in Windows 2000
Seems like the EnumPageFiles documentation at MSDN is incorrect. EnumPageFiles should be available starting with Windows 2000 Pro, but there's no export with that name in psapi.dll.
This is a dump of the functions available in psapi.dll on my Windows 2000 Pro machine (No service pack installed):
C:\Program Files\Microsoft Visual Studio 8\VC>dumpbin /exports c:\tmp\dump\psapi.dll
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file c:\tmp\dump\psapi.dll
File Type: DLL
Section contains the following exports for PSAPI.DLL
00000000 characteristics
37EC8753 time date stamp Sat Sep 25 10:26:59 1999
0.00 version
1 ordinal base
19 number of functions
19 number of names
ordinal hint RVA name
1 0 00001CDE EmptyWorkingSet
2 1 00001226 EnumDeviceDrivers
3 2 00001981 EnumProcessModules
4 3 00003106 EnumProcesses
5 4 00001106 GetDeviceDriverBaseNameA
6 5 00001789 GetDeviceDriverBaseNameW
7 6 00001728 GetDeviceDriverFileNameA
8 7 000016D8 GetDeviceDriverFileNameW
9 8 0000185E GetMappedFileNameA
10 9 000017E1 GetMappedFileNameW
11 A 00001BD4 GetModuleBaseNameA
12 B 00001B7E GetModuleBaseNameW
13 C 00001B1D GetModuleFileNameExA
14 D 00001AC7 GetModuleFileNameExW
15 E 00001C35 GetModuleInformation
16 F 00003233 GetProcessMemoryInfo
17 10 00003351 GetWsChanges
18 11 00003317 InitializeProcessForWsWatch
19 12 00001D42 QueryWorkingSet
Summary
4000 .data
1000 .reloc
1000 .rsrc
4000 .text
No EnumPageFiles export. But what if I install service pack 4? Will EnumPageFiles be available there? The answer is no, psapi.dll is not updated while installing the service pack.
When running an application linking to the unavailable EnumPageFiles you will see an error message saying:
The procedure entry point EnumPageFilesA could not be located in the dynamic link library PSAPI.DLL.
The Win2k work-around
You can get the paging files from the registry by reading "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, PagingFiles".
Do you know of some other method of enumerating the paging files?
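The registry work-around above, as an added example that is not code from the original post: it decodes the raw REG_MULTI_SZ buffer a registry read returns for PagingFiles and splits each entry into its fields, and on Windows it reads the live value through Python's winreg module. It assumes the usual "path initial-size maximum-size" layout of each entry; the sample buffer and the function names are constructed for illustration.

```python
import sys

KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
VALUE = "PagingFiles"

# Constructed sample: a REG_MULTI_SZ buffer is a run of UTF-16LE strings,
# each NUL-terminated, with one extra NUL closing the list.
SAMPLE_RAW = ("C:\\pagefile.sys 768 1536\x00"
              "D:\\pagefile.sys 0 0\x00\x00").encode("utf-16-le")


def parse_multi_sz(raw):
    """Decode a raw REG_MULTI_SZ buffer into a list of strings."""
    strings = []
    for item in raw.decode("utf-16-le").split("\x00"):
        if not item:          # the empty string marks the end of the list
            break
        strings.append(item)
    return strings


def parse_paging_entry(entry):
    """Split 'path initial maximum' into fields; sizes are None if absent."""
    parts = entry.rsplit(None, 2)   # split from the right: paths may hold spaces
    if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
        return {"path": parts[0],
                "initial_mb": int(parts[1]),
                "maximum_mb": int(parts[2])}
    return {"path": entry.strip(), "initial_mb": None, "maximum_mb": None}


def read_paging_files():
    """Read the live value. Windows only: winreg does not exist elsewhere."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        entries, kind = winreg.QueryValueEx(key, VALUE)
    if kind != winreg.REG_MULTI_SZ:
        raise ValueError("PagingFiles is not a REG_MULTI_SZ value")
    # winreg has already split the buffer into a list of strings.
    return [parse_paging_entry(e) for e in entries]


if __name__ == "__main__":
    if sys.platform == "win32":
        print(read_paging_files())
    else:
        print([parse_paging_entry(e) for e in parse_multi_sz(SAMPLE_RAW)])
```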
Friday, 23 October 2009
SecurityTool Rogue
Ran into a new rogue today called "Security Tool":
This program was installed by exploiting a security hole in an unpatched Windows XP installation. Below is a FreeFixer log to show what files appeared on the infected computer:
FreeFixer v0.47 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-10-23 14:45
Registry Startups
HKLM\..\Run, sysgif32 = C:\WINDOWS\Temp\wpv511255703227.exe
HKLM\..\Run, restorer64_a = C:\WINDOWS\system32\restorer64_a.exe
HKLM\..\Run, 60306520 = C:\DOCUME~1\ALLUSE~1\APPLIC~1\60306520\60306520.exe
HKLM\..\Run, PromoReg = C:\WINDOWS\Temp\_ex-08.exe
HKLM\..\Run, Antivirus Pro 2010 = "C:\Program\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
HKLM\..\Run, Regedit32 = C:\WINDOWS\system32\regedit.exe (file is missing)
HKCU\..\Run, restorer64_a = C:\Documents and Settings\Roger\restorer64_a.exe
HKCU\..\Run, mserv = C:\Documents and Settings\Roger\Application Data\seres.exe
HKCU\..\Run, svchost = C:\Documents and Settings\Roger\Application Data\svcst.exe
Autostart shortcuts
zavupd32.exe, , C:\Documents and Settings\Roger\Start-meny\Program\Autostart\zavupd32.exe
Recently created/modified files
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN6.tmp
15 minutes, c:\WINDOWS\system32\dllcache\agp440.sys
15 minutes, c:\WINDOWS\system32\drivers\AGP440.SYS
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN5.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\TMP13.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\2B6JEHAV\win[1].exe
42 minutes, c:\WINDOWS\system32\_scui.cpl
42 minutes, c:\Program\AntivirusPro_2010\Uninstall.exe
42 minutes, c:\Program\AntivirusPro_2010\wscui.cpl
42 minutes, c:\Program\AntivirusPro_2010\htmlayout.dll
42 minutes, c:\Program\AntivirusPro_2010\pthreadVC2.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
42 minutes, c:\Program\AntivirusPro_2010\AVEngn.dll
42 minutes, c:\Program\AntivirusPro_2010\AntivirusPro_2010.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\lizkavd.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\G5ER0HM3\Install[1].exe
44 minutes, c:\Documents and Settings\All Users\Application Data\60306520\60306520.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\svcst.exe
44 minutes, c:\WINDOWS\Temp\_ex-08.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\seres.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN12.tmp
44 minutes, c:\Documents and Settings\Roger\restorer64_a.exe
45 minutes, c:\WINDOWS\system32\restorer64_a.exe
45 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\10.tmp
45 minutes, c:\WINDOWS\Temp\wpv791256209457.exe
45 minutes, c:\WINDOWS\Temp\wpv651256085323.exe
45 minutes, c:\WINDOWS\Temp\wpv511255703227.exe
Wednesday, 21 October 2009
Antivirus Pro 2010 Rogue
Monday, 21 September 2009
Total Security rogue
Friday, 14 August 2009
Thursday, 13 August 2009
Advanced Virus Remover Rogue
Ran into this rogue anti-virus program a few days ago:
Update October 27, 2009
Today I ran into this rogue again. I captured a FreeFixer log where you can see the modifications Advanced Virus Remover did on the infected computer:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:15
System policies
HKCU\..\policies\system, DisableTaskMgr = 1
Transport service providers (3 whitelisted)
{3F8DAED5-1A15-44C0-A465-27536D3B3C98} - C:\WINDOWS\system32\winhelper.dll
{6DBCA3F0-ACCF-4F0E-8998-F976BB4FA56D} - C:\WINDOWS\system32\winhelper.dll
Registry Startups (3 whitelisted)
HKLM\..\Run, winupdate.exe = C:\WINDOWS\system32\winupdate.exe
HKCU\..\Run, Advanced Virus Remover = C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Application modules (70 whitelisted)
C:\WINDOWS\system32\winhelper.dll
Recently created/modified files
1 minute, c:\Program Files\AdvancedVirusRemover\PAVRM.exe
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\SetupAdvancedVirusRemover[1].exe
1 minute, c:\WINDOWS\system32\winhelper.dll
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\dfghfghgfj[1].dll
1 minute, c:\WINDOWS\system32\winupdate.exe
..
Tuesday, 11 August 2009
Wednesday, 15 July 2009
Most annoying error ever?
Monday, 13 July 2009
Darn, my VMware virtual machine was detected
Thursday, 9 July 2009
Antivirus Plus
Ran into the good old rogue Antivirus Plus application today:
Update October 27, 2009
Today I ran into AntiVirus plus again. I capped a FreeFixer log so you can see what changes this rogue antivirus program did:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:06
Registry Startups (3 whitelisted)
HKLM\..\Run, AntiVirus Plus = C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe
HKCU\..\Run, AntiVirus Plus = C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe
Autostart shortcuts
AntiVirus Plus.lnk, , C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe
AntiVirus Plus.lnk, , C:\Program Files\AntiVirus Plus\AntiVirus Plus.70155.exe
HOSTS file
78.159.125.60 us.search.yahoo.com
78.159.125.60 uk.search.yahoo.com
78.159.125.60 search.yahoo.com
78.159.125.60 www.google.com.br
78.159.125.60 www.google.it
78.159.125.60 www.google.es
78.159.125.60 www.google.co.jp
78.159.125.60 www.google.com.mx
78.159.125.60 www.google.ca
78.159.125.60 www.google.com.au
78.159.125.60 www.google.nl
78.159.125.60 www.google.co.za
78.159.125.60 www.google.be
78.159.125.60 www.google.gr
78.159.125.60 www.google.at
78.159.125.60 www.google.se
78.159.125.60 www.google.ch
78.159.125.60 www.google.pt
78.159.125.60 www.google.dk
78.159.125.60 www.google.fi
78.159.125.60 www.google.ie
78.159.125.60 www.google.no
78.159.125.60 www.google.com
78.159.125.60 www.google.de
78.159.125.60 www.google.fr
78.159.125.60 www.google.co.uk
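The HOSTS section of the log above maps search-engine hostnames to a single address, which overrides DNS for those names. As an added example (not part of the original post or of FreeFixer), the following parses a hosts file and reports watched hostnames that are mapped to anything other than a loopback or unspecified address. The watch list, the function names and the sample file are assumptions; the sample uses a documentation address.

```python
import ipaddress
from collections import defaultdict

# Assumption: labels that identify the sites worth watching; extend as needed.
WATCHED_LABELS = {"google", "yahoo", "bing"}

# Constructed sample; 203.0.113.60 is a documentation address.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
10.0.0.5        intranet.example.test
203.0.113.60    www.google.com www.google.de   # two names on one line
203.0.113.60\tsearch.yahoo.com
203.0.113.60    WWW.GOOGLE.CO.UK
0.0.0.0         ads.example.test
not-an-ip       www.google.fr
"""


def parse_hosts(text):
    """Yield (address, hostname) for every well-formed mapping."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, skip it
        for name in fields[1:]:                # a line may list several names
            yield addr, name.lower().rstrip(".")


def find_redirects(text):
    """Map each redirect address to the watched hostnames pointed at it."""
    hits = defaultdict(set)
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue                           # blocking entry, not a redirect
        if WATCHED_LABELS & set(name.split(".")):
            hits[str(addr)].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in find_redirects(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} watched hostnames redirected")
        for name in names:
            print(f"  {name}")
```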
Friday, 3 July 2009
Goodbye GoogleUpdate.exe
GoogleUpdate.exe is the shared component that keeps Google Toolbar, Google Chrome and other Google products up to date. Google got a lot of criticism for creating yet another process that kept running in the background.
The good news is that upcoming versions of Google's software will use the Windows Task Scheduler, which only runs at periodic intervals, not 24/7 like GoogleUpdate.exe did.
Wednesday, 1 July 2009
Invited to the Dreamhost Private Servers
Got an invitation to the DreamHost private servers a few days ago. Basically, the invitation allows me to start a private server starting at 150MB and $5 / month. I'm currently running my sites in the shared environment and I'm happy with the response- and up-time.
Anyone tried the Dreamhost PS? And how long will 150MB last? I'm currently using around 1400 CPU seconds/day.
Hey again Roger!
Last week we again sent you an email inviting you to try our still-new
DreamHost PS (Private Servers) and/or our DreamHost PS MySQL service!
But again it looks like you never checked it out at:
http://www.dreamhostps.com/
Nor did you choose to sign up by visiting:
https://panel.dreamhost.com/?tree=vserver.provision
Well, it's hard for us to understand how you couldn't give it a shot for
just $10/month (33% off). But not impossible for us to believe. What's
IMPOSSIBLE for us to believe is if you don't take advantage of this, our
final and greatest offer!
$10/month off.. forever. That's 100MB free.. meaning you can get your
very own Private Server with 150MB of ram for just FIVE dollars a month!
Awooooooga!
The main advantages of DreamHost PS are:
* You get your own PROTECTED system resources for improved stability.
* You get more flexibility than regular hosting to run any process.
* You can scale your resources on the fly, and reboot your own PS.
* It's currently only +$10/month for every 100MB of memory. ($10 off!)
* It's a completely seamless transition from our regular shared hosting.
You can also sign up for DreamHost PS MySQL, which is just like PS but
for your databases. If you get both PS and PS MySQL, you get another 20%
off both, forever!
Now, this is really our final final offer. And, it expires one week from
today (by 2009-07-05) .. sign up and we'll be able to provision you
ASAP!
Thanks one final time,
The Happy DreamHost Evite Team!
P.S. If you'd prefer not to be notified by email in the future should
you be given any more invitations, please visit our contact preferences
page here:
https://panel.dreamhost.com/id/?tab=contact
And select to not receive "DreamHost Promotions" anymore!
Monday, 29 June 2009
FreeFixer.com now using Google Trends
Google recently announced the Trends Gadget. Here you can see it in action on FreeFixer.com:
Seaport.exe is a legitimate file from Microsoft.
Here are two additional examples of the gadget in action.
freddy46.exe and reader_s.exe
Friday, 26 June 2009
Spotify Invites for Sale
Sigh, some people are selling Spotify invites:
http://www.tradera.com/Spotify-Invite-NU-2st-Invite-till-basta-musik-tjansten-auktion_91492107
http://www.prylbanken.se/annons/musik_cd_lp/spotify_invite_saljes/421779/
http://www.allaannonser.se/saeljes/filmer_musik/spotify_invite.html
http://www.kopingtorget.se/index.php?action=show&show_id=1458&show_torg_namn=vasteras
http://www.eskilstunatorget.se/index.php?action=show&show_id=1846
http://www.fuska.nu/forum/trad.php?id=1810079
I've got 2 invites. Send me an email and I'll invite you. 100% free, like it was intended to be. (You have to live in Sweden, Norway, Finland, the UK, France or Spain.)
Thursday, 25 June 2009
Why does Windows create fragmented files by default?
This is weird. My external drive has lots of free space and is completely defragmented:
Now, I'm backing up my VMware virtual machines by copying the VMware files to the external drive. These are a bunch of 2GB files which should fit without any problem in the free space of the drive. But for some reason, these files get fragmented:
And it's not just two or three fragments, it's 10.000+ fragments!
Why?
Wednesday, 24 June 2009
Toolbar galore after installing popular applications listed on Download.com
This is what Internet Explorer might look like after installing the 20 most popular Windows applications listed on Download.com:
Tuesday, 23 June 2009
Firewall Blocked Spotify?
I've been running Spotify for quite some time now. It's a great application for streaming music. However, today the Spotify client refused to log in with the following error message:
An error occured
A firewall may be blocking your Internet connection (error 110). Additionally you could try to change the currently used proxy settings.
The thing is, I have not modified any of my firewall settings. Spotify aside, there's no problem with any of my other applications that need an internet connection. Browsing works fine, using SSH works as usual, etc.
Temporarily disabling the firewall did not help either. Anyone else having the same problem?
Update:
ChrZZ kindly suggested in the comments that resetting my Spotify password should solve the problem. I visited http://www.spotify.com/en/password-reset/ and followed the instructions, and this solved the problem.
Are you also getting the "firewall may be blocking" error? Does resetting the password solve the problem for you too? Please let me know in the comments below.
Update 2:
In the comments Mr Anonymous suggests that all you need to do is to uncheck the "remember me" checkbox. Did this solve the problem for you?
Wednesday, 17 June 2009
How to enable the security tab in Windows Explorer
The Windows NT family of operating systems allows you to set various permissions on files and folders that control what operations users are allowed to perform. For example, you might want to set up a folder on your computer and allow some users to modify the files in that folder, while other users are only allowed to read the file data. These permissions are editable from Windows Explorer, by right-clicking on a file or folder and selecting the security tab:
However, on Windows XP Home and Windows XP Pro the security tab is hidden be default if your computer has not joined a domain. To enable the security tab:
However, on Windows XP Home and Windows XP Pro the security tab is hidden be default if your computer has not joined a domain. To enable the security tab:
- Click on Start
- Choose Control Panel
- Click on Folder Options
- Select the View tab
- Uncheck "Use simple file sharing"
Tuesday, 16 June 2009
Spammers, Captcha Workers and Getafreelancer.com
This is crazy, look at the search results for captcha over at Getafreelancer.com.
From one of the job descriptions:
i want captcha entry agents immediatly.i`ll give u a target to achieve daily,if u think u cannot fulfil this requirement plz don bid.if thigns wrk out gud,we`ll stay in a long term partnership.i`ll pay bi weekly.i will pick more than one bidder.lowest bid wins
Here's another one:
Hello
I'm Looking for large/Medium Large team to work on my online 24/7 captcha entry project. Server is very fast. Itz a long term Project.
***Rate:$0.80/k (Good Captcha Only).
***Very very Good counting.
Only Interested & serius teams BID & PM me plz.
Serius individuals can also BID & contact via PM.
Thanks_
*************************************************Happy Bidding......
Suppose this is how your captchas get solved over and over again. Or can large scale captcha solving like this have any legit use?
Monday, 15 June 2009
LastWriteTime, ChangeTime and GetFileInformationByHandleEx
Starting with Windows Vista, there's a new export available called GetFileInformationByHandleEx. You can use this function to get information about a file, in the format of a FILE_BASIC_INFO struct:
typedef struct _FILE_BASIC_INFO {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    DWORD FileAttributes;
} FILE_BASIC_INFO, *PFILE_BASIC_INFO;
What puzzles me about this struct is the two last members, LastWriteTime and ChangeTime. What is the difference between these two members? Sounds like they specify the same thing to me?
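On NTFS, LastWriteTime records the last write to the file's data, while ChangeTime records the last change of any kind, including metadata such as the file's attributes. The following is an added example, not code from the original post: it decodes a FILE_BASIC_INFO buffer in Python and compares the two fields. The sample buffer is constructed, and the helper names (decode_basic_info, query_basic_info, metadata_changed_after_write) are hypothetical.

```python
import ctypes
import struct
import sys
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FILE_BASIC_INFO layout: four 64-bit timestamps, a DWORD, 4 bytes of tail padding.
BASIC_INFO = struct.Struct("<4qI4x")  # 40 bytes
FILE_BASIC_INFO_CLASS = 0             # FileBasicInfo in FILE_INFO_BY_HANDLE_CLASS


class BasicInfo(NamedTuple):
    creation: datetime
    last_access: datetime
    last_write: datetime
    change: datetime
    attributes: int


def from_filetime(ticks: int) -> datetime:
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse of from_filetime (integer arithmetic, so no float rounding)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_basic_info(buf: bytes) -> BasicInfo:
    """Decode the raw bytes that GetFileInformationByHandleEx fills in."""
    created, accessed, written, changed, attrs = BASIC_INFO.unpack(buf[:BASIC_INFO.size])
    return BasicInfo(from_filetime(created), from_filetime(accessed),
                     from_filetime(written), from_filetime(changed), attrs)


def metadata_changed_after_write(info: BasicInfo) -> bool:
    """True when the file was changed (e.g. attributes) after its last data write."""
    return info.change > info.last_write


def query_basic_info(path: str) -> BasicInfo:
    """Call GetFileInformationByHandleEx on a real file (Windows Vista or later)."""
    if sys.platform != "win32":
        raise OSError("GetFileInformationByHandleEx is a Windows API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    k32.GetFileInformationByHandleEx.restype = ctypes.c_int
    k32.GetFileInformationByHandleEx.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                                 ctypes.c_void_p, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    # FILE_READ_ATTRIBUTES, share read/write/delete, OPEN_EXISTING,
    # FILE_FLAG_BACKUP_SEMANTICS (so directories can be opened too).
    handle = k32.CreateFileW(path, 0x80, 0x7, None, 3, 0x02000000, None)
    if handle is None or handle == ctypes.c_void_p(-1).value:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_string_buffer(BASIC_INFO.size)
        if not k32.GetFileInformationByHandleEx(handle, FILE_BASIC_INFO_CLASS,
                                                buf, BASIC_INFO.size):
            raise ctypes.WinError(ctypes.get_last_error())
        return decode_basic_info(buf.raw)
    finally:
        k32.CloseHandle(handle)


def sample_buffer() -> bytes:
    """Constructed sample: data last written at 10:00, attributes changed at 12:30."""
    created = datetime(2009, 6, 15, 9, 0, tzinfo=timezone.utc)
    written = datetime(2009, 6, 15, 10, 0, tzinfo=timezone.utc)
    changed = datetime(2009, 6, 15, 12, 30, tzinfo=timezone.utc)
    # 0x21 = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_ARCHIVE
    return BASIC_INFO.pack(to_filetime(created), to_filetime(written),
                           to_filetime(written), to_filetime(changed), 0x21)


if __name__ == "__main__":
    info = query_basic_info(sys.argv[1]) if len(sys.argv) > 1 else decode_basic_info(sample_buffer())
    print("LastWriteTime:", info.last_write.isoformat())
    print("ChangeTime:   ", info.change.isoformat())
    print("Changed after last write:", metadata_changed_after_write(info))
```

Run without arguments it decodes the constructed buffer; on Windows, pass a file path to query a real file.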
Sunday, 14 June 2009
Compare Google and Bing searches side by side with Panic.nu
How to dump DLL exports
To print the names of the functions that a Windows dynamic link library (DLL) exports, you can use the dumpbin.exe tool, which comes with Visual Studio. For example, the following command line lists all functions exported by kernel32.dll:
>dumpbin.exe /EXPORTS c:\windows\system32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file c:\windows\system32\kernel32.dll
File Type: DLL
Section contains the following exports for KERNEL32.dll
00000000 characteristics
49C4D12E time date stamp Sat Mar 21 12:36:14 2009
0.00 version
1 ordinal base
954 number of functions
954 number of names
ordinal hint RVA name
1 0 0000A6E4 ActivateActCtx
2 1 0003551D AddAtomA
3 2 000326F1 AddAtomW
4 3 00071DFF AddConsoleAliasA
5 4 00071DC1 AddConsoleAliasW
6 5 00059412 AddLocalAlternateComputerNameA
7 6 000592F6 AddLocalAlternateComputerNameW
8 7 0002BF11 AddRefActCtx
9 8 AddVectoredExceptionHandler (forwarded to NTDLL.RtlAddVectoredExceptionHandler)
10 9 00072451 AllocConsole
11 A 0005F6D4 AllocateUserPhysicalPages
12 B 0003597F AreFileApisANSI
13 C 0002E45A AssignProcessToJobObject
14 D 00072639 AttachConsole
15 E 0005725A BackupRead
16 F 00056340 BackupSeek
17 10 000578B5 BackupWrite
18 11 00016877 BaseCheckAppcompatCache
19 12 0006CF46 BaseCleanupAppcompatCache
20 13 0006CFCA BaseCleanupAppcompatCacheSupport
21 14 0006CE01 BaseDumpAppcompatCache
22 15 0006CD7F BaseFlushAppcompatCache
23 16 0001656D BaseInitAppcompatCache
24 17 0002B38D BaseInitAppcompatCacheSupport
25 18 000174E3 BaseProcessInitPostImport
26 19 0003838A BaseQueryModuleData
27 1A 000151C0 BaseUpdateAppcompatCache
28 1B 000195B7 BasepCheckWinSaferRestrictions
29 1C 00037AA7 Beep
30 1D 00070DBB BeginUpdateResourceA
31 1E 00070C18 BeginUpdateResourceW
32 1F 0002C03C BindIoCompletionCallback
33 20 0006C02D BuildCommDCBA
34 21 0006BFFF BuildCommDCBAndTimeoutsA
35 22 0006C05F BuildCommDCBAndTimeoutsW
36 23 0006C0B9 BuildCommDCBW
37 24 00060E36 CallNamedPipeA
38 25 00060BE7 CallNamedPipeW
39 26 00061BFF CancelDeviceWakeupRequest
40 27 000300E2 CancelIo
41 28 00063F58 CancelTimerQueueTimer
42 29 0002CC19 CancelWaitableTimer
43 2A 000127C3 ChangeTimerQueueTimer
44 2B 00061AB9 CheckNameLegalDOS8Dot3A
45 2C 00061879 CheckNameLegalDOS8Dot3W
46 2D 0005AAF2 CheckRemoteDebuggerPresent
47 2E 00067E31 ClearCommBreak
48 2F 000666BF ClearCommError
49 30 0001D3F6 CloseConsoleHandle
50 31 00009BE7 CloseHandle
51 32 0002C87D CloseProfileUserMapping
52 33 0002F611 CmdBatNotification
53 34 000679B1 CommConfigDialogA
54 35 000678BD CommConfigDialogW
55 36 00010B79 CompareFileTime
56 37 0000D117 CompareStringA
57 38 0000A3FE CompareStringW
58 39 00031463 ConnectNamedPipe
59 3A 000730FF ConsoleMenuControl
60 3B 0005B53D ContinueDebugEvent
61 3C 000383FF ConvertDefaultLocale
62 3D 0002FEDF ConvertFiberToThread
63 3E 0002FF1E ConvertThreadToFiber
64 3F 000286EE CopyFileA
65 40 0005F39C CopyFileExA
66 41 00027B32 CopyFileExW
67 42 0002F87B CopyFileW
68 43 0005989A CopyLZFile
69 44 0006C8E5 CreateActCtxA
70 45 000154FC CreateActCtxW
71 46 000741A8 CreateConsoleScreenBuffer
72 47 000217AC CreateDirectoryA
73 48 0005C213 CreateDirectoryExA
74 49 0005B5CA CreateDirectoryExW
75 4A 00032402 CreateDirectoryW
76 4B 000308B5 CreateEventA
77 4C 0000A749 CreateEventW
78 4D 0002FFB7 CreateFiber
79 4E 0002FFD7 CreateFiberEx
80 4F 00001A28 CreateFileA
81 50 0000950A CreateFileMappingA
82 51 0000943C CreateFileMappingW
83 52 00010800 CreateFileW
84 53 0006C769 CreateHardLinkA
85 54 0006C5AC CreateHardLinkW
86 55 0003138D CreateIoCompletionPort
87 56 0006C4CC CreateJobObjectA
88 57 0002CB13 CreateJobObjectW
89 58 0006C49E CreateJobSet
90 59 0002CC9B CreateMailslotA
91 5A 0002CCEC CreateMailslotW
92 5B 0003968A CreateMemoryResourceNotification
93 5C 0000E9DF CreateMutexA
94 5D 0000E957 CreateMutexW
95 5E 00060CDC CreateNamedPipeA
96 5F 0002F0DD CreateNamedPipeW
97 60 0002AC6C CreateNlsSecurityDescriptor
98 61 0001D83F CreatePipe
99 62 0000236B CreateProcessA
100 63 0001D54E CreateProcessInternalA
101 64 000197B0 CreateProcessInternalW
102 65 00080311 CreateProcessInternalWSecure
103 66 00002336 CreateProcessW
104 67 000104CC CreateRemoteThread
105 68 00012EBD CreateSemaphoreA
106 69 00010126 CreateSemaphoreW
107 6A 0006C7D4 CreateSocketHandle
108 6B 0006C28E CreateTapePartition
109 6C 000106D7 CreateThread
110 6D 0002BFE6 CreateTimerQueue
111 6E 0002117D CreateTimerQueueTimer
112 6F 00065C7F CreateToolhelp32Snapshot
113 70 00034962 CreateVirtualBuffer
114 71 00062C21 CreateWaitableTimerA
115 72 0002FB5A CreateWaitableTimerW
116 73 0000A715 DeactivateActCtx
117 74 0005B0FB DebugActiveProcess
118 75 0005B581 DebugActiveProcessStop
119 76 0005AB46 DebugBreak
120 77 0005B14E DebugBreakProcess
121 78 0005B175 DebugSetProcessKillOnExit
122 79 DecodePointer (forwarded to NTDLL.RtlDecodePointer)
123 7A DecodeSystemPointer (forwarded to NTDLL.RtlDecodeSystemPointer)
124 7B 0005D29D DefineDosDeviceA
125 7C 00021F1E DefineDosDeviceW
126 7D 0007EFED DelayLoadFailureHook
127 7E 000326C5 DeleteAtom
128 7F DeleteCriticalSection (forwarded to NTDLL.RtlDeleteCriticalSection)
129 80 0002FE8C DeleteFiber
130 81 00031EDD DeleteFileA
131 82 00031F63 DeleteFileW
132 83 00063F2B DeleteTimerQueue
133 84 00063EE4 DeleteTimerQueueEx
134 85 00021130 DeleteTimerQueueTimer
135 86 0006B21E DeleteVolumeMountPointA
136 87 0006AA70 DeleteVolumeMountPointW
137 88 00001629 DeviceIoControl
138 89 00011336 DisableThreadLibraryCalls
139 8A 0001273F DisconnectNamedPipe
140 8B 00058ABB DnsHostnameToComputerNameA
141 8C 0002CEC2 DnsHostnameToComputerNameW
142 8D 00032180 DosDateTimeToFileTime
143 8E 00062939 DosPathToSessionPathA
144 8F 0002C1F7 DosPathToSessionPathW
145 90 0001D4C5 DuplicateConsoleHandle
146 91 0000DE9E DuplicateHandle
147 92 EncodePointer (forwarded to NTDLL.RtlEncodePointer)
148 93 EncodeSystemPointer (forwarded to NTDLL.RtlEncodeSystemPointer)
149 94 00070A89 EndUpdateResourceA
150 95 000708B4 EndUpdateResourceW
151 96 EnterCriticalSection (forwarded to NTDLL.RtlEnterCriticalSection)
152 97 00038241 EnumCalendarInfoA
153 98 00076889 EnumCalendarInfoExA
154 99 000798BD EnumCalendarInfoExW
155 9A 0007989A EnumCalendarInfoW
156 9B 000768CA EnumDateFormatsA
157 9C 000768EA EnumDateFormatsExA
158 9D 000798E0 EnumDateFormatsExW
159 9E 00038811 EnumDateFormatsW
160 9F 00076928 EnumLanguageGroupLocalesA
161 A0 00079843 EnumLanguageGroupLocalesW
162 A1 0002E010 EnumResourceLanguagesA
163 A2 00060699 EnumResourceLanguagesW
164 A3 00060291 EnumResourceNamesA
165 A4 00055AE1 EnumResourceNamesW
166 A5 000600A4 EnumResourceTypesA
167 A6 000604B1 EnumResourceTypesW
168 A7 00076967 EnumSystemCodePagesA
169 A8 0007987F EnumSystemCodePagesW
170 A9 00079D19 EnumSystemGeoID
171 AA 0007690A EnumSystemLanguageGroupsA
172 AB 00079825 EnumSystemLanguageGroupsW
173 AC 00037D11 EnumSystemLocalesA
174 AD 00079864 EnumSystemLocalesW
175 AE 000768AC EnumTimeFormatsA
176 AF 000388EE EnumTimeFormatsW
177 B0 00076949 EnumUILanguagesA
178 B1 0002A8DC EnumUILanguagesW
179 B2 00058A0F EnumerateLocalComputerNamesA
180 B3 0005888F EnumerateLocalComputerNamesW
181 B4 0006C25B EraseTape
182 B5 000668D1 EscapeCommFunction
183 B6 0001CB12 ExitProcess
184 B7 0000C0F8 ExitThread
185 B8 000687D5 ExitVDM
186 B9 00032A09 ExpandEnvironmentStringsA
187 BA 000305FE ExpandEnvironmentStringsW
188 BB 00071767 ExpungeConsoleCommandHistoryA
189 BC 0007174F ExpungeConsoleCommandHistoryW
190 BD 0005FBCC ExtendVirtualBuffer
191 BE 00061D60 FatalAppExitA
192 BF 00061D12 FatalAppExitW
193 C0 00061DAE FatalExit
194 C1 00030665 FileTimeToDosDateTime
195 C2 0000E906 FileTimeToLocalFileTime
196 C3 0000E88C FileTimeToSystemTime
197 C4 00074184 FillConsoleOutputAttribute
198 C5 00074139 FillConsoleOutputCharacterA
199 C6 00074160 FillConsoleOutputCharacterW
200 C7 00030F29 FindActCtxSectionGuid
201 C8 0006CC4F FindActCtxSectionStringA
202 C9 0002FD54 FindActCtxSectionStringW
203 CA 00030D06 FindAtomA
204 CB 0002F82F FindAtomW
205 CC 0000EE77 FindClose
206 CD 00035805 FindCloseChangeNotification
207 CE 0005D483 FindFirstChangeNotificationA
208 CF 00034C1F FindFirstChangeNotificationW
209 D0 00013879 FindFirstFileA
210 D1 0005D4EA FindFirstFileExA
211 D2 0000EB1D FindFirstFileExW
212 D3 0000EF81 FindFirstFileW
213 D4 0006B399 FindFirstVolumeA
214 D5 0006AE59 FindFirstVolumeMountPointA
215 D6 00069EF1 FindFirstVolumeMountPointW
216 D7 0002D2BF FindFirstVolumeW
217 D8 00032145 FindNextChangeNotification
218 D9 00034EE1 FindNextFileA
219 DA 0000EFDA FindNextFileW
220 DB 0006AD3F FindNextVolumeA
221 DC 0006AF89 FindNextVolumeMountPointA
222 DD 0006A19D FindNextVolumeMountPointW
223 DE 0002CFAB FindNextVolumeW
224 DF 0000BF29 FindResourceA
225 E0 00035FA8 FindResourceExA
226 E1 0000AD28 FindResourceExW
227 E2 0000BC6E FindResourceW
228 E3 0002CF70 FindVolumeClose
229 E4 00035805 FindVolumeMountPointClose
230 E5 00074C5C FlushConsoleInputBuffer
231 E6 000126E1 FlushFileBuffers
232 E7 000355EC FlushInstructionCache
233 E8 000359A1 FlushViewOfFile
234 E9 00076FF1 FoldStringA
235 EA 0007A776 FoldStringW
236 EB 0002F7A8 FormatMessageA
237 EC 00034BBF FormatMessageW
238 ED 000721CD FreeConsole
239 EE 0001D6EF FreeEnvironmentStringsA
240 EF 00014B87 FreeEnvironmentStringsW
241 F0 0000AC7E FreeLibrary
242 F1 0000C210 FreeLibraryAndExitThread
243 F2 000260C2 FreeResource
244 F3 0005F702 FreeUserPhysicalPages
245 F4 00034B99 FreeVirtualBuffer
246 F5 00074B61 GenerateConsoleCtrlEvent
247 F6 000099B5 GetACP
248 F7 0005C283 GetAtomNameA
249 F8 00033117 GetAtomNameW
250 F9 0006916B GetBinaryType
251 FA 0006916B GetBinaryTypeA
252 FB 00068D0C GetBinaryTypeW
253 FC 0003850B GetCPFileNameFromRegistry
254 FD 00012F16 GetCPInfo
255 FE 00077187 GetCPInfoExA
256 FF 0007B30D GetCPInfoExW
257 100 00076AAB GetCalendarInfoA
258 101 00039050 GetCalendarInfoW
259 102 0006CCE2 GetComPlusPackageInstallStatus
260 103 00067E49 GetCommConfig
261 104 000669CD GetCommMask
262 105 00066A56 GetCommModemStatus
263 106 00066ADF GetCommProperties
264 107 00066B97 GetCommState
265 108 00022128 GetCommTimeouts
266 109 00012FBD GetCommandLineA
267 10A 00017023 GetCommandLineW
268 10B 0005E471 GetCompressedFileSizeA
269 10C 0005E349 GetCompressedFileSizeW
270 10D 000216A4 GetComputerNameA
271 10E 00058793 GetComputerNameExA
272 10F 000201F1 GetComputerNameExW
273 110 000316CF GetComputerNameW
274 111 000711F2 GetConsoleAliasA
275 112 0007168C GetConsoleAliasExesA
276 113 00071392 GetConsoleAliasExesLengthA
277 114 00071385 GetConsoleAliasExesLengthW
278 115 00071671 GetConsoleAliasExesW
279 116 000711C6 GetConsoleAliasW
280 117 00071527 GetConsoleAliasesA
281 118 000712F9 GetConsoleAliasesLengthA
282 119 000712E1 GetConsoleAliasesLengthW
283 11A 00071509 GetConsoleAliasesW
284 11B 00075213 GetConsoleCP
285 11C 000762E3 GetConsoleCharType
286 11D 00071AE7 GetConsoleCommandHistoryA
287 11E 00071945 GetConsoleCommandHistoryLengthA
288 11F 0007192D GetConsoleCommandHistoryLengthW
289 120 00071AC9 GetConsoleCommandHistoryW
290 121 000746A1 GetConsoleCursorInfo
291 122 0007593F GetConsoleCursorMode
292 123 00037C83 GetConsoleDisplayMode
293 124 000748D9 GetConsoleFontInfo
294 125 00074A01 GetConsoleFontSize
295 126 00072D59 GetConsoleHardwareState
296 127 00071E3C GetConsoleInputExeNameA
297 128 00071C11 GetConsoleInputExeNameW
298 129 00072739 GetConsoleInputWaitHandle
299 12A 00075469 GetConsoleKeyboardLayoutNameA
300 12B 00075481 GetConsoleKeyboardLayoutNameW
301 12C 0001AC50 GetConsoleMode
302 12D 000760C7 GetConsoleNlsMode
303 12E 0001AEC7 GetConsoleOutputCP
304 12F 00075505 GetConsoleProcessList
305 130 0001B963 GetConsoleScreenBufferInfo
306 131 00074769 GetConsoleSelectionInfo
307 132 00071B79 GetConsoleTitleA
308 133 0001B774 GetConsoleTitleW
309 134 00075499 GetConsoleWindow
310 135 00076CB9 GetCurrencyFormatA
311 136 0007C80A GetCurrencyFormatW
312 137 000300B1 GetCurrentActCtx
313 138 00074A8F GetCurrentConsoleFont
314 139 0003502E GetCurrentDirectoryA
315 13A 0000B917 GetCurrentDirectoryW
316 13B 0000DE95 GetCurrentProcess
317 13C 000099C0 GetCurrentProcessId
318 13D 0000998B GetCurrentThread
319 13E 000097D0 GetCurrentThreadId
320 13F 0003621E GetDateFormatA
321 140 000337A5 GetDateFormatW
322 141 00067B81 GetDefaultCommConfigA
323 142 00067A89 GetDefaultCommConfigW
324 143 0007BB81 GetDefaultSortkeySize
325 144 00061B84 GetDevicePowerState
326 145 000302F5 GetDiskFreeSpaceA
327 146 000303A3 GetDiskFreeSpaceExA
328 147 000128A3 GetDiskFreeSpaceExW
329 148 000301B7 GetDiskFreeSpaceW
330 149 0005FFAF GetDllDirectoryA
331 14A 0005FE40 GetDllDirectoryW
332 14B 000214E3 GetDriveTypeA
333 14C 0000B370 GetDriveTypeW
334 14D 0001CC93 GetEnvironmentStrings
335 14E 0001CC93 GetEnvironmentStringsA
336 14F 00012FA8 GetEnvironmentStringsW
337 150 00014B92 GetEnvironmentVariableA
338 151 0000F194 GetEnvironmentVariableW
339 152 0001AB53 GetExitCodeProcess
340 153 00021435 GetExitCodeThread
341 154 00065D07 GetExpandedNameA
342 155 00065DB4 GetExpandedNameW
343 156 000115DC GetFileAttributesA
344 157 00013851 GetFileAttributesExA
345 158 00011195 GetFileAttributesExW
346 159 0000B7EC GetFileAttributesW
347 15A 00010D0D GetFileInformationByHandle
348 15B 00010B17 GetFileSize
349 15C 00010AA9 GetFileSizeEx
350 15D 00031C4D GetFileTime
351 15E 00010EF1 GetFileType
352 15F 0005F50C GetFirmwareEnvironmentVariableA
353 160 0005F3F5 GetFirmwareEnvironmentVariableW
354 161 0001399C GetFullPathNameA
355 162 0000B8F2 GetFullPathNameW
356 163 00076982 GetGeoInfoA
357 164 00079987 GetGeoInfoW
358 165 0006C7C3 GetHandleContext
359 166 0002BDC5 GetHandleInformation
360 167 00075771 GetLargestConsoleWindowSize
361 168 GetLastError (forwarded to NTDLL.RtlGetLastWin32Error)
362 169 0007BBAB GetLinguistLangSize
363 16A 0000A874 GetLocalTime
364 16B 0000D302 GetLocaleInfoA
365 16C 00011602 GetLocaleInfoW
366 16D 0002C2E3 GetLogicalDriveStringsA
367 16E 00061437 GetLogicalDriveStringsW
368 16F 00030B1C GetLogicalDrives
369 170 00061DF7 GetLogicalProcessorInformation
370 171 000696C6 GetLongPathNameA
371 172 000133F3 GetLongPathNameW
372 173 0005FB30 GetMailslotInfo
373 174 0000B56F GetModuleFileNameA
374 175 0000B475 GetModuleFileNameW
375 176 0000B741 GetModuleHandleA
376 177 0006004E GetModuleHandleExA
377 178 0001FCC1 GetModuleHandleExW
378 179 0000E4DD GetModuleHandleW
379 17A 00060D53 GetNamedPipeHandleStateA
380 17B 00060AED GetNamedPipeHandleStateW
381 17C 000608F2 GetNamedPipeInfo
382 17D 00037975 GetNativeSystemInfo
383 17E 00068083 GetNextVDMCommand
384 17F 0001801D GetNlsSectionName
385 180 0006102C GetNumaAvailableMemory
386 181 00061072 GetNumaAvailableMemoryNode
387 182 00060EA9 GetNumaHighestNodeNumber
388 183 00060F81 GetNumaNodeProcessorMask
389 184 00060FE6 GetNumaProcessorMap
390 185 00060EF4 GetNumaProcessorNode
391 186 0002EC54 GetNumberFormatA
392 187 000344EC GetNumberFormatW
393 188 00075641 GetNumberOfConsoleFonts
394 189 000756AD GetNumberOfConsoleInputEvents
395 18A 00074821 GetNumberOfConsoleMouseButtons
396 18B 00012847 GetOEMCP
397 18C 000315CC GetOverlappedResult
398 18D 00061EF7 GetPriorityClass
399 18E 00036464 GetPrivateProfileIntA
400 18F 00032760 GetPrivateProfileIntW
401 190 00035F51 GetPrivateProfileSectionA
402 191 00032DD7 GetPrivateProfileSectionNamesA
403 192 0005CAE2 GetPrivateProfileSectionNamesW
404 193 0001EDBD GetPrivateProfileSectionW
405 194 00032B86 GetPrivateProfileStringA
406 195 0000F9FD GetPrivateProfileStringW
407 196 0005CB03 GetPrivateProfileStructA
408 197 0005CC6D GetPrivateProfileStructW
409 198 0000AE40 GetProcAddress
410 199 00021765 GetProcessAffinityMask
411 19A 0006230D GetProcessDEPPolicy
412 19B 0006226A GetProcessHandleCount
413 19C 0000AC61 GetProcessHeap
414 19D 0005F9B3 GetProcessHeaps
415 19E 00061CDD GetProcessId
416 19F 00062239 GetProcessIoCounters
417 1A0 000621FF GetProcessPriorityBoost
418 1A1 00061F5D GetProcessShutdownParameters
419 1A2 00035309 GetProcessTimes
420 1A3 00012CC3 GetProcessVersion
421 1A4 0006214C GetProcessWorkingSetSize
422 1A5 000364D9 GetProfileIntA
423 1A6 0002F8A2 GetProfileIntW
424 1A7 0005D0AF GetProfileSectionA
425 1A8 0005D0E8 GetProfileSectionW
426 1A9 00021495 GetProfileStringA
427 1AA 000213F8 GetProfileStringW
428 1AB 0000A7BD GetQueuedCompletionStatus
429 1AC 00035BE0 GetShortPathNameA
430 1AD 0001F26E GetShortPathNameW
431 1AE 00001EF2 GetStartupInfoA
432 1AF 00001E54 GetStartupInfoW
433 1B0 00012FD9 GetStdHandle
434 1B1 00038A3C GetStringTypeA
435 1B2 0007720F GetStringTypeExA
436 1B3 0000C08F GetStringTypeExW
437 1B4 0000A530 GetStringTypeW
438 1B5 00061DC0 GetSystemDEPPolicy
439 1B6 0000BFDD GetSystemDefaultLCID
440 1B7 00012852 GetSystemDefaultLangID
441 1B8 000130D8 GetSystemDefaultUILanguage
442 1B9 00014F8A GetSystemDirectoryA
443 1BA 00031DEB GetSystemDirectoryW
444 1BB 00012DF6 GetSystemInfo
445 1BC 00035370 GetSystemPowerStatus
446 1BD 00062360 GetSystemRegistryQuota
447 1BE 0000176F GetSystemTime
448 1BF 0002D37F GetSystemTimeAdjustment
449 1C0 000017E9 GetSystemTimeAsFileTime
450 1C1 00062006 GetSystemTimes
451 1C2 000212F1 GetSystemWindowsDirectoryA
452 1C3 0000ADC9 GetSystemWindowsDirectoryW
453 1C4 0002146C GetSystemWow64DirectoryA
454 1C5 0002146C GetSystemWow64DirectoryW
455 1C6 0006C302 GetTapeParameters
456 1C7 0006C1CC GetTapePosition
457 1C8 0006C39F GetTapeStatus
458 1C9 00061967 GetTempFileNameA
459 1CA 000359E7 GetTempFileNameW
460 1CB 00035DFA GetTempPathA
461 1CC 00030791 GetTempPathW
462 1CD 0003973D GetThreadContext
463 1CE 00063E71 GetThreadIOPendingFlag
464 1CF 0000A4B5 GetThreadLocale
465 1D0 0000A833 GetThreadPriority
466 1D1 00063BCF GetThreadPriorityBoost
467 1D2 0005B1C0 GetThreadSelectorEntry
468 1D3 00063E04 GetThreadTimes
469 1D4 0000934A GetTickCount
470 1D5 0003635D GetTimeFormatA
471 1D6 00034003 GetTimeFormatW
472 1D7 000350EF GetTimeZoneInformation
473 1D8 00009FB0 GetUserDefaultLCID
474 1D9 0000C004 GetUserDefaultLangID
475 1DA 00013110 GetUserDefaultUILanguage
476 1DB 000379BE GetUserGeoID
477 1DC 00068989 GetVDMCurrentDirectories
478 1DD 0001127A GetVersion
479 1DE 00012B7E GetVersionExA
480 1DF 0000AF05 GetVersionExW
481 1E0 00021BA5 GetVolumeInformationA
482 1E1 0000FA85 GetVolumeInformationW
483 1E2 0006B0A1 GetVolumeNameForVolumeMountPointA
484 1E3 0001FB88 GetVolumeNameForVolumeMountPointW
485 1E4 0002E893 GetVolumePathNameA
486 1E5 0002E5FD GetVolumePathNameW
487 1E6 0006B240 GetVolumePathNamesForVolumeNameA
488 1E7 00020D14 GetVolumePathNamesForVolumeNameW
489 1E8 00021363 GetWindowsDirectoryA
490 1E9 0000AE1B GetWindowsDirectoryW
491 1EA 0005F78C GetWriteWatch
492 1EB 000360D9 GlobalAddAtomA
493 1EC 0001010C GlobalAddAtomW
494 1ED 0000FDCD GlobalAlloc
495 1EE 0005F844 GlobalCompact
496 1EF 00030BC3 GlobalDeleteAtom
497 1F0 000360F3 GlobalFindAtomA
498 1F1 00034EC7 GlobalFindAtomW
499 1F2 0005F648 GlobalFix
500 1F3 000367A2 GlobalFlags
501 1F4 0000FCCF GlobalFree
502 1F5 0005C263 GlobalGetAtomNameA
503 1F6 0002C3CE GlobalGetAtomNameW
504 1F7 00034CE9 GlobalHandle
505 1F8 0000FFB9 GlobalLock
506 1F9 000310FA GlobalMemoryStatus
507 1FA 0001F992 GlobalMemoryStatusEx
508 1FB 00012459 GlobalReAlloc
509 1FC 00034DD1 GlobalSize
510 1FD 0005F68C GlobalUnWire
511 1FE 0005F662 GlobalUnfix
512 1FF 0000FF22 GlobalUnlock
513 200 0005F67C GlobalWire
514 201 00064C16 Heap32First
515 202 00064AD1 Heap32ListFirst
516 203 00064B7F Heap32ListNext
517 204 00064D30 Heap32Next
518 205 HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)
519 206 0003614E HeapCompact
520 207 00012C56 HeapCreate
521 208 0005F8A1 HeapCreateTagsW
522 209 00010F98 HeapDestroy
523 20A 0005F870 HeapExtend
524 20B HeapFree (forwarded to NTDLL.RtlFreeHeap)
525 20C 0005F9C4 HeapLock
526 20D 0005FAFD HeapQueryInformation
527 20E 0005F8B2 HeapQueryTagW
528 20F HeapReAlloc (forwarded to NTDLL.RtlReAllocateHeap)
529 210 00039499 HeapSetInformation
530 211 HeapSize (forwarded to NTDLL.RtlSizeHeap)
531 212 0005F8C3 HeapSummary
532 213 0005F9DE HeapUnlock
533 214 0005F91F HeapUsage
534 215 0005F993 HeapValidate
535 216 0005F9F8 HeapWalk
536 217 0002AF8F InitAtomTable
537 218 00009F91 InitializeCriticalSection
538 219 0000B8C9 InitializeCriticalSectionAndSpinCount
539 21A InitializeSListHead (forwarded to NTDLL.RtlInitializeSListHead)
540 21B 00009842 InterlockedCompareExchange
541 21C 0000981A InterlockedDecrement
542 21D 0000982E InterlockedExchange
543 21E 00009856 InterlockedExchangeAdd
544 21F InterlockedFlushSList (forwarded to NTDLL.RtlInterlockedFlushSList)
545 220 00009806 InterlockedIncrement
546 221 InterlockedPopEntrySList (forwarded to NTDLL.RtlInterlockedPopEntrySList)
547 222 InterlockedPushEntrySList (forwarded to NTDLL.RtlInterlockedPushEntrySList)
548 223 00074355 InvalidateConsoleDIBits
549 224 0000BD6F IsBadCodePtr
550 225 0003596F IsBadHugeReadPtr
551 226 0000C03D IsBadHugeWritePtr
552 227 00009EA1 IsBadReadPtr
553 228 0003228B IsBadStringPtrA
554 229 0000A67C IsBadStringPtrW
555 22A 00009F19 IsBadWritePtr
556 22B 0000B87C IsDBCSLeadByte
557 22C 0007B60E IsDBCSLeadByteEx
558 22D 00013133 IsDebuggerPresent
559 22E 0006C464 IsProcessInJob
560 22F 0000AECA IsProcessorFeaturePresent
561 230 00061BC8 IsSystemResumeAutomatic
562 231 0001116B IsValidCodePage
563 232 0007752F IsValidLanguageGroup
564 233 0001C1C3 IsValidLocale
565 234 0007763B IsValidUILanguage
566 235 00015239 IsWow64Process
567 236 00038E18 LCMapStringA
568 237 0000CD48 LCMapStringW
569 238 000665FE LZClose
570 239 00066587 LZCloseFile
571 23A 000597E4 LZCopy
572 23B 000660BD LZCreateFileW
573 23C 00080311 LZDone
574 23D 00065F62 LZInit
575 23E 00066190 LZOpenFileA
576 23F 00066257 LZOpenFileW
577 240 00066379 LZRead
578 241 000662EE LZSeek
579 242 000801F6 LZStart
580 243 LeaveCriticalSection (forwarded to NTDLL.RtlLeaveCriticalSection)
581 244 00001D7B LoadLibraryA
582 245 00001D53 LoadLibraryExA
583 246 00001AF5 LoadLibraryExW
584 247 0000AEEB LoadLibraryW
585 248 0006261E LoadModule
586 249 0000A055 LoadResource
587 24A 00009A2D LocalAlloc
588 24B 0005F844 LocalCompact
589 24C 00035554 LocalFileTimeToFileTime
590 24D 00055DE6 LocalFlags
591 24E 000099CF LocalFree
592 24F 00055EE1 LocalHandle
593 250 00032E4D LocalLock
594 251 0003092F LocalReAlloc
595 252 0005F85A LocalShrink
596 253 000325EC LocalSize
597 254 00032EE1 LocalUnlock
598 255 00032391 LockFile
599 256 0002F571 LockFileEx
600 257 0000CD37 LockResource
601 258 0005F730 MapUserPhysicalPages
602 259 0005F75E MapUserPhysicalPagesScatter
603 25A 0000B9A5 MapViewOfFile
604 25B 0000B936 MapViewOfFileEx
605 25C 000653A0 Module32First
606 25D 000652E7 Module32FirstW
607 25E 00065525 Module32Next
608 25F 00065484 Module32NextW
609 260 00035EBF MoveFileA
610 261 0005E49B MoveFileExA
611 262 0003568B MoveFileExW
612 263 00021261 MoveFileW
613 264 00035EDE MoveFileWithProgressA
614 265 0001F72E MoveFileWithProgressW
615 266 00009866 MulDiv
616 267 00009C98 MultiByteToWideChar
617 268 00014FFC NlsConvertIntegerToString
618 269 00035849 NlsGetCacheUpdateCount
619 26A 00077509 NlsResetProcessLocale
620 26B 0006113A NumaVirtualQueryNode
621 26C 00011081 OpenConsoleW
622 26D 0002AD98 OpenDataFile
623 26E 000132AC OpenEventA
624 26F 000131E0 OpenEventW
625 270 00021982 OpenFile
626 271 0000BC16 OpenFileMappingA
627 272 0000BB7A OpenFileMappingW
628 273 0006C538 OpenJobObjectA
629 274 0006C3C0 OpenJobObjectW
630 275 0000EABB OpenMutexA
631 276 0000EA35 OpenMutexW
632 277 000309E9 OpenProcess
633 278 0003334F OpenProfileUserMapping
634 279 0002CA57 OpenSemaphoreA
635 27A 0002E31F OpenSemaphoreW
636 27B 0002FC08 OpenThread
637 27C 00062C90 OpenWaitableTimerA
638 27D 00062B25 OpenWaitableTimerW
639 27E 0005AD4C OutputDebugStringA
640 27F 0005B405 OutputDebugStringW
641 280 000745CD PeekConsoleInputA
642 281 000745F0 PeekConsoleInputW
643 282 00060977 PeekNamedPipe
644 283 00012792 PostQueuedCompletionStatus
645 284 0006C228 PrepareTape
646 285 0002005F PrivCopyFileExW
647 286 0005E0C1 PrivMoveFileIdentityW
648 287 00064F55 Process32First
649 288 00064E9C Process32FirstW
650 289 000650C8 Process32Next
651 28A 00065027 Process32NextW
652 28B 00013029 ProcessIdToSessionId
653 28C 0002C06E PulseEvent
654 28D 00066E45 PurgeComm
655 28E 0001637B QueryActCtxW
656 28F QueryDepthSList (forwarded to NTDLL.RtlQueryDepthSList)
657 290 0005D344 QueryDosDeviceA
658 291 00021D8D QueryDosDeviceW
659 292 0002AFC9 QueryInformationJobObject
660 293 00039608 QueryMemoryResourceNotification
661 294 0000A4C7 QueryPerformanceCounter
662 295 0002FA4E QueryPerformanceFrequency
663 296 0005C6F4 QueryWin31IniFilesMappedToRegistry
664 297 0002C092 QueueUserAPC
665 298 00030A6A QueueUserWorkItem
666 299 00012AA9 RaiseException
667 29A 00072B5D ReadConsoleA
668 29B 00074613 ReadConsoleInputA
669 29C 00074659 ReadConsoleInputExA
670 29D 0007467D ReadConsoleInputExW
671 29E 00074636 ReadConsoleInputW
672 29F 00073945 ReadConsoleOutputA
673 2A0 00073E65 ReadConsoleOutputAttribute
674 2A1 00073E19 ReadConsoleOutputCharacterA
675 2A2 00073E3F ReadConsoleOutputCharacterW
676 2A3 00073921 ReadConsoleOutputW
677 2A4 00072BAC ReadConsoleW
678 2A5 00031637 ReadDirectoryChangesW
679 2A6 00001812 ReadFile
680 2A7 0002BD0B ReadFileEx
681 2A8 0002DE61 ReadFileScatter
682 2A9 000021D0 ReadProcessMemory
683 2AA 00075BF9 RegisterConsoleIME
684 2AB 00075A09 RegisterConsoleOS2
685 2AC 00072C02 RegisterConsoleVDM
686 2AD 0001702E RegisterWaitForInputIdle
687 2AE 000211CD RegisterWaitForSingleObject
688 2AF 0002B086 RegisterWaitForSingleObjectEx
689 2B0 0005F632 RegisterWowBaseHandlers
690 2B1 00068AE9 RegisterWowExec
691 2B2 000130FF ReleaseActCtx
692 2B3 000024B7 ReleaseMutex
693 2B4 0000C04D ReleaseSemaphore
694 2B5 0005C1F1 RemoveDirectoryA
695 2B6 00036F8B RemoveDirectoryW
696 2B7 0005953C RemoveLocalAlternateComputerNameA
697 2B8 0005945B RemoveLocalAlternateComputerNameW
698 2B9 RemoveVectoredExceptionHandler (forwarded to NTDLL.RtlRemoveVectoredExceptionHandler)
699 2BA 00036C6C ReplaceFile
700 2BB 0005F2DF ReplaceFileA
701 2BC 00036C6C ReplaceFileW
702 2BD 00061BD7 RequestDeviceWakeup
703 2BE 00061B5C RequestWakeupLatency
704 2BF 0000A0DB ResetEvent
705 2C0 0005F7C5 ResetWriteWatch
706 2C1 RestoreLastError (forwarded to NTDLL.RtlRestoreLastWin32Error)
707 2C2 00032927 ResumeThread
708 2C3 RtlCaptureContext (forwarded to NTDLL.RtlCaptureContext)
709 2C4 RtlCaptureStackBackTrace (forwarded to NTDLL.RtlCaptureStackBackTrace)
710 2C5 RtlFillMemory (forwarded to NTDLL.RtlFillMemory)
711 2C6 RtlMoveMemory (forwarded to NTDLL.RtlMoveMemory)
712 2C7 RtlUnwind (forwarded to NTDLL.RtlUnwind)
713 2C8 RtlZeroMemory (forwarded to NTDLL.RtlZeroMemory)
714 2C9 00075061 ScrollConsoleScreenBufferA
715 2CA 00075085 ScrollConsoleScreenBufferW
716 2CB 000217EA SearchPathA
717 2CC 0000E77C SearchPathW
718 2CD 0007A903 SetCPGlobal
719 2CE 00076C16 SetCalendarInfoA
720 2CF 00077E5B SetCalendarInfoW
721 2D0 00059DD1 SetClientTimeZoneInformation
722 2D1 0006CCA5 SetComPlusPackageInstallStatus
723 2D2 00066ECF SetCommBreak
724 2D3 00067FEB SetCommConfig
725 2D4 00066EE7 SetCommMask
726 2D5 00066F86 SetCommState
727 2D6 0006728E SetCommTimeouts
728 2D7 00058720 SetComputerNameA
729 2D8 00058838 SetComputerNameExA
730 2D9 0005869F SetComputerNameExW
731 2DA 00058579 SetComputerNameW
732 2DB 00074BE8 SetConsoleActiveScreenBuffer
733 2DC 00075283 SetConsoleCP
734 2DD 00071B05 SetConsoleCommandHistoryMode
735 2DE 0001B2C3 SetConsoleCtrlHandler
736 2DF 0007302A SetConsoleCursor
737 2E0 00074DC4 SetConsoleCursorInfo
738 2E1 000758BF SetConsoleCursorMode
739 2E2 00074D4A SetConsoleCursorPosition
740 2E3 000731E0 SetConsoleDisplayMode
741 2E4 00075125 SetConsoleFont
742 2E5 00072E29 SetConsoleHardwareState
743 2E6 0007519F SetConsoleIcon
744 2E7 00071EE8 SetConsoleInputExeNameA