Display object code? optional. Break on process initialization? checked; no others checked. Prompt on all exception breakpoints? checked. StartService OpenService CreateService DeleteFile GetProcAddress CreateFile LoadLibrary LdrpInitializeProcess@20 - 0x0701 +0x77F75707 Delete the HDSPOOF.INI file (if present). Remove breakpoints on entry. Set IsDebuggerPresent flag to 0. +0x0041A418 Exception. Code starts @ 0x0041A46. Set a one-shot breakpoint @ 0x0041B770 <0x0041C137>. -0x0041B770 Set a one-shot breakpoint @ 0x0041C137. +0x0041C144 Run to here and check the zero box and uncheck the carry and overflow boxes. +0x0041C170 Run to here and set a one-shot breakpoint @ 0x0041CB17 <0x0041CB17>. +0x0041CBCB Run to here, set a one-shot breakpoint @ 0x0041D7CA and continue <0x0041D7CA>. +0x0041D7D5 Check the zero box and uncheck the carry and overflow boxes and set a one-shot breakpoint @ 0x0041E183. -0x0041E183 Continue. +0x0041F542 Exception. Set a one-shot breakpoint @ 0x0041FEF5 <0x00420899>. -0x0041FEF5 Set a one-shot breakpoint @ 0x00420899. +0x004208C6 Run to here, check the zero box and uncheck the carry and overflow boxes and set a one-shot breakpoint @ 0x00420A2B <0x00422761>. -0x00420A33 Run to here and set a one-shot breakpoint @ 0x004213E4. -0x004213E7 Run to here and set a one-shot breakpoint @ 0x00421D8E. -0x00421DBA Run to here and set a one-shot breakpoint @ 0x00422761. +0x00422787 Run to here, change contents of top DWORD on stack to 0 and set a one-shot breakpoint @ 0x00423132. -0x00423132 Set a one-shot breakpoint @ 0x00424E87. -0x00424E87 Set a one-shot breakpoint @ 0x00424EF2. Check ESI+0x8. -0x00424EF2 Set a one-shot breakpoint @ 0x00424F05. -0x00424F05 Set a one-shot breakpoint @ 0x00424F23. -0x00424F31 Run to here and set a one-shot breakpoint @ 0x00424FC9. Loop starts. -0x00424FC9 Set a one-shot breakpoint @ 0x0042501E. -0x00425060 Run to here, then continue. +0x00405B76 Exception. Set a one-shot breakpoint @ 0x00418EB0 <0x00418ED3>. -0x00418ED2 Run to here and single-step. Set a one-shot breakpoint @ 0x00418ED3. -0x77FB4DC6 Calls ZwContinue which means the exception was caught! Single-step. +0x00418ED3 Run to 0x00418F31. Sets up PECompact2 thunk code. -0x00418F5B Run to here. Calls PECompact2 thunk code. +0x00418F7B Run to here and single-step. +0x00405B60 Start of real program!