Trojan/Rustok-N Removal?



bighman
2009-08-24, 18:31
Wow. I have this damn thing on my computer, and Malwarebytes, Spybot and my antivirus programs will not work. Can someone please help me? I searched and have the following to post. I did download DDS and GMER to my desktop and await any help. Here is the DDS txt:

DDS (Ver_09-07-30.01) - NTFSx86
Run by harry at 9:21:05.20 on Mon 08/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1513 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\system32\svchost -k rpcss
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\svchost.exe -k NetworkService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\SpyNoMore\SNM.exe
D:\WINDOWS\system32\msdesk.exe
D:\WINDOWS\msgdop.exe
D:\WINDOWS\system32\SNDVOL32.EXE
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\harry\Desktop\dds.com
D:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail/?ui=1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\vstplu~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "d:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
mRun: [SNM] d:\program files\spynomore\SNM.exe /startup
mRun: [MS Desktop] d:\windows\system32\msdesk.exe
mExplorerRun: [Lsass Service] d:\documents and settings\harry\application data\microsoft\windows\lsass.exe
StartupFolder: d:\docume~1\harry\startm~1\programs\startup\datewi~1.lnk - d:\program files\bizware magic datewise\DATEwise3.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\vstplu~1\spybot~1\SDHelper.dll
Trusted Zone: beatport.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553525000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.26,85.255.112.73
TCP: {66A5B27F-5CAD-4B1B-BECE-F550FD5CE025} = 85.255.112.26,85.255.112.73
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\harry\applic~1\mozilla\firefox\profiles\a525am3d.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
FF - HiddenExtension: Internal security: No Registry Reference - d:\program files\mozilla firefox\extensions\{4A0EE8BE-5C35-43C0-B5F9-897371B13595}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2009-8-24 130936]
R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-8-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-8-17 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-8-17 185089]
R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2009-8-17 55656]
R2 EpmPsd;Acer EPM Power Scheme Driver;d:\windows\system32\drivers\epm-psd.sys [2007-4-14 4096]
R2 EpmShd;Acer EPM System Hardware Driver;d:\windows\system32\drivers\epm-shd.sys [2007-4-14 78208]
R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-8-24 348752]
R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-8-24 1097096]
S3 a8djavs;a8djavs;d:\windows\system32\drivers\a8djavs.sys [2009-4-17 25600]
S3 a8djusb;a8djusb;d:\windows\system32\drivers\a8djusb.sys [2009-4-17 85504]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-4-7 1684736]
S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\drivers\lv321av.sys --> d:\windows\system32\drivers\lv321av.sys [?]
S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [2007-4-14 16512]
S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\drivers\mausbcv.sys --> d:\windows\system32\drivers\mausbcv.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-08-24 03:50 30,208 a------- d:\windows\system32\msdesk.exe
2009-08-24 03:50 30,208 a------- d:\windows\msgdop.exe
2009-08-24 03:27 1,152 a------- d:\windows\system32\windrv.sys
2009-08-24 03:27 <DIR> --d----- d:\program files\SpyNoMore
2009-08-24 03:16 34,296 a------- d:\windows\system32\drivers\mbamcatchme.sys
2009-08-24 03:16 17,144 a------- d:\windows\system32\drivers\mbam.sys
2009-08-24 03:16 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-08-24 03:10 159,600 a------- d:\windows\system32\drivers\pctgntdi.sys
2009-08-24 03:10 130,936 a------- d:\windows\system32\drivers\PCTCore.sys
2009-08-24 03:10 73,840 a------- d:\windows\system32\drivers\PCTAppEvent.sys
2009-08-24 03:09 64,392 a------- d:\windows\system32\drivers\pctplsg.sys
2009-08-24 03:09 <DIR> --d----- d:\program files\Spyware Doctor
2009-08-24 03:09 <DIR> --d----- d:\docume~1\harry\applic~1\PC Tools
2009-08-24 03:09 <DIR> --d----- d:\docume~1\alluse~1\applic~1\PC Tools
2009-08-24 03:06 <DIR> --d----- d:\docume~1\harry\applic~1\GetRightToGo
2009-08-17 12:07 55,656 a------- d:\windows\system32\drivers\avgntflt.sys
2009-08-17 12:07 <DIR> --d----- d:\program files\Avira
2009-08-17 12:07 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avira
2009-08-11 00:25 <DIR> --d----- d:\program files\common files\Windows Live

==================== Find3M ====================

2007-10-13 13:58 167 ac------ d:\documents and settings\harry\udownload.dat
2004-02-04 20:53 24,070,405 a------- d:\documents and settings\harry\nero6303.exe
2004-01-31 20:54 331,776 ac------ d:\windows\inf\pdfinst2.exe

============= FINISH: 9:21:27.45 ===============

bighman
2009-08-24, 21:20
Here is the HJT info:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:03, on 8/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\SpyNoMore\SNM.exe
D:\WINDOWS\system32\msdesk.exe
D:\WINDOWS\msgdop.exe
D:\WINDOWS\system32\svchost.exe
D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\alg.exe
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Documents and Settings\harry\My Documents\Downloads\Applications\This.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?ui=1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM] "D:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SNM] D:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [MS Desktop] D:\WINDOWS\system32\msdesk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} (Java Plug-in 1.4.2_15) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{66A5B27F-5CAD-4B1B-BECE-F550FD5CE025}: NameServer = 85.255.112.26,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - D:\Program Files\Java\jre6\bin\jqs.exe" -service -config "D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

bighman
2009-08-24, 21:30
and hijack:

bighman
2009-08-24, 21:37
whoops double post
================

Admin edit:

FYI for future reference: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count. ;)

Blade81
2009-08-26, 22:26
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

bighman
2009-08-29, 05:52
Thanks for the info. I changed my passwords on another computer. Please help me clean it, thanks.

Blade81
2009-08-29, 10:14
Hi,

OK, please run the DDS that you seem to have there and post back both its reports.

Also, download GMER (http://www.gmer.net) by clicking the "download exe" button and saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while the scan is in progress!
When the scan is finished, click Copy. This copies the log to the clipboard.
Post the log in your reply.

bighman
2009-08-29, 11:20
DDS

DDS (Ver_09-07-30.01) - NTFSx86
Run by harry at 2:15:00.89 on Sat 08/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1512 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\system32\svchost -k rpcss
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\svchost.exe -k NetworkService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\harry\Desktop\dds.com
D:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail/?ui=1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [braviax] d:\windows\system32\braviax.exe
mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "d:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
mRun: [SNM] d:\program files\spynomore\SNM.exe /startup
mRun: [MS Desktop] d:\windows\system32\msdesk.exe
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
mRun: [braviax] d:\windows\system32\braviax.exe
mExplorerRun: [Lsass Service] d:\documents and settings\harry\application data\microsoft\windows\lsass.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
Trusted Zone: beatport.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553525000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.26,85.255.112.73
TCP: {66A5B27F-5CAD-4B1B-BECE-F550FD5CE025} = 85.255.112.26,85.255.112.73
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;d:\windows\system32\drivers\ikfilesec.sys [2009-8-26 42376]
R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-8-25 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-8-25 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-8-25 185089]
R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2009-8-17 55656]
R2 EpmPsd;Acer EPM Power Scheme Driver;d:\windows\system32\drivers\epm-psd.sys [2007-4-14 4096]
R2 EpmShd;Acer EPM System Hardware Driver;d:\windows\system32\drivers\epm-shd.sys [2007-4-14 78208]
R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-8-26 356920]
R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-8-26 1072008]
S1 IKSysFlt;System Filter Driver;d:\windows\system32\drivers\iksysflt.sys [2009-8-26 66952]
S1 IKSysSec;System Security Driver;d:\windows\system32\drivers\iksyssec.sys [2009-8-26 81288]
S3 a8djavs;a8djavs;d:\windows\system32\drivers\a8djavs.sys [2009-4-17 25600]
S3 a8djusb;a8djusb;d:\windows\system32\drivers\a8djusb.sys [2009-4-17 85504]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-4-7 1684736]
S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\drivers\lv321av.sys --> d:\windows\system32\drivers\lv321av.sys [?]
S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [2007-4-14 16512]
S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\drivers\mausbcv.sys --> d:\windows\system32\drivers\mausbcv.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-08-28 14:37 58,880 a------- d:\documents and settings\harry\file.exe
2009-08-28 14:37 11,264 a------- d:\windows\system32\braviax.VIR
2009-08-26 11:20 81,288 a------- d:\windows\system32\drivers\iksyssec.sys
2009-08-26 11:20 66,952 a------- d:\windows\system32\drivers\iksysflt.sys
2009-08-26 11:20 42,376 a------- d:\windows\system32\drivers\ikfilesec.sys
2009-08-26 11:20 29,576 a------- d:\windows\system32\drivers\kcom.sys
2009-08-26 11:20 <DIR> --d----- d:\program files\Spyware Doctor
2009-08-26 11:20 <DIR> --d----- d:\docume~1\harry\applic~1\PC Tools
2009-08-25 10:27 34,296 a------- d:\windows\system32\drivers\mbamcatchme.sys
2009-08-25 10:27 17,144 a------- d:\windows\system32\drivers\mbam.sys
2009-08-25 10:27 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-08-25 03:47 <DIR> --d----- d:\program files\Avira
2009-08-25 03:47 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avira
2009-08-25 01:59 <DIR> --d----- d:\program files\fluffy
2009-08-24 03:27 1,152 a------- d:\windows\system32\windrv.sys
2009-08-24 03:06 <DIR> --d----- d:\docume~1\harry\applic~1\GetRightToGo
2009-08-17 12:07 55,656 a------- d:\windows\system32\drivers\avgntflt.sys
2009-08-11 00:25 <DIR> --d----- d:\program files\common files\Windows Live

==================== Find3M ====================

2009-07-25 05:23 411,368 a------- d:\windows\system32\deploytk.dll
2007-10-13 13:58 167 ac------ d:\documents and settings\harry\udownload.dat
2004-02-04 20:53 24,070,405 a------- d:\documents and settings\harry\nero6303.exe
2004-01-31 20:54 331,776 ac------ d:\windows\inf\pdfinst2.exe

============= FINISH: 2:15:28.54 ===============

Gmer log will be next, got to scan first.

bighman
2009-08-29, 12:49
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-29 03:46:30
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT BAFD8D76 ZwCreateKey
SSDT BAFD8D6C ZwCreateThread
SSDT BAFD8D7B ZwDeleteKey
SSDT BAFD8D85 ZwDeleteValueKey
SSDT BAFD8D8A ZwLoadKey
SSDT BAFD8D58 ZwOpenProcess
SSDT BAFD8D5D ZwOpenThread
SSDT BAFD8D94 ZwReplaceKey
SSDT BAFD8D8F ZwRestoreKey
SSDT BAFD8D80 ZwSetValueKey
SSDT BAFD8D67 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? D:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\RTHDCPL.EXE[148] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 04580001
.text D:\WINDOWS\RTHDCPL.EXE[148] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\RTHDCPL.EXE[148] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008F0001
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Java\jre6\bin\jusched.exe[236] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C90001
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01990001
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01390001
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Java\jre6\bin\jqs.exe[652] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\csrss.exe[660] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01430001
.text D:\WINDOWS\system32\csrss.exe[660] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\csrss.exe[660] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\winlogon.exe[684] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01390001
.text D:\WINDOWS\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A

bighman
2009-08-29, 12:51
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\services.exe[728] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00960001
.text D:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\lsass.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E10001
.text D:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B90001
.text D:\WINDOWS\system32\svchost.exe[880] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\svchost.exe[880] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B30001
.text D:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00D70001
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] USER32.dll!SetWindowsHookExA

bighman
2009-08-29, 12:52
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00D20001
.text D:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1048] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\System32\svchost.exe[1048] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 025D0001
.text D:\WINDOWS\System32\svchost.exe[1048] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\System32\svchost.exe[1048] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Spyware Doctor\pctsTray.exe[1108] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 03B80001
.text D:\Program Files\Spyware Doctor\pctsTray.exe[1108] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044A815 D:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text D:\Program Files\Spyware Doctor\pctsTray.exe[1108] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Spyware Doctor\pctsTray.exe[1108] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 063C0001
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1124] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00730001
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Spyware Doctor\pctsAuxs.exe[1148] USER32.dll!SetWindowsHookExA

bighman
2009-08-29, 12:53
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B60001
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1208] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A80001
.text D:\WINDOWS\system32\svchost.exe[1288] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\svchost.exe[1288] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00710001
.text D:\WINDOWS\system32\svchost.exe[1336] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\svchost.exe[1336] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044A801 D:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\System32\svchost.exe[1460] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00860001
.text D:\WINDOWS\System32\svchost.exe[1460] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text D:\WINDOWS\System32\svchost.exe[1460] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\System32\svchost.exe[1460] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01250001
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1492] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01280001
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[1572] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01390001
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1580] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\Explorer.EXE[1584] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 012B0001
.text D:\WINDOWS\Explorer.EXE[1584] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\Explorer.EXE[1584] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
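
The GMER block above is hard to read by eye because every process repeats the same dozen ".text" lines, and each patched stub is split over two lines ("NtClose" and "NtClose + 4"). The script below is an added example, not GMER output and not code from the original poster: it parses these lines, merges the split reports back into one byte map per hooked function, decodes the FF 25 opcode (JMP DWORD PTR [disp32]) into the pointer it jumps through, and then counts in how many processes the identical hook appears. Two things are assumptions, marked in the code: that GMER lists only the bytes that differ from the on-disk image (which is why one byte of the 6-byte patch is never shown), and that the unreported byte at offset 3 equals 0x00, the value it has in XP's "mov eax, <syscall#>" ntdll stubs. The sample lines are copied verbatim from the log above.

```python
"""Parse GMER '.text' user-mode hook lines and summarise what was patched where.

Added example for reading the log above; it is not GMER output or code from
the original post. The SAMPLE lines are copied verbatim from that log.
"""
import re
from collections import Counter, defaultdict

# One GMER ".text" line: image[pid] module!func [+ off] addr N Byte(s) <[bytes] | CALL/JMP target>
LINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+"
    r"(?:\[(?P<bytes>[^\]]*)\]|(?P<mnem>CALL|JMP)\s+(?P<target>[0-9A-Fa-f]{8}))"
)

# ASSUMPTION: GMER lists only bytes that differ from the on-disk image, so a byte it
# skips inside a 6-byte "FF 25 disp32" patch still holds the original stub byte.
# XP ntdll stubs start "B8 <syscall#> 00 00 00" (mov eax, imm32), so offset 3 is 0x00.
UNREPORTED_FILL = {3: 0x00}

# Copied from the GMER log above (svchost.exe[1336], pctsSvc.exe[1412], Explorer.EXE[1584]).
SAMPLE = r"""
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00710001
.text D:\WINDOWS\system32\svchost.exe[1336] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Program Files\Spyware Doctor\pctsSvc.exe[1412] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044A801 D:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\Explorer.EXE[1584] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\Explorer.EXE[1584] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
"""


def parse_lines(text):
    """Yield one dict per GMER .text line; anything that is not a hook report is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("bytes")
        yield {
            "image": m.group("image").strip(),
            "pid": int(m.group("pid")),
            "name": f"{m.group('module')}!{m.group('func')}",
            "off": int(m.group("off") or "0", 16),          # offset of this report inside the function
            "bytes": None if raw is None else [int(b, 16) for b in raw.split(",")],
            "mnem": m.group("mnem"),
            "target": None if m.group("target") is None else int(m.group("target"), 16),
        }


def fmt(patch):
    """Render an offset->byte map as 'off:XX' pairs for the fallback description."""
    return " ".join("%d:%02X" % (i, patch[i]) for i in sorted(patch))


def describe(patch):
    """Decode the merged patched bytes of one function into a readable hook description."""
    if patch.get(0) == 0xFF and patch.get(1) == 0x25:
        # FF 25 disp32 = JMP DWORD PTR [disp32]: execution continues wherever the
        # 4-byte pointer stored at disp32 says, so disp32 is the hook's dispatch slot.
        disp = []
        for i in range(2, 6):
            b = patch.get(i, UNREPORTED_FILL.get(i))
            if b is None:                                    # cannot reconstruct, say so
                return "jmp dword ptr [?] (bytes %s)" % fmt(patch)
            disp.append(b)
        return "jmp dword ptr [0x%08X]" % int.from_bytes(bytes(disp), "little")
    return "patched bytes " + fmt(patch)


def summarise(text):
    """Return {(pid, image): {"module!func": description}} for every hooked process."""
    hooks = defaultdict(dict)
    patches = defaultdict(lambda: defaultdict(dict))          # (pid, image) -> name -> {off: byte}
    for rec in parse_lines(text):
        key = (rec["pid"], rec["image"])
        if rec["bytes"] is not None:
            for i, b in enumerate(rec["bytes"]):             # merge "Func" and "Func + 4" reports
                patches[key][rec["name"]][rec["off"] + i] = b
        else:                                                # GMER already decoded a CALL/JMP
            hooks[key][rec["name"]] = f"{rec['mnem'].lower()} 0x{rec['target']:08X}"
    for key, funcs in patches.items():
        for name, patch in funcs.items():
            hooks[key][name] = describe(patch)
    return hooks


def shared_hooks(hooks):
    """Count in how many processes each identical (function, hook) pair occurs."""
    counts = Counter()
    for funcs in hooks.values():
        counts.update(funcs.items())
    return counts


if __name__ == "__main__":
    hooks = summarise(SAMPLE)
    shared = shared_hooks(hooks)
    for (pid, image), funcs in sorted(hooks.items()):
        print(f"{image}[{pid}]")
        for name, desc in sorted(funcs.items()):
            tag = "shared" if shared[(name, desc)] > 1 else "unique"
            print(f"  {name:<32} {desc:<30} {tag}")
```

Run against the sample, svchost.exe[1336] and Explorer.EXE[1584] both come out with "jmp dword ptr [0x5F2C001E]" at NtClose and "jmp 0x5F320F5A" at SetWindowsHookExW, tagged shared, while the CreateThread CALL in pctsSvc.exe is unique to that process. Fed the whole log, the same split is the first thing to look at: hooks with byte-identical targets in every process come from one system-wide component and can be attributed together, and any process that lacks them, or that like pctsSvc.exe only carries a hook into its own image, deserves a separate look. The decoded pointer values depend on the offset-3 assumption; if a log shows a non-zero byte there, change UNREPORTED_FILL rather than trusting the printed address.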

bighman
2009-08-29, 12:54
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\hkcmd.exe[1672] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\hkcmd.exe[1672] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F20001
.text D:\WINDOWS\system32\hkcmd.exe[1672] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\hkcmd.exe[1672] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\igfxpers.exe[1748] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\igfxpers.exe[1748] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F90001
.text D:\WINDOWS\system32\igfxpers.exe[1748] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\igfxpers.exe[1748] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01060001
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\WDBtnMgr.exe[1804] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\spoolsv.exe[1828] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\spoolsv.exe[1828] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A90001
.text D:\WINDOWS\system32\spoolsv.exe[1828] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\spoolsv.exe[1828] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00FE0001
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe[2188] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\System32\alg.exe[3040] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\System32\alg.exe[3040] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 006D0001
.text D:\WINDOWS\System32\alg.exe[3040] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text D:\WINDOWS\System32\alg.exe[3040] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\System32\alg.exe[3040] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A

bighman
2009-08-29, 12:55
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\WINDOWS\system32\wscntfy.exe[3152] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\WINDOWS\system32\wscntfy.exe[3152] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 009E0001
.text D:\WINDOWS\system32\wscntfy.exe[3152] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text D:\WINDOWS\system32\wscntfy.exe[3152] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\WINDOWS\system32\wscntfy.exe[3152] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C60001
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[3520] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 003C0001
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes CALL 7170003D
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text D:\Documents and Settings\harry\Desktop\gmer.exe[3816] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A

---- Services - GMER 1.0.15 ----

Service D:\WINDOWS\system32\drivers\gxvxclyxgwrqppjhbaitliqlalkiifiplrdyw.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxclyxgwrqppjhbaitliqlalkiifiplrdyw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxclyxgwrqppjhbaitliqlalkiifiplrdyw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxckrwospxnivjoetobiuwyeilvwehrymfc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcveekkdqwbwnxypuyadrfqqhtqmxfkqgi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxclyxgwrqppjhbaitliqlalkiifiplrdyw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxclyxgwrqppjhbaitliqlalkiifiplrdyw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxckrwospxnivjoetobiuwyeilvwehrymfc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcveekkdqwbwnxypuyadrfqqhtqmxfkqgi.dll

---- EOF - GMER 1.0.15 ----

Blade81
2009-08-29, 13:18
Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

D:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

bighman
2009-08-29, 16:13
ComboFix 09-08-28.05 - harry 08/29/2009 6:59.6.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1581 [GMT -6:00]
Running from: d:\documents and settings\harry\My Documents\Downloads\Applications\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\Installer\189a2.msi
c:\windows\Installer\2232b9.msi
c:\windows\Installer\2232c0.msi
c:\windows\Installer\2232c7.msi
d:\$recycle.bin\S-1-5-21-1898654667-887474324-1671327827-1000
D:\Autorun.inf
d:\documents and settings\harry\Application Data\FunWebProducts
d:\documents and settings\harry\Application Data\FunWebProducts\Data\harry\avatar.dat
d:\documents and settings\harry\Application Data\FunWebProducts\Data\harry\zbucks.dat
d:\documents and settings\harry\Application Data\rhcrv5j0e3fe
d:\documents and settings\harry\file.exe
d:\program files\Mozilla Firefox\extensions\{4A0EE8BE-5C35-43C0-B5F9-897371B13595}
d:\program files\Mozilla Firefox\extensions\{4A0EE8BE-5C35-43C0-B5F9-897371B13595}\chrome.manifest
d:\program files\Mozilla Firefox\extensions\{4A0EE8BE-5C35-43C0-B5F9-897371B13595}\chrome\content\_cfg.js
d:\program files\Mozilla Firefox\extensions\{4A0EE8BE-5C35-43C0-B5F9-897371B13595}\chrome\content\overlay.xul
d:\program files\Mozilla Firefox\extensions\{4A0EE8BE-5C35-43C0-B5F9-897371B13595}\install.rdf
d:\program files\WinPCap
d:\program files\WinPCap\daemon_mgm.exe
d:\program files\WinPCap\npf_mgm.exe
d:\program files\WinPCap\rpcapd.exe
d:\recycler\S-1-5-21-1220945662-515967899-1801674531-1003
d:\windows\system32\404Fix.exe
d:\windows\system32\drivers\gxvxclyxgwrqppjhbaitliqlalkiifiplrdyw.sys
d:\windows\system32\dumphive.exe
d:\windows\system32\gxvxccount
d:\windows\system32\IEDFix.C.exe
d:\windows\system32\IEDFix.exe
d:\windows\system32\mnlyqqep.ini
d:\windows\system32\Process.exe
d:\windows\system32\SrchSTS.exe
d:\windows\system32\tmp.reg
d:\windows\system32\VACFix.exe
d:\windows\system32\VCCLSID.exe
d:\windows\system32\WS2Fix.exe
d:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gxvxcserv.sys
-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-28 20:37 . 2009-08-28 20:37 11264 ----a-w- d:\windows\system32\braviax.VIR
2009-08-26 17:20 . 2008-06-11 03:22 81288 ----a-w- d:\windows\system32\drivers\iksyssec.sys
2009-08-26 17:20 . 2008-06-02 21:19 29576 ----a-w- d:\windows\system32\drivers\kcom.sys
2009-08-26 17:20 . 2008-06-02 21:19 66952 ----a-w- d:\windows\system32\drivers\iksysflt.sys
2009-08-26 17:20 . 2008-06-02 21:19 42376 ----a-w- d:\windows\system32\drivers\ikfilesec.sys
2009-08-26 17:20 . 2009-08-26 17:20 -------- d-----w- d:\program files\Spyware Doctor
2009-08-26 17:20 . 2009-08-26 17:20 -------- d-----w- d:\documents and settings\harry\Application Data\PC Tools
2009-08-26 07:43 . 2009-08-26 07:43 152576 ----a-w- d:\documents and settings\harry\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-25 16:27 . 2009-08-25 17:01 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-25 16:27 . 2008-06-19 23:48 34296 ----a-w- d:\windows\system32\drivers\mbamcatchme.sys
2009-08-25 16:27 . 2008-06-19 23:47 17144 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-25 09:47 . 2009-03-30 16:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys
2009-08-25 09:47 . 2009-02-13 18:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys
2009-08-25 09:47 . 2009-02-13 18:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys
2009-08-25 09:47 . 2009-08-25 09:47 -------- d-----w- d:\program files\Avira
2009-08-25 09:47 . 2009-08-25 09:47 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2009-08-25 07:59 . 2009-08-25 08:01 -------- d-----w- d:\program files\fluffy
2009-08-24 09:27 . 2009-08-24 09:27 1152 ----a-w- d:\windows\system32\windrv.sys
2009-08-24 09:06 . 2009-08-24 09:09 -------- d-----w- d:\documents and settings\harry\Application Data\GetRightToGo
2009-08-17 18:07 . 2009-07-28 22:33 55656 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2009-08-11 06:25 . 2009-08-11 06:25 -------- d-----w- d:\program files\Common Files\Windows Live
2009-08-11 06:18 . 2009-08-11 06:18 15240 ----a-w- d:\documents and settings\harry\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 12:38 . 2007-09-11 17:39 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-26 17:13 . 2008-05-13 17:42 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 07:43 . 2009-01-08 17:48 -------- d-----w- d:\program files\Java
2009-08-25 06:54 . 2008-05-03 16:25 -------- d-----w- d:\program files\Common Files\PC Tools
2009-08-24 15:43 . 2008-10-21 18:14 -------- d-----w- d:\program files\BizWare Magic DATEwise
2009-08-22 04:15 . 2007-10-12 23:44 -------- d-----w- d:\program files\PC Tools AntiVirus
2009-08-17 18:02 . 2009-04-16 16:32 -------- d-----w- d:\documents and settings\harry\Application Data\uTorrent
2009-07-25 11:23 . 2009-01-08 17:49 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-07-14 13:08 . 2008-10-23 08:32 -------- d-----w- d:\documents and settings\harry\Application Data\Apple Computer
2009-06-19 22:55 . 2009-06-19 22:55 152576 ----a-w- d:\documents and settings\harry\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="d:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="d:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="d:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"EOUApp"="d:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 569413]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [BU]
"Adobe Photo Downloader"="d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [BU]
"ISUSPM"="d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [BU]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"WD Button Manager"="WDBtnMgr.exe" - d:\windows\system32\WDBtnMgr.exe [2008-03-05 364544]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.EXE [2009-03-27 17567744]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [8/25/2009 3:47 AM 108289]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [4/7/2009 12:23 PM 1684736]
S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\DRIVERS\lv321av.sys --> d:\windows\system32\DRIVERS\lv321av.sys [?]
S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [4/14/2007 6:39 PM 16512]
S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\DRIVERS\mausbcv.sys --> d:\windows\system32\DRIVERS\mausbcv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\Spyware Doctor\pctsAuxs.exe [8/26/2009 11:20 AM 356920]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-SNM - d:\program files\SpyNoMore\SNM.exe
HKLM-Run-MS Desktop - d:\windows\system32\msdesk.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/?ui=1
Trusted Zone: beatport.com\www
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 07:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3116)
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Intel\Wireless\Bin\EvtEng.exe
d:\program files\Intel\Wireless\Bin\S24EvMon.exe
d:\program files\Avira\AntiVir Desktop\avguard.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Intel\Wireless\Bin\RegSrvc.exe
d:\windows\system32\wscntfy.exe
d:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
d:\docume~1\harry\LOCALS~1\temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-08-29 7:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-29 13:08
ComboFix2.txt 2008-07-14 07:17
ComboFix3.txt 2008-06-28 14:51
ComboFix4.txt 2008-05-15 06:43

Pre-Run: 9,824,120,832 bytes free
Post-Run: 28,107,919,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="DJ Xp" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

183 --- E O F --- 2007-12-21 18:18


AND DDS


DDS (Ver_09-07-30.01) - NTFSx86
Run by harry at 7:09:00.06 on Sat 08/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1603 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\RTHDCPL.EXE
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\harry\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail/?ui=1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "d:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
Trusted Zone: beatport.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553525000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-8-25 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-8-25 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-8-25 185089]
R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2009-8-17 55656]
R2 EpmPsd;Acer EPM Power Scheme Driver;d:\windows\system32\drivers\epm-psd.sys [2007-4-14 4096]
R2 EpmShd;Acer EPM System Hardware Driver;d:\windows\system32\drivers\epm-shd.sys [2007-4-14 78208]
S3 a8djavs;a8djavs;d:\windows\system32\drivers\a8djavs.sys [2009-4-17 25600]
S3 a8djusb;a8djusb;d:\windows\system32\drivers\a8djusb.sys [2009-4-17 85504]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-4-7 1684736]
S3 IKFileSec;File Security Driver;d:\windows\system32\drivers\ikfilesec.sys [2009-8-26 42376]
S3 IKSysFlt;System Filter Driver;d:\windows\system32\drivers\iksysflt.sys [2009-8-26 66952]
S3 IKSysSec;System Security Driver;d:\windows\system32\drivers\iksyssec.sys [2009-8-26 81288]
S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\drivers\lv321av.sys --> d:\windows\system32\drivers\lv321av.sys [?]
S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [2007-4-14 16512]
S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\drivers\mausbcv.sys --> d:\windows\system32\drivers\mausbcv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-8-26 356920]
S3 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-8-26 1072008]

=============== Created Last 30 ================

2009-08-29 07:07 <DIR> -cd----- d:\windows\system32\dllcache\cache
2009-08-29 06:59 <DIR> a-dshr-- D:\cmdcons
2009-08-29 06:51 229,376 a------- d:\windows\PEV.exe
2009-08-29 06:51 161,792 a------- d:\windows\SWREG.exe
2009-08-29 06:51 98,816 a------- d:\windows\sed.exe
2009-08-28 14:37 11,264 a------- d:\windows\system32\braviax.VIR
2009-08-26 11:20 81,288 a------- d:\windows\system32\drivers\iksyssec.sys
2009-08-26 11:20 66,952 a------- d:\windows\system32\drivers\iksysflt.sys
2009-08-26 11:20 42,376 a------- d:\windows\system32\drivers\ikfilesec.sys
2009-08-26 11:20 29,576 a------- d:\windows\system32\drivers\kcom.sys
2009-08-26 11:20 <DIR> --d----- d:\program files\Spyware Doctor
2009-08-26 11:20 <DIR> --d----- d:\docume~1\harry\applic~1\PC Tools
2009-08-25 10:27 34,296 a------- d:\windows\system32\drivers\mbamcatchme.sys
2009-08-25 10:27 17,144 a------- d:\windows\system32\drivers\mbam.sys
2009-08-25 10:27 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-08-25 03:47 <DIR> --d----- d:\program files\Avira
2009-08-25 03:47 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avira
2009-08-25 01:59 <DIR> --d----- d:\program files\fluffy
2009-08-24 03:27 1,152 a------- d:\windows\system32\windrv.sys
2009-08-24 03:06 <DIR> --d----- d:\docume~1\harry\applic~1\GetRightToGo
2009-08-17 12:07 55,656 a------- d:\windows\system32\drivers\avgntflt.sys
2009-08-11 00:25 <DIR> --d----- d:\program files\common files\Windows Live

==================== Find3M ====================

2009-07-25 05:23 411,368 a------- d:\windows\system32\deploytk.dll
2007-10-13 13:58 167 ac------ d:\documents and settings\harry\udownload.dat
2004-02-04 20:53 24,070,405 a------- d:\documents and settings\harry\nero6303.exe
2004-01-31 20:54 331,776 ac------ d:\windows\inf\pdfinst2.exe

============= FINISH: 7:09:16.70 ===============

Blade81
2009-08-29, 16:47
Hi,

Post also contents of attach.txt, please.

bighman
2009-08-29, 18:05
DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by harry at 9:02:16.98 on Sat 08/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1564 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\WINDOWS\RTHDCPL.EXE
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\harry\My Documents\Downloads\Applications\Malware Apps\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail/?ui=1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "d:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
Trusted Zone: beatport.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553525000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-8-25 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-8-25 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-8-25 185089]
R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2009-8-17 55656]
R2 EpmPsd;Acer EPM Power Scheme Driver;d:\windows\system32\drivers\epm-psd.sys [2007-4-14 4096]
R2 EpmShd;Acer EPM System Hardware Driver;d:\windows\system32\drivers\epm-shd.sys [2007-4-14 78208]
S3 a8djavs;a8djavs;d:\windows\system32\drivers\a8djavs.sys [2009-4-17 25600]
S3 a8djusb;a8djusb;d:\windows\system32\drivers\a8djusb.sys [2009-4-17 85504]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-4-7 1684736]
S3 IKFileSec;File Security Driver;d:\windows\system32\drivers\ikfilesec.sys [2009-8-26 42376]
S3 IKSysFlt;System Filter Driver;d:\windows\system32\drivers\iksysflt.sys [2009-8-26 66952]
S3 IKSysSec;System Security Driver;d:\windows\system32\drivers\iksyssec.sys [2009-8-26 81288]
S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\drivers\lv321av.sys --> d:\windows\system32\drivers\lv321av.sys [?]
S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [2007-4-14 16512]
S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\drivers\mausbcv.sys --> d:\windows\system32\drivers\mausbcv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-8-26 356920]
S3 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-8-26 1072008]

=============== Created Last 30 ================

2009-08-29 07:07 <DIR> -cd----- d:\windows\system32\dllcache\cache
2009-08-29 06:59 <DIR> a-dshr-- D:\cmdcons
2009-08-29 06:51 229,376 a------- d:\windows\PEV.exe
2009-08-29 06:51 161,792 a------- d:\windows\SWREG.exe
2009-08-29 06:51 98,816 a------- d:\windows\sed.exe
2009-08-28 14:37 11,264 a------- d:\windows\system32\braviax.VIR
2009-08-26 11:20 81,288 a------- d:\windows\system32\drivers\iksyssec.sys
2009-08-26 11:20 66,952 a------- d:\windows\system32\drivers\iksysflt.sys
2009-08-26 11:20 42,376 a------- d:\windows\system32\drivers\ikfilesec.sys
2009-08-26 11:20 29,576 a------- d:\windows\system32\drivers\kcom.sys
2009-08-26 11:20 <DIR> --d----- d:\program files\Spyware Doctor
2009-08-26 11:20 <DIR> --d----- d:\docume~1\harry\applic~1\PC Tools
2009-08-25 10:27 34,296 a------- d:\windows\system32\drivers\mbamcatchme.sys
2009-08-25 10:27 17,144 a------- d:\windows\system32\drivers\mbam.sys
2009-08-25 10:27 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-08-25 03:47 <DIR> --d----- d:\program files\Avira
2009-08-25 03:47 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avira
2009-08-25 01:59 <DIR> --d----- d:\program files\fluffy
2009-08-24 03:27 1,152 a------- d:\windows\system32\windrv.sys
2009-08-24 03:06 <DIR> --d----- d:\docume~1\harry\applic~1\GetRightToGo
2009-08-17 12:07 55,656 a------- d:\windows\system32\drivers\avgntflt.sys
2009-08-11 00:25 <DIR> --d----- d:\program files\common files\Windows Live

==================== Find3M ====================

2009-07-25 05:23 411,368 a------- d:\windows\system32\deploytk.dll
2007-10-13 13:58 167 ac------ d:\documents and settings\harry\udownload.dat
2004-02-04 20:53 24,070,405 a------- d:\documents and settings\harry\nero6303.exe
2004-01-31 20:54 331,776 ac------ d:\windows\inf\pdfinst2.exe

============= FINISH: 9:02:34.56 ===============


Attach log:
DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/15/2007 1:03:32 PM
System Uptime: 8/29/2009 7:03:06 AM (2 hours ago)

Motherboard: Acer | | Grapevine
Processor: Genuine Intel(R) CPU T2250 @ 1.73GHz | U1 | 1729/133mhz
Processor: Genuine Intel(R) CPU T2250 @ 1.73GHz | U1 | 1728/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 53 GiB total, 31.002 GiB free.
D: is FIXED (NTFS) - 52 GiB total, 26.176 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_00901025&REV_02\4&6B16D5B&0&08F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_00901025&REV_02\4&6B16D5B&0&08F0
Service: bcm4sbxp

Class GUID: {72631E54-78A4-11D0-BCF7-00AA00B7B32A}
Description: Microsoft ACPI-Compliant Control Method Battery
Device ID: ACPI\PNP0C0A\1
Manufacturer: Microsoft
Name: Microsoft ACPI-Compliant Control Method Battery
PNP Device ID: ACPI\PNP0C0A\1
Service: CmBatt

==== System Restore Points ===================

RP528: 8/15/2009 10:37:11 PM - System Checkpoint
RP529: 8/25/2009 1:06:08 AM - System Checkpoint
RP530: 8/26/2009 1:33:56 AM - System Checkpoint
RP531: 8/26/2009 1:43:30 AM - Installed Java(TM) 6 Update 15
RP532: 8/27/2009 2:14:36 PM - System Checkpoint
RP533: 8/28/2009 4:48:50 PM - System Checkpoint

==== Installed Programs ======================

Acer eDataSecurity Management
Acer eDataSecurity Management 1.00.23
Acer eNet Management
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Apple Mobile Device Support
Apple Software Update
Ares 2.0.8
Avira AntiVir Personal - Free Antivirus
Cool Edit Pro v1.2a
Driver Detective
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
HP Product Detection
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Java(TM) 6 Update 15
jZip
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mEoU
mHelp
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mIWA
Mixed In Key 3
mLogView
mMHouse
Mp3tag v2.41
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
mWlsSafe
mXML
mZConfig
Native Instruments - Audio 8 DJ Driver
Native Instruments Service Center
Native Instruments Traktor DJ Studio 3
Native Instruments Traktor Scratch
Nero 6 Ultra Edition
NI Service Center
NVIDIA Drivers
Paint.NET v3.36
QuickTime
Realtek High Definition Audio Driver
Scratch LIVE 1.8.2 (18221)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shuangs WAV to MP3 Converter 2.2
SMSC IrCC V5.1.3600.5 SP2
Spelling Dictionaries Support For Adobe Reader 9
Spyware Doctor 6.0
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VistaBootPRO 3.1
WD Diagnostics
WDCSAM Driver
WebFldrs XP
Winamp (remove only)
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (12/05/2006 1.0.0007.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781

==== Event Viewer Messages From Past Week ========

8/29/2009 6:51:49 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
8/29/2009 6:51:35 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
8/27/2009 12:38:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IKSysFlt IKSysSec
8/26/2009 8:26:15 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0018DE377D94. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/25/2009 12:56:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/25/2009 12:56:01 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 12:56:01 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 12:56:01 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 12:56:01 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 12:56:01 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 12:48:40 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/25/2009 12:47:41 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
8/25/2009 1:07:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/25/2009 1:04:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
8/25/2009 1:01:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/25/2009 1:01:19 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/24/2009 9:43:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
8/24/2009 9:43:01 AM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

bighman
2009-08-29, 18:06
Sorry, but I re-scanned and re-posted the DDS to get the Attach file...

Blade81
2009-08-29, 18:15
Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

File::
d:\windows\system32\braviax.VIR
Folder::
d:\documents and settings\harry\Application Data\uTorrent
DDS::
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log (attach.txt is not needed now) and above mentioned ComboFix resultant log.

bighman
2009-08-29, 21:57
Here is a DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by harry at 12:55:19.85 on Sat 08/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1264 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\WDBtnMgr.exe
D:\WINDOWS\RTHDCPL.EXE
D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Java\jre6\bin\java.exe
D:\Documents and Settings\harry\My Documents\Downloads\Applications\Malware Apps\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail/?ui=1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "d:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [igfxtray] d:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
mRun: [igfxpers] d:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
Trusted Zone: beatport.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553525000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-8-25 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-8-25 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-8-25 185089]
R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2009-8-17 55656]
R2 EpmPsd;Acer EPM Power Scheme Driver;d:\windows\system32\drivers\epm-psd.sys [2007-4-14 4096]
R2 EpmShd;Acer EPM System Hardware Driver;d:\windows\system32\drivers\epm-shd.sys [2007-4-14 78208]
S3 a8djavs;a8djavs;d:\windows\system32\drivers\a8djavs.sys [2009-4-17 25600]
S3 a8djusb;a8djusb;d:\windows\system32\drivers\a8djusb.sys [2009-4-17 85504]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-4-7 1684736]
S3 IKFileSec;File Security Driver;d:\windows\system32\drivers\ikfilesec.sys [2009-8-26 42376]
S3 IKSysFlt;System Filter Driver;d:\windows\system32\drivers\iksysflt.sys [2009-8-26 66952]
S3 IKSysSec;System Security Driver;d:\windows\system32\drivers\iksyssec.sys [2009-8-26 81288]
S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\drivers\lv321av.sys --> d:\windows\system32\drivers\lv321av.sys [?]
S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [2007-4-14 16512]
S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\drivers\mausbcv.sys --> d:\windows\system32\drivers\mausbcv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-8-26 356920]
S3 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-8-26 1072008]

=============== Created Last 30 ================

2009-08-29 09:55 <DIR> --ds---- D:\ComboFix
2009-08-29 07:07 <DIR> -cd----- d:\windows\system32\dllcache\cache
2009-08-29 06:59 <DIR> a-dshr-- D:\cmdcons
2009-08-29 06:51 229,376 a------- d:\windows\PEV.exe
2009-08-29 06:51 161,792 a------- d:\windows\SWREG.exe
2009-08-29 06:51 98,816 a------- d:\windows\sed.exe
2009-08-26 11:20 81,288 a------- d:\windows\system32\drivers\iksyssec.sys
2009-08-26 11:20 66,952 a------- d:\windows\system32\drivers\iksysflt.sys
2009-08-26 11:20 42,376 a------- d:\windows\system32\drivers\ikfilesec.sys
2009-08-26 11:20 29,576 a------- d:\windows\system32\drivers\kcom.sys
2009-08-26 11:20 <DIR> --d----- d:\program files\Spyware Doctor
2009-08-26 11:20 <DIR> --d----- d:\docume~1\harry\applic~1\PC Tools
2009-08-25 10:27 34,296 a------- d:\windows\system32\drivers\mbamcatchme.sys
2009-08-25 10:27 17,144 a------- d:\windows\system32\drivers\mbam.sys
2009-08-25 10:27 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-08-25 03:47 <DIR> --d----- d:\program files\Avira
2009-08-25 03:47 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avira
2009-08-25 01:59 <DIR> --d----- d:\program files\fluffy
2009-08-24 03:27 1,152 a------- d:\windows\system32\windrv.sys
2009-08-24 03:06 <DIR> --d----- d:\docume~1\harry\applic~1\GetRightToGo
2009-08-17 12:07 55,656 a------- d:\windows\system32\drivers\avgntflt.sys
2009-08-11 00:25 <DIR> --d----- d:\program files\common files\Windows Live

==================== Find3M ====================

2009-07-25 05:23 411,368 a------- d:\windows\system32\deploytk.dll
2007-10-13 13:58 167 ac------ d:\documents and settings\harry\udownload.dat
2004-02-04 20:53 24,070,405 a------- d:\documents and settings\harry\nero6303.exe
2004-01-31 20:54 331,776 ac------ d:\windows\inf\pdfinst2.exe

============= FINISH: 12:55:53.82 ===============



and the combo log

ComboFix 09-08-28.05 - harry 08/29/2009 9:56.7.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1618 [GMT -6:00]
Running from: d:\documents and settings\harry\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\harry\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"d:\windows\system32\braviax.VIR"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\harry\Application Data\uTorrent
d:\documents and settings\harry\Application Data\uTorrent\dht.dat
d:\documents and settings\harry\Application Data\uTorrent\resume.dat
d:\documents and settings\harry\Application Data\uTorrent\resume.dat.old
d:\documents and settings\harry\Application Data\uTorrent\rss.dat
d:\documents and settings\harry\Application Data\uTorrent\settings.dat
d:\documents and settings\harry\Application Data\uTorrent\settings.dat.old
d:\documents and settings\harry\Application Data\uTorrent\UK #1 Bhangra Hits [Pao-Bhangra.com][Hub][Oct 05].torrent
d:\windows\system32\braviax.VIR

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))
.

2009-08-26 17:20 . 2008-06-11 03:22 81288 ----a-w- d:\windows\system32\drivers\iksyssec.sys
2009-08-26 17:20 . 2008-06-02 21:19 29576 ----a-w- d:\windows\system32\drivers\kcom.sys
2009-08-26 17:20 . 2008-06-02 21:19 66952 ----a-w- d:\windows\system32\drivers\iksysflt.sys
2009-08-26 17:20 . 2008-06-02 21:19 42376 ----a-w- d:\windows\system32\drivers\ikfilesec.sys
2009-08-26 17:20 . 2009-08-26 17:20 -------- d-----w- d:\program files\Spyware Doctor
2009-08-26 17:20 . 2009-08-26 17:20 -------- d-----w- d:\documents and settings\harry\Application Data\PC Tools
2009-08-26 07:43 . 2009-08-26 07:43 152576 ----a-w- d:\documents and settings\harry\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-25 16:27 . 2009-08-25 17:01 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-25 16:27 . 2008-06-19 23:48 34296 ----a-w- d:\windows\system32\drivers\mbamcatchme.sys
2009-08-25 16:27 . 2008-06-19 23:47 17144 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-25 09:47 . 2009-03-30 16:33 96104 ----a-w- d:\windows\system32\drivers\avipbb.sys
2009-08-25 09:47 . 2009-02-13 18:29 22360 ----a-w- d:\windows\system32\drivers\avgntmgr.sys
2009-08-25 09:47 . 2009-02-13 18:17 45416 ----a-w- d:\windows\system32\drivers\avgntdd.sys
2009-08-25 09:47 . 2009-08-25 09:47 -------- d-----w- d:\program files\Avira
2009-08-25 09:47 . 2009-08-25 09:47 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2009-08-25 07:59 . 2009-08-25 08:01 -------- d-----w- d:\program files\fluffy
2009-08-24 09:27 . 2009-08-24 09:27 1152 ----a-w- d:\windows\system32\windrv.sys
2009-08-24 09:06 . 2009-08-24 09:09 -------- d-----w- d:\documents and settings\harry\Application Data\GetRightToGo
2009-08-17 18:07 . 2009-07-28 22:33 55656 ----a-w- d:\windows\system32\drivers\avgntflt.sys
2009-08-11 06:25 . 2009-08-11 06:25 -------- d-----w- d:\program files\Common Files\Windows Live
2009-08-11 06:18 . 2009-08-11 06:18 15240 ----a-w- d:\documents and settings\harry\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 12:38 . 2007-09-11 17:39 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-26 17:13 . 2008-05-13 17:42 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 07:43 . 2009-01-08 17:48 -------- d-----w- d:\program files\Java
2009-08-25 06:54 . 2008-05-03 16:25 -------- d-----w- d:\program files\Common Files\PC Tools
2009-08-24 15:43 . 2008-10-21 18:14 -------- d-----w- d:\program files\BizWare Magic DATEwise
2009-08-22 04:15 . 2007-10-12 23:44 -------- d-----w- d:\program files\PC Tools AntiVirus
2009-07-25 11:23 . 2009-01-08 17:49 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-07-14 13:08 . 2008-10-23 08:32 -------- d-----w- d:\documents and settings\harry\Application Data\Apple Computer
2009-06-19 22:55 . 2009-06-19 22:55 152576 ----a-w- d:\documents and settings\harry\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-29_13.04.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-08-28 20:45 58800 d:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-08-29 13:08 58800 d:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-08-29 13:08 392626 d:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-08-28 20:45 392626 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="d:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="d:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="d:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"EOUApp"="d:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 569413]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [BU]
"Adobe Photo Downloader"="d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [BU]
"ISUSPM"="d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [BU]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"WD Button Manager"="WDBtnMgr.exe" - d:\windows\system32\WDBtnMgr.exe [2008-03-05 364544]
"RTHDCPL"="RTHDCPL.EXE" - d:\windows\RTHDCPL.EXE [2009-03-27 17567744]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [8/25/2009 3:47 AM 108289]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [4/7/2009 12:23 PM 1684736]
S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\DRIVERS\lv321av.sys --> d:\windows\system32\DRIVERS\lv321av.sys [?]
S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [4/14/2007 6:39 PM 16512]
S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\DRIVERS\mausbcv.sys --> d:\windows\system32\DRIVERS\mausbcv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\Spyware Doctor\pctsAuxs.exe [8/26/2009 11:20 AM 356920]

--- Other Services/Drivers In Memory ---

*Deregistered* - wdyafakj
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/?ui=1
Trusted Zone: beatport.com\www
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 09:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-29 10:00
ComboFix-quarantined-files.txt 2009-08-29 16:00
ComboFix2.txt 2009-08-29 13:08
ComboFix3.txt 2008-07-14 07:17
ComboFix4.txt 2008-06-28 14:51
ComboFix5.txt 2009-08-29 15:55

Pre-Run: 28,108,300,288 bytes free
Post-Run: 28,096,512,000 bytes free

131 --- E O F --- 2007-12-21 18:18

I'm running the Kaspersky scanner and did it wrong the first time; it wouldn't save out the log. Anyway, it said it found two threats. I'll post the findings when the scan is done.
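A way to read the firewall-policy and in-memory service sections of a ComboFix log like the one above, as an added example that is not part of the thread or of ComboFix itself: the parsing rules are inferred from the log format shown, and the sample excerpt is constructed from the entries above.

```python
"""Triage the registry and service sections of a ComboFix log.

Added example, not part of the thread or of ComboFix: the parsing rules are
inferred from the log format shown in the thread, and SAMPLE_LOG is a
constructed excerpt modelled on the "Reg Loading Points" section above.
"""
import re

SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="d:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Ares\\Ares.exe"=

--- Other Services/Drivers In Memory ---

*Deregistered* - wdyafakj
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
DEREGISTERED_RE = re.compile(r'^\*Deregistered\*\s+-\s+(\S+)', re.M)


def parse_reg_sections(text):
    """Map each [key] block in the REGEDIT4 dump to its (name, raw value) pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections[current] = []
            continue
        value = VALUE_RE.match(line)
        if current is not None and value:
            sections[current].append((value.group(1), value.group(2).strip()))
    return sections


def firewall_findings(sections):
    """Flag a disabled Windows Firewall and list every program-level exception."""
    findings = []
    for key, values in sections.items():
        lower = key.lower()
        if lower.endswith('firewallpolicy\\standardprofile'):
            for name, raw in values:
                # ComboFix prints DWORDs as "0 (0x0)"; the first token is the decimal value.
                if name.lower() == 'enablefirewall' and raw.split()[0] == '0':
                    findings.append('Windows Firewall is disabled in the standard profile')
        elif lower.endswith('authorizedapplications\\list'):
            for name, _ in values:
                # The exported key doubles backslashes; undo that for readability.
                findings.append('Firewall exception: ' + name.replace('\\\\', '\\'))
    return findings


def deregistered_services(text):
    """Return services ComboFix reports as loaded in memory but no longer registered."""
    return DEREGISTERED_RE.findall(text)


def triage(text):
    """Run all checks over one log and return them in a single report."""
    sections = parse_reg_sections(text)
    return {
        'firewall': firewall_findings(sections),
        'deregistered_services': deregistered_services(text),
    }


if __name__ == '__main__':
    for heading, items in triage(SAMPLE_LOG).items():
        print(heading)
        for item in items:
            print('  -', item)
```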

bighman
2009-08-30, 01:02
Here is the KAS report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, August 29, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 29, 2009 20:15:31
Records in database: 2705419
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 58413
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 01:21:40


File name / Threat / Threats count
D:\Documents and Settings\harry\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-1d993038 Infected: Exploit.Java.ByteVerify 1
D:\Documents and Settings\harry\My Documents\Downloads\Applications\ZwinkySetup2.3.50.45.ZJman000.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.fh 1
D:\QooBox\Quarantine\D\Documents and Settings\harry\file.exe.vir Infected: Trojan-Dropper.Win32.FrauDrop.jo 1
D:\System Volume Information\_restore{0C8F5786-58E9-4A3D-A8ED-D49E3DD4E0D8}\RP532\A0218957.dll Infected: Trojan.Win32.Agent2.kit 1
D:\System Volume Information\_restore{0C8F5786-58E9-4A3D-A8ED-D49E3DD4E0D8}\RP533\A0219150.exe Infected: Trojan-Dropper.Win32.FrauDrop.jo 1

Selected area has been scanned.
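A way to group these detections by where the object lives (a live user path, ComboFix's quarantine folder, or a System Restore point), which is how a helper decides what needs manual deletion and what a System Restore reset or a ComboFix uninstall already covers. This is an added example, not part of the thread or of Kaspersky's tools; the sample excerpt is constructed from the entries in the report above.

```python
"""Sort Kaspersky Online Scanner findings by where the infected object lives.

Added example, not part of the thread or of Kaspersky's tools: the report
layout is taken from the log shown above, and SAMPLE_REPORT is a constructed
excerpt built from the entries listed there.
"""
import re

SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 58413
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0

File name / Threat / Threats count
D:\Documents and Settings\harry\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-1d993038 Infected: Exploit.Java.ByteVerify 1
D:\Documents and Settings\harry\My Documents\Downloads\Applications\ZwinkySetup2.3.50.45.ZJman000.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.fh 1
D:\QooBox\Quarantine\D\Documents and Settings\harry\file.exe.vir Infected: Trojan-Dropper.Win32.FrauDrop.jo 1
D:\System Volume Information\_restore{0C8F5786-58E9-4A3D-A8ED-D49E3DD4E0D8}\RP532\A0218957.dll Infected: Trojan.Win32.Agent2.kit 1
D:\System Volume Information\_restore{0C8F5786-58E9-4A3D-A8ED-D49E3DD4E0D8}\RP533\A0219150.exe Infected: Trojan-Dropper.Win32.FrauDrop.jo 1

Selected area has been scanned.
"""

FINDING_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$', re.M)
STAT_RE = re.compile(r'^Infected objects found: (\d+)$', re.M)


def parse_findings(report):
    """Return one (path, threat, count) tuple per detection line in the report."""
    return [(m.group('path'), m.group('threat'), int(m.group('count')))
            for m in FINDING_RE.finditer(report)]


def classify(path):
    """Decide what action a detection at this path actually calls for."""
    lower = path.lower()
    if '\\system volume information\\_restore' in lower:
        # Old restore-point copies; clearing System Restore removes them all at once.
        return 'restore_point'
    if '\\qoobox\\quarantine\\' in lower:
        # Already neutralised by ComboFix; goes away when ComboFix is uninstalled.
        return 'quarantined'
    return 'live'


def triage(report):
    """Group detections by category and check the report's own object count."""
    findings = parse_findings(report)
    stated = STAT_RE.search(report)
    groups = {'live': [], 'quarantined': [], 'restore_point': []}
    for path, threat, _ in findings:
        groups[classify(path)].append((path, threat))
    return {
        'groups': groups,
        # A mismatch here means lines were truncated or the format has changed.
        'count_matches': stated is not None and int(stated.group(1)) == len(findings),
    }


if __name__ == '__main__':
    result = triage(SAMPLE_REPORT)
    for category, items in result['groups'].items():
        print(f'{category} ({len(items)}):')
        for path, threat in items:
            print(f'  {threat}\n    {path}')
    print('object count consistent:', result['count_matches'])
```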

Blade81
2009-08-30, 01:14
Hi,

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete these files if found:
D:\Documents and Settings\harry\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-1d993038
D:\Documents and Settings\harry\My Documents\Downloads\Applications\ZwinkySetup2.3.50.45.ZJman000.exe

How's the system running?

bighman
2009-08-30, 02:34
So after I show hidden files, do I run a scan again? Which scan finds those files?

Blade81
2009-08-30, 11:08
Delete those two files manually if you find them. No need to run scanner again :)

bighman
2009-08-31, 22:52
OK, so I found and deleted those files, and so that's it, I'm good? :)

If so, thank you very much! I appreciate your help. Is there a place where I can donate?

Blade81
2009-09-01, 10:07
Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



We need to re-hide system files. To do so, please follow the steps below:
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
Put a check by Hide file extensions for known file types.
Under the Hidden files folder, select Show hidden files and folders.
Check Hide protected operating system files.
Click Apply, and then click OK.


Now lets uninstall ComboFix:

Click START then RUN
Now copy and paste Combofix /u into the Run box and click OK.


Next we remove all used tools.

Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the Begin cleanup Process? prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You may delete DDS too.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html).
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left-hand corner of your screen), then click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. In the dropdown box, change the setting from Automatic to Manual. Click OK.

Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a third-party firewall or a NAT router, then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (if you choose Comodo: during installation uncheck "Install Comodo HopSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!). Both providers have support forums that help with configuration-related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:


Is there a place where I can donate?
If you want to make a donation it can be made here (http://www.spybot.info/en/donate/index.html) :)

bighman
2009-09-02, 18:13
I want to thank you once again. The comp is running very smoothly and it's faster. Also noticed that I had 9 GB of space remaining, and after everything I now have 26 GB of space!! Wow, that was a bad infection.

Blade81
2009-09-02, 19:40
You're welcome, and glad to hear that the cleaning process had a positive impact on your system :)

Since this issue appears to be resolved ... this Topic has been closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.