
Thread: Trojan/Rustok-N Removal?

  1. #1
    Junior Member (Join Date: Aug 2009, Posts: 20)

    Trojan/Rustok-N Removal?

    Wow. I have this damn thing in my computer and Malware and Spybot and my AntiVirus programs will not work. Can someone please help me? I searched and have the following to post. I did download the DDS and Gmer to my desktop and await any help. Here is the DDS txt:

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by harry at 9:21:05.20 on Mon 08/24/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1513 [GMT -6:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    D:\WINDOWS\system32\svchost -k DcomLaunch
    D:\WINDOWS\system32\svchost -k rpcss
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    D:\WINDOWS\system32\svchost.exe -k NetworkService
    D:\WINDOWS\system32\svchost.exe -k LocalService
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir Desktop\sched.exe
    D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    D:\Program Files\Spyware Doctor\pctsAuxs.exe
    D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    D:\WINDOWS\system32\igfxpers.exe
    D:\WINDOWS\system32\WDBtnMgr.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    D:\Program Files\Spyware Doctor\pctsTray.exe
    D:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
    D:\WINDOWS\System32\alg.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    D:\Program Files\Spyware Doctor\pctsSvc.exe
    D:\Program Files\SpyNoMore\SNM.exe
    D:\WINDOWS\system32\msdesk.exe
    D:\WINDOWS\msgdop.exe
    D:\WINDOWS\system32\SNDVOL32.EXE
    D:\Program Files\internet explorer\iexplore.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\harry\Desktop\dds.com
    D:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://mail.google.com/mail/?ui=1
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\vstplu~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
    uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
    mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [EOUApp] "d:\program files\intel\wireless\bin\EOUWiz.exe"
    mRun: [igfxtray] d:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
    mRun: [igfxpers] d:\windows\system32\igfxpers.exe
    mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
    mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
    mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
    mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
    mRun: [SNM] d:\program files\spynomore\SNM.exe /startup
    mRun: [MS Desktop] d:\windows\system32\msdesk.exe
    mExplorerRun: [Lsass Service] d:\documents and settings\harry\application data\microsoft\windows\lsass.exe
    StartupFolder: d:\docume~1\harry\startm~1\programs\startup\datewi~1.lnk - d:\program files\bizware magic datewise\DATEwise3.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\vstplu~1\spybot~1\SDHelper.dll
    Trusted Zone: beatport.com\www
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553525000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 85.255.112.26,85.255.112.73
    TCP: {66A5B27F-5CAD-4B1B-BECE-F550FD5CE025} = 85.255.112.26,85.255.112.73
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    ================= FIREFOX ===================

    FF - ProfilePath - d:\docume~1\harry\applic~1\mozilla\firefox\profiles\a525am3d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
    FF - HiddenExtension: Internal security: No Registry Reference - d:\program files\mozilla firefox\extensions\{4A0EE8BE-5C35-43C0-B5F9-897371B13595}

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2009-8-24 130936]
    R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-8-17 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-8-17 108289]
    R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-8-17 185089]
    R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2009-8-17 55656]
    R2 EpmPsd;Acer EPM Power Scheme Driver;d:\windows\system32\drivers\epm-psd.sys [2007-4-14 4096]
    R2 EpmShd;Acer EPM System Hardware Driver;d:\windows\system32\drivers\epm-shd.sys [2007-4-14 78208]
    R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-8-24 348752]
    R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-8-24 1097096]
    S3 a8djavs;a8djavs;d:\windows\system32\drivers\a8djavs.sys [2009-4-17 25600]
    S3 a8djusb;a8djusb;d:\windows\system32\drivers\a8djusb.sys [2009-4-17 85504]
    S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-4-7 1684736]
    S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\drivers\lv321av.sys --> d:\windows\system32\drivers\lv321av.sys [?]
    S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [2007-4-14 16512]
    S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\drivers\mausbcv.sys --> d:\windows\system32\drivers\mausbcv.sys [?]

    ============== File Associations ===============

    regfile=regedit.exe "%1" %*
    scrfile="%1" %*

    =============== Created Last 30 ================

    2009-08-24 03:50 30,208 a------- d:\windows\system32\msdesk.exe
    2009-08-24 03:50 30,208 a------- d:\windows\msgdop.exe
    2009-08-24 03:27 1,152 a------- d:\windows\system32\windrv.sys
    2009-08-24 03:27 <DIR> --d----- d:\program files\SpyNoMore
    2009-08-24 03:16 34,296 a------- d:\windows\system32\drivers\mbamcatchme.sys
    2009-08-24 03:16 17,144 a------- d:\windows\system32\drivers\mbam.sys
    2009-08-24 03:16 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
    2009-08-24 03:10 159,600 a------- d:\windows\system32\drivers\pctgntdi.sys
    2009-08-24 03:10 130,936 a------- d:\windows\system32\drivers\PCTCore.sys
    2009-08-24 03:10 73,840 a------- d:\windows\system32\drivers\PCTAppEvent.sys
    2009-08-24 03:09 64,392 a------- d:\windows\system32\drivers\pctplsg.sys
    2009-08-24 03:09 <DIR> --d----- d:\program files\Spyware Doctor
    2009-08-24 03:09 <DIR> --d----- d:\docume~1\harry\applic~1\PC Tools
    2009-08-24 03:09 <DIR> --d----- d:\docume~1\alluse~1\applic~1\PC Tools
    2009-08-24 03:06 <DIR> --d----- d:\docume~1\harry\applic~1\GetRightToGo
    2009-08-17 12:07 55,656 a------- d:\windows\system32\drivers\avgntflt.sys
    2009-08-17 12:07 <DIR> --d----- d:\program files\Avira
    2009-08-17 12:07 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avira
    2009-08-11 00:25 <DIR> --d----- d:\program files\common files\Windows Live

    ==================== Find3M ====================

    2007-10-13 13:58 167 ac------ d:\documents and settings\harry\udownload.dat
    2004-02-04 20:53 24,070,405 a------- d:\documents and settings\harry\nero6303.exe
    2004-01-31 20:54 331,776 ac------ d:\windows\inf\pdfinst2.exe

    ============= FINISH: 9:21:27.45 ===============

  2. #2
    Junior Member (Join Date: Aug 2009, Posts: 20)

    Here is the HJT info:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:14:03, on 8/24/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir Desktop\sched.exe
    D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    D:\Program Files\Spyware Doctor\pctsAuxs.exe
    D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    D:\WINDOWS\system32\hkcmd.exe
    D:\WINDOWS\system32\igfxpers.exe
    D:\WINDOWS\system32\WDBtnMgr.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    D:\Program Files\Spyware Doctor\pctsTray.exe
    D:\Program Files\SpyNoMore\SNM.exe
    D:\WINDOWS\system32\msdesk.exe
    D:\WINDOWS\msgdop.exe
    D:\WINDOWS\system32\svchost.exe
    D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\System32\alg.exe
    D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    D:\Program Files\Spyware Doctor\pctsSvc.exe
    D:\Documents and Settings\harry\My Documents\Downloads\Applications\This.exe
    D:\Program Files\internet explorer\iexplore.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\notepad.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?ui=1
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] "D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
    O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [ISUSPM] "D:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [SNM] D:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [MS Desktop] D:\WINDOWS\system32\msdesk.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} (Java Plug-in 1.4.2_15) -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66A5B27F-5CAD-4B1B-BECE-F550FD5CE025}: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxdev.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - D:\Program Files\Java\jre6\bin\jqs.exe" -service -config "D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
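The DDS "Pseudo HJT Report" in post #1 and the HijackThis log above record the same three things a helper reads first: what autoruns, from where, and which DNS resolvers the TCP/IP stack is hardcoded to use. The following is an added example, not code from the forum, from HijackThis or from DDS: a small triage script that parses both formats (HijackThis `O4`/`O17` lines and DDS `mRun`/`uRun`/`mExplorerRun`/`TCP:` lines, which goes beyond what either tool does on its own) and flags three review-worthy patterns: an autorun image in a user-writable location, an image named like a core Windows process but not living under `system32`, and resolvers set to public addresses. The sample lines are copied from this thread's logs except the last, a constructed control line; the heuristics, thresholds and names such as `triage`, `check_autorun` and `is_public_ip` are this example's own assumptions.

```python
"""Triage HijackThis (O4/O17) and DDS (mRun/uRun/mExplorerRun, TCP:) log lines.

Added example for this thread, not code from the forum, HijackThis or DDS.
The heuristics and function names are this example's own assumptions; the
sample lines are copied from the thread's logs except the last, which is a
constructed control line.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Images Windows runs from %SystemRoot%\system32; a same-named copy elsewhere merits review.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                        "winlogon.exe", "services.exe"}
# Path fragments (long and 8.3 forms) that mean "writable by the logged-on user".
USER_WRITABLE = ("documents and settings", "docume~1", "application data",
                 "applic~1", "local settings", "locals~1", "\\temp\\")

# Autorun lines: HijackThis 'O4 - HKLM\..\Run: [name] cmd' and DDS 'mRun: [name] cmd'.
HJT_RUN = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DDS_RUN = re.compile(r"^(?P<key>[mu](?:Explorer)?Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Resolver lines: HijackThis 'O17 - key: NameServer = a,b' and DDS 'TCP: key = a,b'.
HJT_DNS = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>[\d.,]+)$")
DDS_DNS = re.compile(r"^TCP: (?P<key>.+?) = (?P<servers>[\d.,]+)$")
# First executable token of a command line, quoted or bare.
EXE_PATH = re.compile(r'"?(?P<path>[^"]*?\.(?:exe|com|scr|dll))\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the log lines handed to triage()
    kind: str      # "autorun" or "dns"
    detail: str


def is_public_ip(addr: str) -> bool:
    """True for a routable address (not RFC 1918, loopback, link-local or unspecified)."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def check_autorun(cmd: str) -> list[str]:
    """Return the review reasons for one autorun command line (empty list if none)."""
    m = EXE_PATH.match(cmd)
    if not m:
        return []
    path = m.group("path").lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in path:
        reasons.append("unqualified image name, resolved through the search path")
    elif any(marker in path for marker in USER_WRITABLE):
        reasons.append("autorun image lives in a user-writable location")
    if name in SYSTEM_PROCESS_NAMES and "\\system32\\" not in path:
        reasons.append(f"{name} is a core Windows image name but is not under system32")
    return reasons


def triage(lines: list[str]) -> list[Finding]:
    """Scan log lines in either format and collect findings in line order."""
    findings: list[Finding] = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        m = HJT_RUN.match(line) or DDS_RUN.match(line)
        if m:
            for reason in check_autorun(m.group("cmd")):
                findings.append(Finding(no, "autorun", f"[{m.group('name')}] {reason}"))
            continue
        m = HJT_DNS.match(line) or DDS_DNS.match(line)
        if m:
            public = [s for s in m.group("servers").split(",") if is_public_ip(s)]
            if public:
                findings.append(Finding(no, "dns", f"{m.group('key')} hardcodes public "
                                        f"resolver(s) {', '.join(public)}; confirm they are the ISP's"))
    return findings


# Lines copied from the thread's HijackThis log (post #2) and DDS report (post #1),
# plus one constructed control line with a private resolver that must not be flagged.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"',
    r'O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe',
    r'O4 - HKLM\..\Run: [MS Desktop] D:\WINDOWS\system32\msdesk.exe',
    r'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73',
    r'mExplorerRun: [Lsass Service] d:\documents and settings\harry\application data\microsoft\windows\lsass.exe',
    r'uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe',
    r'TCP: NameServer = 85.255.112.26,85.255.112.73',
    r'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1',  # constructed control
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2}  {f.kind:<8} {f.detail}")
```

Run against the sample, the script flags the `WDBtnMgr.exe` entry (bare name, no path), both public-resolver lines, and the `[Lsass Service]` entry twice (user-profile location, and a core process name outside `system32`). Note what it does not flag: `msdesk.exe` sits under `system32` and so passes every heuristic, which is exactly why a helper still checks file age and signer for each entry; these rules narrow the review, they do not clear an entry.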

  3. #3
    Junior Member (Join Date: Aug 2009, Posts: 20)

    and hijack:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:14:03, on 8/24/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir Desktop\sched.exe
    D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    D:\Program Files\Spyware Doctor\pctsAuxs.exe
    D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    D:\WINDOWS\system32\hkcmd.exe
    D:\WINDOWS\system32\igfxpers.exe
    D:\WINDOWS\system32\WDBtnMgr.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    D:\Program Files\Spyware Doctor\pctsTray.exe
    D:\Program Files\SpyNoMore\SNM.exe
    D:\WINDOWS\system32\msdesk.exe
    D:\WINDOWS\msgdop.exe
    D:\WINDOWS\system32\svchost.exe
    D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\System32\alg.exe
    D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    D:\Program Files\Spyware Doctor\pctsSvc.exe
    D:\Documents and Settings\harry\My Documents\Downloads\Applications\This.exe
    D:\Program Files\internet explorer\iexplore.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\WINDOWS\system32\notepad.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?ui=1
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] "D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
    O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [ISUSPM] "D:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [SNM] D:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [MS Desktop] D:\WINDOWS\system32\msdesk.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\VSTPLU~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} (Java Plug-in 1.4.2_15) -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66A5B27F-5CAD-4B1B-BECE-F550FD5CE025}: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxdev.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - D:\Program Files\Java\jre6\bin\jqs.exe" -service -config "D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

  4. #4
    Junior Member (Join Date: Aug 2009, Posts: 20)

    whoops double post
    ================

    Admin edit:


    FYI for future reference: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance).
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count.

  5. #5
    Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  6. #6
    Junior Member (Join Date: Aug 2009, Posts: 20)

    Thanks for the info... I changed my passwords on another comp. Please help me clean it, thanks.

  7. #7
    Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    OK, please run the DDS that you seem to have there and post back both of its reports.

    Also, download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When the scan is finished, click Copy.
    • This copies the log to the clipboard.
    • Post the log in your reply.

  8. #8
    Junior Member (Join Date: Aug 2009, Posts: 20)

    DDS

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by harry at 2:15:00.89 on Sat 08/29/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1512 [GMT -6:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    D:\WINDOWS\system32\svchost -k DcomLaunch
    D:\WINDOWS\system32\svchost -k rpcss
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    D:\WINDOWS\system32\svchost.exe -k NetworkService
    D:\WINDOWS\system32\svchost.exe -k LocalService
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir Desktop\sched.exe
    D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    D:\Program Files\Spyware Doctor\pctsAuxs.exe
    D:\Program Files\Spyware Doctor\pctsSvc.exe
    D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    D:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    D:\WINDOWS\system32\igfxpers.exe
    D:\WINDOWS\system32\WDBtnMgr.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\Program Files\Spyware Doctor\pctsTray.exe
    D:\DOCUME~1\harry\LOCALS~1\Temp\RtkBtMnt.exe
    D:\WINDOWS\System32\alg.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    D:\WINDOWS\System32\svchost.exe -k HTTPFilter
    D:\Program Files\internet explorer\iexplore.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\harry\Desktop\dds.com
    D:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://mail.google.com/mail/?ui=1
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
    uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
    uRun: [braviax] d:\windows\system32\braviax.exe
    mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [EOUApp] "d:\program files\intel\wireless\bin\EOUWiz.exe"
    mRun: [igfxtray] d:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] d:\windows\system32\hkcmd.exe
    mRun: [igfxpers] d:\windows\system32\igfxpers.exe
    mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
    mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
    mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [NeroFilterCheck] d:\windows\system32\NeroCheck.exe
    mRun: [SNM] d:\program files\spynomore\SNM.exe /startup
    mRun: [MS Desktop] d:\windows\system32\msdesk.exe
    mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
    mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
    mRun: [braviax] d:\windows\system32\braviax.exe
    mExplorerRun: [Lsass Service] d:\documents and settings\harry\application data\microsoft\windows\lsass.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    Trusted Zone: beatport.com\www
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553525000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 85.255.112.26,85.255.112.73
    TCP: {66A5B27F-5CAD-4B1B-BECE-F550FD5CE025} = 85.255.112.26,85.255.112.73
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    ============= SERVICES / DRIVERS ===============

    R0 IKFileSec;File Security Driver;d:\windows\system32\drivers\ikfilesec.sys [2009-8-26 42376]
    R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-8-25 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-8-25 108289]
    R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-8-25 185089]
    R2 avgntflt;avgntflt;d:\windows\system32\drivers\avgntflt.sys [2009-8-17 55656]
    R2 EpmPsd;Acer EPM Power Scheme Driver;d:\windows\system32\drivers\epm-psd.sys [2007-4-14 4096]
    R2 EpmShd;Acer EPM System Hardware Driver;d:\windows\system32\drivers\epm-shd.sys [2007-4-14 78208]
    R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-8-26 356920]
    R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-8-26 1072008]
    S1 IKSysFlt;System Filter Driver;d:\windows\system32\drivers\iksysflt.sys [2009-8-26 66952]
    S1 IKSysSec;System Security Driver;d:\windows\system32\drivers\iksyssec.sys [2009-8-26 81288]
    S3 a8djavs;a8djavs;d:\windows\system32\drivers\a8djavs.sys [2009-4-17 25600]
    S3 a8djusb;a8djusb;d:\windows\system32\drivers\a8djusb.sys [2009-4-17 85504]
    S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2009-4-7 1684736]
    S3 lv321av;Logitech USB PC Camera (VC0321);d:\windows\system32\drivers\lv321av.sys --> d:\windows\system32\drivers\lv321av.sys [?]
    S3 MADFU;MADFU;d:\windows\system32\drivers\MADFU.sys [2007-4-14 16512]
    S3 MAUSBML;Service for M-Audio Conectiv (WDM);d:\windows\system32\drivers\mausbcv.sys --> d:\windows\system32\drivers\mausbcv.sys [?]

    ============== File Associations ===============

    regfile=regedit.exe "%1" %*
    scrfile="%1" %*

    =============== Created Last 30 ================

    2009-08-28 14:37 58,880 a------- d:\documents and settings\harry\file.exe
    2009-08-28 14:37 11,264 a------- d:\windows\system32\braviax.VIR
    2009-08-26 11:20 81,288 a------- d:\windows\system32\drivers\iksyssec.sys
    2009-08-26 11:20 66,952 a------- d:\windows\system32\drivers\iksysflt.sys
    2009-08-26 11:20 42,376 a------- d:\windows\system32\drivers\ikfilesec.sys
    2009-08-26 11:20 29,576 a------- d:\windows\system32\drivers\kcom.sys
    2009-08-26 11:20 <DIR> --d----- d:\program files\Spyware Doctor
    2009-08-26 11:20 <DIR> --d----- d:\docume~1\harry\applic~1\PC Tools
    2009-08-25 10:27 34,296 a------- d:\windows\system32\drivers\mbamcatchme.sys
    2009-08-25 10:27 17,144 a------- d:\windows\system32\drivers\mbam.sys
    2009-08-25 10:27 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
    2009-08-25 03:47 <DIR> --d----- d:\program files\Avira
    2009-08-25 03:47 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avira
    2009-08-25 01:59 <DIR> --d----- d:\program files\fluffy
    2009-08-24 03:27 1,152 a------- d:\windows\system32\windrv.sys
    2009-08-24 03:06 <DIR> --d----- d:\docume~1\harry\applic~1\GetRightToGo
    2009-08-17 12:07 55,656 a------- d:\windows\system32\drivers\avgntflt.sys
    2009-08-11 00:25 <DIR> --d----- d:\program files\common files\Windows Live

    ==================== Find3M ====================

    2009-07-25 05:23 411,368 a------- d:\windows\system32\deploytk.dll
    2007-10-13 13:58 167 ac------ d:\documents and settings\harry\udownload.dat
    2004-02-04 20:53 24,070,405 a------- d:\documents and settings\harry\nero6303.exe
    2004-01-31 20:54 331,776 ac------ d:\windows\inf\pdfinst2.exe

    ============= FINISH: 2:15:28.54 ===============

    Gmer log will be next, got to scan first.

  9. #9
    Junior Member
    Join Date
    Aug 2009
    Posts
    20

    Default

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-08-29 03:46:30
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.15 ----

    SSDT BAFD8D76 ZwCreateKey
    SSDT BAFD8D6C ZwCreateThread
    SSDT BAFD8D7B ZwDeleteKey
    SSDT BAFD8D85 ZwDeleteValueKey
    SSDT BAFD8D8A ZwLoadKey
    SSDT BAFD8D58 ZwOpenProcess
    SSDT BAFD8D5D ZwOpenThread
    SSDT BAFD8D94 ZwReplaceKey
    SSDT BAFD8D8F ZwRestoreKey
    SSDT BAFD8D80 ZwSetValueKey
    SSDT BAFD8D67 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    ? D:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\RTHDCPL.EXE[148] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\WINDOWS\RTHDCPL.EXE[148] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 04580001
    .text D:\WINDOWS\RTHDCPL.EXE[148] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\WINDOWS\RTHDCPL.EXE[148] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008F0001
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\Program Files\Java\jre6\bin\jusched.exe[236] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C90001
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[408] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[484] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01990001
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01390001
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\Program Files\Java\jre6\bin\jqs.exe[652] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\csrss.exe[660] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\WINDOWS\system32\csrss.exe[660] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01430001
    .text D:\WINDOWS\system32\csrss.exe[660] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\WINDOWS\system32\csrss.exe[660] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\WINDOWS\system32\winlogon.exe[684] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01390001
    .text D:\WINDOWS\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\WINDOWS\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A

  10. #10
    Junior Member
    Join Date
    Aug 2009
    Posts
    20


    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\WINDOWS\system32\services.exe[728] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00960001
    .text D:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\WINDOWS\system32\lsass.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E10001
    .text D:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B90001
    .text D:\WINDOWS\system32\svchost.exe[880] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\WINDOWS\system32\svchost.exe[880] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B30001
    .text D:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00D70001
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
    .text D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[972] USER32.dll!SetWindowsHookExA
