Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: google redirects search results

  1. #1
    Junior Member
    Join Date
    Feb 2010
    Posts
    11

    Default google redirects search results

    google redirects my search results from the website to ad websites whenever i click on it. none of my virus programs detect anything wrong although i'm sure something must be.
    also, whenever i log on i get an error from 'login.exe' and 'system 32'. not sure if that is relevant but still?

    HijackThis File:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:21:21 PM, on 2/24/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG9\avgscanx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071015
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071015
    F2 - REG:system.ini: Shell=Explorer.exe logon.exe
    O2 - BHO: (no name) - {0226F6A4-1CAC-401D-B968-51A499B1DA35} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: GoToAssist - C:\WINDOWS\
    O20 - Winlogon Notify: ljJYPfdE - C:\WINDOWS\
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8018 bytes

    my itunes also does not work because it has detected a problem with my audio configuration, but thats not true because my sound works fine on youtube. ?

    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
    Last edited by tashi; 2010-02-25 at 01:43. Reason: Merged two posts as per forum FAQ, link provided ;-)

  2. #2
    Junior Member
    Join Date
    Feb 2010
    Posts
    11

    Default

    hello? i dont mean to bother but it's been four days. bump

    please help... my computer now has ads that randomly pop up and my AVG constantly shows pop-ups about 'virus detected!' and 'threat blocked'. yet, neither AVG nor spybot find anything.

    hello?!?!? my computer now has something called 'antivirus xp 2010' installed on it?!? can ANYBODY help me please?!?

  3. #3
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,663

    Default

    Hello mashakarp,

    Did you miss the forum FAQS?

    Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count. For that reason we may merge such posts but please do not count on it.

    The same applies to bumping, please don't. In this case topics that are 'bumped' will probably be closed and the user would have to start again. http://forums.spybot.info/showpost.p...68&postcount=6
    Now a new topic: http://forums.spybot.info/showthread.php?t=55914
    Please do not start more than one topic for the same computer, during the same period. It will either be removed, closed or merged with your original thread.
    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

    Starting a new topic will result in your not being able to post at this time to Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days

    Please let us know if you are going to continue with the new topic.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member
    Join Date
    Feb 2010
    Posts
    11

    Default

    ahh you're right... im sorry for bumping, quite honestly i should have looked closer and paid more attention to the faq x.x
    yes, i'd like this topic continued if possible. i apologize for the inconvenience

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,663

    Default

    Hi mashakarp,

    Please post in the The Waiting Room I closed the new topic and merged three of your posts here to make the thread shorter.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  6. #6
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Hi and welcome to the forums here at Spybot S&D. Let's get a little better look at things before we do anything here.

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    ++++++++++++++++++++++

    Download This file. Note its name and save it to your root folder, such as C:\.

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
    • Click on this link to see a list of programs that should be disabled.
    • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
    • Allow the driver to load if asked.
    • You may be prompted to scan immediately if it detects rootkit activity.
    • If you are prompted to scan your system click "Yes" to begin the scan.
    • If not prompted, click the "Rootkit/Malware" tab.
    • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
    • Select all drives that are connected to your system to be scanned.
    • Click the Scan button to begin. (Please be patient as it can take some time to complete)
    • When the scan is finished, click Save to save the scan results to your Desktop.
    • Save the file as Results.log and copy/paste the contents in your next reply.
    • Exit the program and re-enable all active protection when done.

  7. #7
    Junior Member
    Join Date
    Feb 2010
    Posts
    11

    Default

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Masha at 20:18:49.43 on Wed 03/03/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1206 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Masha\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071015
    uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0071015
    mDefault_Page_URL = hxxp://www.dell.com
    mStart Page = hxxp://www.dell.com
    mWinlogon: Shell=Explorer.exe logon.exe
    BHO: {0226F6A4-1CAC-401D-B968-51A499B1DA35} - No File
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [KADxMain] c:\windows\system32\KADxMain.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\masha\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\masha\applic~1\mozilla\firefox\profiles\ouc22a89.default\
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows

    presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-4 206256]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-24 333192]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-24 28424]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-24 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-21 285392]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-4 348752]
    R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-4 1097096]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-6-23 16512]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-4 38496]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

    =============== Created Last 30 ================

    2010-03-02 19:37:17 0 d-----w- c:\program files\Enigma Software Group
    2010-03-02 18:24:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-02-27 23:44:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
    2010-02-27 23:44:38 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2010-02-27 23:44:32 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-02-21 15:53:26 0 d--h--w- C:\$AVG
    2010-02-21 15:53:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2010-02-14 23:10:56 0 d-----w- c:\program files\iPod
    2010-02-13 19:58:46 69736 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-10 04:06:00 0 d-sh--w- C:\found.000

    ==================== Find3M ====================

    2010-03-02 19:53:44 41351 ----a-w- c:\windows\system32\nvModes.dat
    2010-03-01 04:22:13 277784 ----a-w- c:\windows\system32\drivers\iastor.sys
    2010-02-21 15:53:17 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-02-21 15:53:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-02-21 15:53:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
    2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
    2009-12-22 05:21:05 667136 ------w- c:\windows\system32\dllcache\wininet.dll
    2009-12-22 05:21:03 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
    2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2009-12-22 05:21:00 3071488 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-12-22 05:20:58 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
    2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
    2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
    2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

    ============= FINISH: 20:20:14.51 ===============











    ATTACH:

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/8/2007 6:35:17 PM
    System Uptime: 3/3/2010 7:26:21 PM (1 hours ago)

    Motherboard: Dell Inc. | | 0WY040
    Processor: Intel(R) Core(TM)2 Duo CPU T5270 @ 1.40GHz |

    Microprocessor | 1396/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 460 GiB total, 328.213 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 2/10/2010 7:46:01 AM - System Checkpoint
    RP2: 2/10/2010 3:23:32 PM - Software Distribution Service 3.0
    RP3: 2/11/2010 3:02:28 PM - Software Distribution Service 3.0
    RP4: 2/12/2010 3:10:33 PM - System Checkpoint
    RP5: 2/13/2010 3:23:25 PM - System Checkpoint
    RP6: 2/14/2010 5:55:45 PM - System Checkpoint
    RP7: 2/15/2010 7:51:06 PM - System Checkpoint
    RP8: 2/17/2010 3:45:08 PM - System Checkpoint
    RP9: 2/18/2010 4:40:16 PM - System Checkpoint
    RP10: 2/19/2010 9:47:18 PM - System Checkpoint
    RP11: 2/20/2010 10:43:29 PM - System Checkpoint
    RP12: 2/21/2010 9:52:55 AM - Installed AVG Free 9.0
    RP13: 2/22/2010 2:49:20 PM - Avg8 Update
    RP14: 2/24/2010 2:38:20 PM - Software Distribution Service 3.0
    RP15: 2/27/2010 5:44:31 PM - Installed Windows XP Wdf01007.
    RP16: 2/28/2010 10:24:15 PM - System Checkpoint
    RP17: 3/3/2010 8:14:09 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    7-Zip 4.57
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 8.1.2
    Adobe Shockwave Player
    Adobe Stock Photos 1.0
    Advanced Audio FX Engine
    Advanced Video FX Engine
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ASIO4ALL
    Audacity 1.2.6
    Audiosurf
    AutoUpdate
    AVG Free 9.0
    Bee Icons v 4.0.3
    Bonjour
    Broadcom Management Programs
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CCleaner
    Celestia 1.5.1
    Cheat Engine 5.5
    Conexant HDA D330 MDC V.92 Modem
    Dell Support Center (Support Software)
    Dell Touchpad
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    DivX Codec
    DivX Content Uploader
    DivX Player
    DivX Web Player
    EasySleep 3.0
    FormatFactory 2.10
    GunBound Thor's Hammer
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    IntelliSonic Speech Enhancement
    IrfanView (remove only)
    iTunes
    Japanese Fonts Support For Adobe Reader 8
    Java(TM) 6 Update 11
    Laptop Integrated Webcam Driver (1.03.02.0719)
    Last.fm 1.5.4.24567
    LimeWire 4.16.7
    Macromedia Extension Manager
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Macromedia Flash Player 8
    Magic ISO Maker v5.5 (build 0273)
    Malwarebytes' Anti-Malware
    MediaDirect
    Messenger Plus! Live
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Trial
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    Microsoft XML Parser
    MilkDrop for Winamp 2x (remove only)
    ML-1430 Series
    Modem Diagnostic Tool
    Mozilla Firefox (3.5.8)
    Mozilla Thunderbird (2.0.0.14)
    MSVC80_x86
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    neroxml
    NetWaiting
    Nokia Connectivity Cable Driver
    NVIDIA Drivers
    OpenOffice.org 3.1
    OutlookAddinSetup
    Pando Media Booster
    PC Connectivity Solution
    Picasa 3
    Power Tab Editor 1.7
    QuickSet
    QuickTime
    RealPlayer
    Registry Mechanic 8.0
    Samsung ML-2570 Series
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Segoe UI
    Skype™ 3.6
    Sonic Activation Module
    Spheres Of Chaos (remove only)
    Spybot - Search & Destroy
    Spyware Doctor 6.1
    Total Commander (Remove or Repair)
    Tunatic
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Outlook 2007 Junk Email Filter (kb977719)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    VCRedistSetup
    Ventrilo Client
    VideoLAN VLC media player 0.8.6c
    Wave Interference
    WebFldrs XP
    Winamp
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006

    6.00.01.04)
    Windows Installer 3.1 (KB893803)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Mobile® Device Handbook
    WinRAR archiver
    XChat 2 (remove only)
    Xilisoft iPod Video Converter
    ZipZag 1.80 Archiver

    ==== Event Viewer Messages From Past Week ========

    3/2/2010 1:41:29 PM, error: Service Control Manager [7034] - The

    WebClient service terminated unexpectedly. It has done this 1 time(s).
    3/2/2010 1:40:48 PM, error: Service Control Manager [7031] - The Remote

    Procedure Call (RPC) service terminated unexpectedly. It has done this 1

    time(s). The following corrective action will be taken in 60000

    milliseconds: Reboot the machine.
    2/27/2010 6:32:10 PM, error: W32Time [5] - The time provider 'NtpClient'

    returned the following error during shutdown: A device attached to the

    system is not functioning. (0x8007001F)
    2/27/2010 6:32:10 PM, error: W32Time [45] - The time provider NtpServer

    encountered an error and was forced to shut down. The error was:

    0x8007001F
    2/27/2010 6:32:10 PM, error: W32Time [44] - The time provider NtpClient

    encountered an error and was forced to shut down. The error was:

    0x8007001F
    2/27/2010 6:32:10 PM, error: W32Time [21] - The time service is

    configured to use one or more input providers, however, none of the input

    providers are available. The time service has no source of accurate time.
    2/26/2010 8:32:58 PM, error: Print [6161] - The document Air Assault

    Liability Waiver owned by Masha failed to print on printer Samsung

    ML-2570 Series PS. Data type: NT EMF 1.008. Size of the spool file in

    bytes: 4022916. Number of bytes printed: 0. Total number of pages in the

    document: 2. Number of pages printed: 0. Client machine: \\MASHADELL.

    Win32 error code returned by the print processor: 2250 (0x8ca).
    2/26/2010 8:31:45 PM, error: Print [6161] - The document 4925 Merrimac

    Ln N, Plymout... owned by Masha failed to print on printer Samsung

    ML-2570 Series PS. Data type: NT EMF 1.008. Size of the spool file in

    bytes: 4772220. Number of bytes printed: 0. Total number of pages in the

    document: 1. Number of pages printed: 0. Client machine: \\MASHADELL.

    Win32 error code returned by the print processor: 2250 (0x8ca).
    2/24/2010 8:51:12 PM, error: Service Control Manager [7026] - The

    following boot-start or system-start driver(s) failed to load: sptd

    ==== End Of File ===========================

  8. #8
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Nothing too shocking there. Pretty much what I expected. I'll wait for the GMER log before we do anything though.

  9. #9
    Junior Member
    Join Date
    Feb 2010
    Posts
    11

    Default

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-03 21:18:01
    Windows 5.1.2600 Service Pack 3
    Running: vv2d2jso.exe; Driver: C:\DOCUME~1\Masha\LOCALS~1\Temp\uwliqpob.sys


    ---- System - GMER 1.0.15 ----

    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9E32D72]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9E139A6]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9E13B98]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9E33568]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9E33820]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9E31A80]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9E33C8A]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9E33036]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9E13656]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xB9F2E014]
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB964D380, 0x2F18C7, 0xE8000020]
    init C:\WINDOWS\system32\Drivers\OEM02Afx.sys entry point in "init" section [0xB8137310]
    ? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00770001
    .text C:\WINDOWS\system32\svchost.exe[272] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[272] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DE0001
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[376] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[396] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\svchost.exe[396] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F10001
    .text C:\WINDOWS\system32\svchost.exe[396] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[396] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 024D0001
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[416] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[512] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03BE0001
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[512] kernel32.dll!CreateThread + 1B 7C8106F2 3 Bytes CALL 0044ACCE C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[512] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[512] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00940001
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Bonjour\mDNSResponder.exe[560] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00730001
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[788] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\csrss.exe[864] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01570001
    .text C:\WINDOWS\system32\csrss.exe[864] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\csrss.exe[864] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\nvsvc32.exe[876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01200001
    .text C:\WINDOWS\system32\nvsvc32.exe[876] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[876] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\winlogon.exe[896] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\winlogon.exe[896] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01420001
    .text C:\WINDOWS\system32\winlogon.exe[896] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\winlogon.exe[896] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\services.exe[944] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
    .text C:\WINDOWS\system32\services.exe[944] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\services.exe[944] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtClose

  10. #10
    Junior Member
    Join Date
    Feb 2010
    Posts
    11

    Default

    7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\lsass.exe[956] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\lsass.exe[956] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01340001
    .text C:\WINDOWS\system32\lsass.exe[956] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\lsass.exe[956] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 007F0001
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\Explorer.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
    .text C:\WINDOWS\Explorer.exe[1148] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AF000A
    .text C:\WINDOWS\Explorer.exe[1148] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
    .text C:\WINDOWS\Explorer.exe[1148] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F2F0F5A
    .text C:\WINDOWS\Explorer.exe[1148] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2B0F5A
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F80001
    .text C:\WINDOWS\system32\svchost.exe[1228] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[1228] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
    .text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
    .text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
    .text C:\WINDOWS\System32\svchost.exe[1268] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F2F0F5A
    .text C:\WINDOWS\System32\svchost.exe[1268] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0176000A
    .text C:\WINDOWS\System32\svchost.exe[1268] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2B0F5A
    .text C:\WINDOWS\System32\svchost.exe[1268] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0175000A
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00770001
    .text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 018F0001
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1340] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00740001
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1372] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 026D0001
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1440] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 007E0001
    .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01510001
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[1488] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
    .text C:\WINDOWS\system32\svchost.exe[1516] ntdll.dll!NtClose

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •