
First Post Here (HJT)


This topic is locked
23 replies to this topic

#1 bolterdog


Posted 02 February 2009 - 08:39 PM

Have been working with boopme in the "Am I Infected" forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/199844/first-post-here/ ~ OB Now will paste a HJT log and see where this takes us. Lots of history but I will just start with the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:55 PM, on 2/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\csrss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\EPSON\epcrmon\epcrmon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS.1\system32\tbctray.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS.1\System32\GEARSec.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS.1\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.1\System32\alg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS.1\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [epcrmon] C:\Program Files\EPSON\epcrmon\epcrmon.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS.1\system32\tbctray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /M "Stylus CX5400" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1078081533-287218729-1801674531-1003\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /M "Stylus CX5400" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-1078081533-287218729-1801674531-1003\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU" (User '?')
O4 - HKUS\S-1-5-21-1078081533-287218729-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe (User '?')
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS.1\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.datelstore.com/
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1219858343187
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS.1\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS.1\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS.1\system32\msiexec.exe/V (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 10504 bytes

Let me know what you find. Thanks.

Edited by Orange Blossom, 02 February 2009 - 09:04 PM.
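As an added example (not from this thread, not HijackThis code), the following Python script reads an HJT log of the kind posted above, counts entries per section and groups the lines a malware responder checks first: dangling "(file missing)"/"(no file)" references, services with "Unknown owner", IERESET.INF overrides, Trusted Zone sites and the hosts that O16 (DPF/ActiveX) entries download from. The sample log is constructed from a few lines of the post; the grouping is triage for review, not a verdict on any entry.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example; not part of the original thread or of HijackThis itself.
The SAMPLE_LOG below is constructed from a handful of lines in the post."""
import re
from collections import Counter
from urllib.parse import urlparse

# Meaning of the HJT section codes that occur in the posted log.
SECTIONS = {
    "R0": "IE start/search page (registry)",
    "R1": "IE default page / search URL (registry)",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart entry (Run keys / Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE extra button / Tools menu item",
    "O14": "IERESET.INF default override",
    "O15": "IE Trusted Zone site",
    "O16": "Downloaded Program Files (ActiveX)",
    "O18": "Extra protocol handler",
    "O23": "Windows service",
}

# Every HJT entry line starts with its section code followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Constructed sample, modelled on lines from the HJT log posted above.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS.1\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://phoenix.cox.net/cci/home
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar3.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.datelstore.com/
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\\WINDOWS.1\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_state.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
--
End of file - 10504 bytes
"""


def parse_hjt(text):
    """Return one dict per HJT entry line; header, process list and footer are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            code, body = m.groups()
            entries.append({"code": code, "kind": SECTIONS.get(code, "other"), "body": body})
    return entries


def section_counts(entries):
    """How many entries each section contributed (a quick size-of-log overview)."""
    return Counter(e["code"] for e in entries)


def review(entries):
    """Group entries by the reason a reviewer looks at them first.

    This is triage only: it says what to inspect, not that anything is malicious."""
    findings = {"dangling": [], "unknown_owner": [], "ie_defaults": [],
                "trusted_zone": [], "activex_download": []}
    for e in entries:
        body = e["body"]
        if "(file missing)" in body or "(no file)" in body:
            findings["dangling"].append(e)          # reference to a binary that is gone
        if e["code"] == "O23" and "Unknown owner" in body:
            findings["unknown_owner"].append(e)     # service without a publisher string
        if e["code"] == "O14":
            findings["ie_defaults"].append(e)       # IE "reset" defaults were overridden
        if e["code"] == "O15":
            findings["trusted_zone"].append(e)      # site granted relaxed IE security
        if e["code"] == "O16":
            findings["activex_download"].append(e)  # ActiveX package fetched from the web
    return findings


def download_hosts(entries):
    """Hosts that O16 entries fetched from; truncated entries with no URL are skipped."""
    hosts = []
    for e in entries:
        if e["code"] != "O16":
            continue
        url = e["body"].rsplit(" - ", 1)[-1].strip()
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(dict(section_counts(found)))
    for reason, items in review(found).items():
        for item in items:
            print(f"[{reason}] {item['code']} - {item['body']}")
    print("O16 download hosts:", download_hosts(found))
```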




#2 Billy O'Neal

  • Malware Response Team

Posted 08 February 2009 - 03:12 PM

Hello, bolterdog
:thumbup2: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

We need to repair some of windows' internal registration settings
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (Looks like this: Posted Image)
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
    Posted Image
  • When the window looks like this, press the GO button in the bottom of the window.
    Posted Image
  • Exit/Close Dial-A-Fix
In your next reply, please include the following:
  • ESET OnlineScan's Log


Please also let me know if SAS still can't update after Dial A Fix.
BillyIII

Edited by Billy O'Neal, 08 February 2009 - 03:12 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 bolterdog


Posted 08 February 2009 - 06:56 PM

Thanks Billy! Letting you know I am starting! Will respond as soon as I'm able.

#4 bolterdog


Posted 08 February 2009 - 11:59 PM

Went to ESET, installed and started running, went about 8 minutes, 18229 files and stalled - no response for 10 minutes. Unable to close browser window or click on any item. Had found 6 threats at time of hard reboot with button on front of computer (Ctrl-Alt-Del did nothing). Restarted and tried ESET again would only go as far as the update screen and stopped with Update Error 108. Tried 3 times, all the same result. Ran Dial-A-fix and tried ESET again, same error. After Dial-A-Fix ran I was able to install and run SAS (see log below). After SAS reboot tried ESET again, same update error. So for now here is the SAS log. I will wait to try to install Adobe Reader until I hear back. Have been unable to install anything but don't want to try or make any changes as per the rules laid out here. Not sure if my issue is current malware, the results of malware that has been cleaned, or some other XP system issue. Good luck and thanks!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/08/2009 at 06:49 PM

Application Version : 4.25.1012

Core Rules Database Version : 3746
Trace Rules Database Version: 1714

Scan type : Complete Scan
Total Scan Time : 00:50:25

Memory items scanned : 518
Memory threats detected : 0
Registry items scanned : 7451
Registry threats detected : 0
File items scanned : 23141
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@coxhsi.112.2o7[1].txt
C:\Documents and Settings\Melody\Cookies\melody@interclick[2].txt
C:\Documents and Settings\Melody\Cookies\melody@a1.interclick[1].txt
C:\Documents and Settings\Melody\Cookies\melody@tacoda[2].txt

#5 Billy O'Neal

  • Malware Response Team

Posted 10 February 2009 - 06:03 PM

Hello, bolterdog
After running the OTMI3 script, the eset error should go away.

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    C:\Program Files\EsetOnlineScanner
    :commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • OTMoveIt3's Log
  • GMER's Log
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 bolterdog


Posted 11 February 2009 - 12:19 AM

First off, thanks so much for your time, I really appreciate your help. I was able to follow all your instructions successfully. Looking forward to continuing the process. Here are the logs:

OTMoveIt
========== FILES ==========
C:\Program Files\EsetOnlineScanner\nup moved successfully.
C:\Program Files\EsetOnlineScanner moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5C4.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5D9.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E28NON4T\control[4].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS.1\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS.1\temp\Perflib_Perfdata_64c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02102009_181720

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5C4.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5D9.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E28NON4T\control[4].htm not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS.1\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS.1\temp\Perflib_Perfdata_64c.dat moved successfully.

GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-10 18:56:36
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEF4E8576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEF4E8432]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xEF916794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xEF916F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xEF91A1F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEF4E8910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEF4E800A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEF4E850C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEF4E7F4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEF4E7FAE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEF4E862C]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xEF91B12A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEF4E85EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEF4E876C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEF6E1F20]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xEF915384]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS.1\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, C0, 84 ]
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Executive Software\DiskeeperLite\DKService.exe[704] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2F, 84 ]
.text C:\WINDOWS.1\System32\GEARSec.exe[756] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\System32\GEARSec.exe[756] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\csrss.exe[800] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\csrss.exe[800] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, B2, 84 ]
.text C:\WINDOWS.1\system32\csrss.exe[800] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\csrss.exe[800] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, B4, 84 ]
.text C:\WINDOWS.1\system32\winlogon.exe[824] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\winlogon.exe[824] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\services.exe[868] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\services.exe[868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 6B, 84 ]
.text C:\WINDOWS.1\system32\services.exe[868] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\services.exe[868] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\lsass.exe[880] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\lsass.exe[880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 65, 84 ]
.text C:\WINDOWS.1\system32\lsass.exe[880] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\lsass.exe[880] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 55, 84 ]
.text C:\WINDOWS.1\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 63, 84 ]
.text C:\WINDOWS.1\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, F2, 83 ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1184] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, EB, 85 ]
.text C:\WINDOWS.1\System32\svchost.exe[1196] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\System32\svchost.exe[1196] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1252] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes [ 23, A1, C3, 83 ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BC, 83 ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1280] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE[3396] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE[3396] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE[3396] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 33, 84 ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\EPSON\epcrmon\epcrmon.exe[3404] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 19, 85 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3420] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3420] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes [ 37, A1, C3, 83 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3420] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3420] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2E, 84 ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[3456] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 39, 84 ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS.1\system32\tbctray.exe[3552] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\tbctray.exe[3552] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2F, 84 ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS.1\system32\ctfmon.exe[3616] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 69, 88 ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3636] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 10, 84 ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe[3648] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtClose 7C90CFD0 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [ 2C, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtCreateFile 7C90D090 1 Byte [ FF ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtCreateFile + 2 7C90D092 1 Byte [ 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [ 17, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [ 05, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [ 23, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [ 0B, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [ 11, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [ 14, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [ 20, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [ 0E, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 26, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [ 1A, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [ 1D, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [ 29, 5F ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BB, 83 ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[3772] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS.1\system32\services.exe[868] @ C:\WINDOWS.1\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS.1\system32\services.exe[868] @ C:\WINDOWS.1\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\ws2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[3016] @ C:\WINDOWS.1\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 833B4F3C

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\UDFReadr \Device\UdfReadr 830C57A4

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Cdrom \Device\CdRom0 82F6CF00
Device \FileSystem\Rdbss \Device\FsWrap 8308BE54
Device \FileSystem\DVDVRRdr_xp \Device\DVDVRRdr 8316C01C
Device \Driver\atapi \Device\Ide\IdePort0 82FF79D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82FF79D8
Device \Driver\atapi \Device\Ide\IdePort1 82FF79D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82FF79D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 82FF79D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 82FF79D8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Cdrom \Device\CdRom1 82F6CF00
Device \FileSystem\Srv \Device\LanmanServer 830E88B4

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 830AB0C4
Device \FileSystem\MRxSmb \Device\LanmanRedirector 830AB0C4
Device \FileSystem\Npfs \Device\NamedPipe 82F5D6BC
Device \FileSystem\Msfs \Device\Mailslot 8310EAC4
Device \FileSystem\cdudf_xp \Device\CdUdf_XP 831421E4
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 830D4A5C
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 830D4A5C
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 830D4A5C
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 830D4A5C
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 830D4A5C
Device \FileSystem\Cdfs \Cdfs 832CBEDC

---- Modules - GMER 1.0.14 ----

Module _________ F85FD000-F8615000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.14 ----

ESET

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3844 (20090211)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=258328788e01d24b989b366b3415a463
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-11 05:03:55
# local_time=2009-02-10 10:03:55 (-0700, US Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=487460
# found=5
# scan_time=10980
G:\ejikxx.chm multiple infiltrations (deleted) 00000000000000000000000000000000
G:\ejikxx.chm »CHM »/on-line.exe Win32/Dialer.CE trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
G:\ejikxx.chm »CHM »/1.htm Exploit/CodeBase trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
G:\ejikxx.chm »CHM »/htm2chm_explorer Exploit/CodeBase trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
G:\Program Files\LimeWire\Shared\Rare Recording.wma WMA/TrojanDownloader.Wimad.K trojan (unable to clean - deleted) 00000000000000000000000000000000
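The ESET report above lists five hits, three of them flagged with cleaning errors even though the log ends with found=5 and all of them gone. The script below is an added example for this thread (not ESET's code and not anything the posters ran) that parses a log of this shape and answers the triage question a helper actually asks: which hits still need action? It assumes, as the v4 online scanner writes them, that header lines are `# key=value`, that each detection line has three tab-separated fields (object path, "threat name (status)", hash), and that archive members are written as `container »TYPE »member`. The forum copy collapsed the tabs to spaces, so the constructed sample restores them from the lines above.

```python
"""Triage an ESET Online Scanner (v4-era) text log: which hits still need action?

Added example, not ESET's code. Assumed format: "# key=value" header lines;
detection lines as three tab-separated fields: path, "threat (status)", hash;
archive members written as "container »TYPE »member".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^#\s*([A-Za-z_]+)=(.*)$")
# "Win32/Dialer.CE trojan (error while cleaning - ...)" -> threat name, status
THREAT_RE = re.compile(r"^(?P<threat>.+?)\s*\((?P<status>[^()]*)\)\s*$")

# Constructed sample modelled on the log in the post above, tabs restored.
NULL_HASH = "0" * 32
CHM_ERR = ("error while cleaning - operation unavailable for this type of object - "
           "error while deleting - operation unavailable for this type of object - "
           "was a part of the deleted object")
SAMPLE_LOG = "\n".join([
    "# version=4",
    "# osver=5.1.2600 NT Service Pack 3",
    "# scanned=487460",
    "# found=5",
    "# scan_time=10980",
    f"G:\\ejikxx.chm\tmultiple infiltrations (deleted)\t{NULL_HASH}",
    f"G:\\ejikxx.chm »CHM »/on-line.exe\tWin32/Dialer.CE trojan ({CHM_ERR})\t{NULL_HASH}",
    f"G:\\ejikxx.chm »CHM »/1.htm\tExploit/CodeBase trojan ({CHM_ERR})\t{NULL_HASH}",
    f"G:\\ejikxx.chm »CHM »/htm2chm_explorer\tExploit/CodeBase trojan ({CHM_ERR})\t{NULL_HASH}",
    f"G:\\Program Files\\LimeWire\\Shared\\Rare Recording.wma\t"
    f"WMA/TrojanDownloader.Wimad.K trojan (unable to clean - deleted)\t{NULL_HASH}",
])


@dataclass
class Detection:
    path: str
    threat: str
    status: str
    digest: str

    @property
    def container(self) -> str:
        """Outermost file on disk; members of an archive share its container."""
        return self.path.split(" »")[0]

    @property
    def removed(self) -> bool:
        """ESET reports 'deleted' when the object itself or its container is gone."""
        return "deleted" in self.status


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Split a log into its header dictionary and its detection records."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # not a detection record (prose, or tabs lost in copy/paste)
        path, middle, digest = fields[0], fields[1], fields[-1]
        t = THREAT_RE.match(middle)
        threat, status = (t.group("threat"), t.group("status")) if t else (middle, "")
        detections.append(Detection(path, threat, status, digest))
    return header, detections


def outstanding(detections: List[Detection]) -> List[Detection]:
    """Hits that still need action: neither the object nor its container was removed."""
    removed_containers = {d.container for d in detections
                          if d.removed and d.path == d.container}
    return [d for d in detections
            if not d.removed and d.container not in removed_containers]


def summarize(text: str) -> Dict[str, object]:
    """Counts a helper wants at a glance, plus a copy/paste completeness check."""
    header, detections = parse_eset_log(text)
    found = int(header.get("found", "0"))
    return {
        "scanned": int(header.get("scanned", "0")),
        "found": found,
        "parsed": len(detections),
        "complete": found == len(detections),  # every reported hit survived the paste
        "removed": sum(d.removed for d in detections),
        "errors": sum("error" in d.status for d in detections),
        "outstanding": [d.path for d in outstanding(detections)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For the log above the summary reports five removed, three with errors and nothing outstanding: the three errored entries are members of `G:\ejikxx.chm`, and the container itself was deleted, so the per-member errors are expected rather than a sign of something left behind. A member whose container was not removed (for instance an "unable to clean" hit inside an archive that is still on disk) does land in `outstanding`, which is the case worth following up on.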

#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:30 PM

Posted 11 February 2009 - 05:47 PM

That's looking much better. Are you still having issues with infection and/or Windows Installer?

If you still have issues with the installer -- have you run DialAFix?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#8 bolterdog

bolterdog
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
  • Location:Chandler, Arizona
  • Local time:09:30 PM

Posted 11 February 2009 - 08:55 PM

System seems to be performing as prior to the infection aside from 2 issues. Yes I had run Dial-A-Fix before and did so again, then installed Adobe Reader and all went well, so the installer issue seems to be repaired.

The first issue is on start up when my log on page starts I get the Windows Installer box followed by "The feature you are trying to use is on a CD Rom that is not available. Insert Roxio Easy Media, blah, blah, blah". The same thing happens at other times as well. This seems to me to be a Roxio issue and I was thinking of uninstalling it anyway as it came with hardware and I use Nero. If it makes sense that uninstalling will fix that, should I use the uninstaller in the control panel or Perfect Uninstaller that I bought while I was trying to fix my infection? Or should I do something else?

The bigger issue is with My Computer. When I click on it I get the box that opens and then the flashlight searches for 2 minutes (I timed it) before it finds the drives. Once it opens it all works fine but it used to open right away. A similar thing occurs if I am looking for files in a program and have to go to another location to find it, the 2 minute delay happens there as well. Any insight you can provide is much appreciated.

Also, when on the internet, if I am at a site and I click on a link in that site I randomly get a box that opens and says "Internet Explorer cannot open the Internet site ...blah, blah. Operation aborted." If I close that box the screen goes to the default IE cannot display this site. If I hit the refresh button, it goes to the link I had tried initially without a problem. This happens on any site, it even will happen when I am going from the BleepingComputer home page to the forum page. Probably happens 15% of the time.

Thanks again for your help and for all the resources!

Edited by bolterdog, 11 February 2009 - 09:02 PM.


#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:30 PM

Posted 11 February 2009 - 09:12 PM

For the first issue, download the Windows Installer Cleanup Utility from here:
http://support.microsoft.com/kb/290301

Run the tool and have it remove the entries for the installer that appears seemingly randomly.

If the second issue isn't fixed after running the windows installer cleanup utility, disconnect any portable media and remove any disks or CDRom or DVDRoms inserted and see if the issue persists. If it does, try disconnecting any network drives to which you are connected; especially if they point at machines which are no longer operating.

For the third issue, let's see if the first two are fixed first ;)

Billy3

#10 bolterdog

bolterdog
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
  • Location:Chandler, Arizona
  • Local time:09:30 PM

Posted 11 February 2009 - 11:38 PM

Tried to run the WICU and got the same box but it said "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'msicuu.msi' in the box below." In the browse box below it says "C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\". When I click ok it just goes back to the same box, when I click cancel it gives me another box that says "Error 1714. The older version of WICU cannot be removed. Contact your technical support group." So no dice with that KB fix.

I don't have any portable media and there are no discs in any drives and I have no network drives of any kind. Thanks.

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:30 PM

Posted 12 February 2009 - 08:04 PM

Extract the ZIP file before running the tool. It's looking for other files in the ZIP which didn't get copied out when the tool was run.

The tool itself has no dependencies (Beyond the two files in the package) and should run if both miscuu.exe and msizap.exe are in the same directory.

Billy3

#12 bolterdog

bolterdog
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
  • Location:Chandler, Arizona
  • Local time:09:30 PM

Posted 12 February 2009 - 09:34 PM

Ok, I tried opening the program again and when the box opened asking me to browse for the file it made me think to try something else. There was no zip file to open or extract, the link went straight to the installer, so I went looking for miscuu.exe and msizap.exe on my computer and found them in Programs/Windows Installer, so instead of opening the downloaded file from the KB, I opened miscuu.exe that was already on my computer. The msizap.exe was in that folder so based on your last post I went with that. I double clicked on miscuu.exe and it opened and gave me a choice of programs to remove from a list and I was able to get rid of the offending Roxio issue. Rebooted and confirmed that is now all ok. Thanks. Still have the slow response to My Computer and if you're still game I will wait for your suggestions for that. Thanks again.

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:30 PM

Posted 12 February 2009 - 10:10 PM

Wow! Glad to hear you solved that on your own!

I'm sorry... my copy of Windows Installer Cleanup is just sitting in a zip... I should have checked to ensure that link didn't require the installer. :thumbup2:


Please download ProcMon from here: http://technet.microsoft.com/en-us/sysinte...s/bb896645.aspx

Unzip it to your desktop.

Open the program, and leave it running.

Then open My Computer, and leave it alone (do NOTHING ELSE with the machine) until My Computer finishes showing its icons.

Once you've done that, go back to ProcMon, and select File -> Save, and press OK. This will save a procmon log to your desktop as "logfile.pml".

Attach that file to your next post. If it is too large to attach, you can send it to the following location:
http://bleepingcomputer.com/submit-malware.php?Channel=54

Billy3

#14 bolterdog

bolterdog
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
  • Location:Chandler, Arizona
  • Local time:09:30 PM

Posted 12 February 2009 - 11:28 PM

It says it's 102 MB! Should I still send it to the other link?
I'm going to try it.

Ok, it wouldn't send. Looking at how ProcMon was counting up percentages at the bottom of its screen, I decided to try again and open ProcMon and then click on My Computer as fast as I could and then hit the file button and save as soon as the icons showed up. This file says 21MB so I will try that one. Wish me luck!

Well, it's late and that one failed too. I'll wait to hear from you what to try next. Thanks.

Edited by bolterdog, 13 February 2009 - 12:00 AM.


#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:30 PM

Posted 13 February 2009 - 05:32 PM

Sorry for the delay... been a bit hectic on this end lately :thumbup2:

Take the 21 MB file you have, and run it through a Zipping utility. (For example, WinRar or WinZip). That should produce a manageable file size. If it does not, please upload the file using MediaFire:
  • Go to http://www.mediafire.com/
  • Push the large green "Upload Files to MediaFire" button.
  • Push the "I want to upload without an account" button.
  • Browse to the file you wish to submit. (In this case, the zipped PML file)
  • Push the "Upload Now" button in the lower right.
  • Select "My Files (Main Folder)"
  • Wait until you see the "Upload Complete" message, and push the "Copy Link" button.
  • Paste that link into your next reply.
Billy3