Please help I have a virus and can't download any software

#1 mburwood (New Member, 4 posts)

I have had a virus for a couple of weeks now. It brings up the warning "You have a security problem!" It redirects me to various websites and is slowly making my computer impossible to use, recently crashing frequently.
I have tried removing .tmp files from the temp folder, which are usually a number followed by .tmp. I have been into the registry keys and tried to remove corresponding files from there.
I have tried to download Spyware Doctor but am unable to download the update files for the database and cannot run this programme.
I am becoming desperate; any help appreciated. Here's my HJT log:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 23:09:22.78 on 10/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.511.115 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\050PQJSD\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.orange.co.uk
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyBa.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyBa.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\admini~1\locals~1\temp\1.tmp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.truprint.co.uk/TruprintActivia.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: NameServer = 85.255.112.21,85.255.112.89
TCP: {BEED4074-13FE-413C-8B5E-4837FADA6ED9} = 85.255.112.21,85.255.112.89
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\yizs3vqx.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\qfaservices.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-11 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-11 26184]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-11 282904]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-2-16 23096]
R3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2009-2-16 3768]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-2-16 237568]

=============== Created Last 30 ================

2009-03-09 23:08 2,005,504 a------- c:\program files\SDShred.exe
2009-03-09 23:08 1,879,896 a------- c:\program files\SDHelper.dll
2009-03-09 23:08 1,757,696 a------- c:\program files\SDFiles.exe
2009-03-09 23:08 1,303,896 a------- c:\program files\Tools.dll
2009-03-09 23:08 428,888 a------- c:\program files\blindman.exe
2009-03-09 23:08 414,552 a------- c:\program files\SDMain.exe
2009-03-09 23:08 333,288 a------- c:\program files\sqlite3.dll
2009-03-09 23:08 255,392 a------- c:\program files\DelZip179.dll
2009-03-09 23:08 204,160 a------- c:\program files\UninsSrv.dll
2009-03-09 23:08 1,287,000 a------- c:\program files\advcheck.dll
2009-03-09 23:08 34,472 a------- c:\program files\aports.dll
2009-03-08 20:06 18,191,016 a------- c:\program files\sdsetup.exe
2009-03-08 19:53 2,876,728 a------- c:\program files\mbam-setup.exe
2009-03-08 19:31 <DIR> --d----- c:\windows\pss
2009-03-08 10:51 115,204 a------- c:\windows\system32\msxml71.dll
2009-03-08 10:50 <DIR> --d----- c:\program files\WatchFree
2009-03-08 10:50 342 ---shr-- C:\autorun.inf
2009-02-16 21:46 <DIR> --d----- C:\Converted
2009-02-16 21:21 237,568 a------- c:\windows\system32\snmvtsvc.exe
2009-02-16 21:21 23,096 a------- c:\windows\system32\MusCAudio.sys
2009-02-16 21:21 23,096 a------- c:\windows\system32\drivers\MusCAudio.sys
2009-02-16 21:21 19,099 a------- c:\windows\system32\MusCAudio.inf
2009-02-16 21:21 10,936 a------- c:\windows\system32\MusCVideo.dll
2009-02-16 21:21 3,768 a------- c:\windows\system32\MusCVideo.sys
2009-02-16 21:21 3,768 a------- c:\windows\system32\drivers\MusCVideo.sys
2009-02-16 21:21 2,577 a------- c:\windows\system32\MusCVideo.inf
2009-02-16 21:21 2,539 a------- c:\windows\system32\MusCVideo.cat
2009-02-16 21:21 2,100 a------- c:\windows\system32\MusCAudio.cat
2009-02-16 21:21 <DIR> --d----- c:\program files\AllMusicConverter
2009-02-14 11:46 <DIR> --d----- c:\program files\common files\Napster Shared

==================== Find3M ====================

2009-03-08 10:51 32,256 a------- c:\windows\system32\userinit.exe
2009-03-08 02:58 1,152 a---h--- c:\program files\Default.rdp
2009-01-31 13:20 499,712 a------- c:\windows\system32\msvcp71.dll
2009-01-31 13:20 348,160 a------- c:\windows\system32\msvcr71.dll
2009-01-30 21:01 36,864 a------- c:\windows\system32\jRegistryKey.dll
2008-06-11 22:54 47,787,248 a------- c:\program files\avg_free_stf_en_8_100a1295.exe
2008-06-11 22:27 13,665,632 a------- c:\program files\winzip112.exe
2008-06-09 17:59 11,241,682 a------- c:\program files\WM Components 2.2.0.49R.dmg
2008-06-09 13:01 59,782,440 a------- c:\program files\iTunesSetup.exe
2008-06-09 10:35 2,585,872 a------- c:\program files\WindowsInstaller-KB893803-v2-x86.exe
2008-06-09 10:34 59,392 a------- c:\program files\windows installer 3.1 EULA.doc
2008-06-09 10:13 278,528 a------- c:\program files\common files\FDEUnInstaller.exe
2007-04-02 19:22 2,683 a------- c:\program files\OptOut.ini
2007-04-02 19:22 2,128 a------- c:\program files\Default configuration.ini
2000-05-15 10:08 134,656 a------- c:\program files\setup.exe

============= FINISH: 23:10:01.95 ===============
#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello mburwood

Welcome to G2Go. :)
=====================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
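As an added example (not code from the thread, from GMER or from PC Tools), a small Python triage helper for the GMER.txt format kahdah asks for. It groups SSDT hooks by the driver that owns them, which is what lets a reviewer separate a labelled security product's hooks (a common false-positive source, as the caution above says) from an unlabelled driver, flags drivers GMER names but cannot find on disk, and summarises user-mode hooks per process. The sample log is constructed in GMER's format; example_unknown.sys is a hypothetical entry.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 log format. The PCTCore.sys, ntoskrnl and
# mchInjDrv.sys lines mirror the shape of entries seen in this kind of log;
# "example_unknown.sys" is a hypothetical entry added to show how an SSDT hook
# that carries no vendor information is reported.
SAMPLE_GMER = r"""GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-20 18:10:25

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF843C506]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF842AEF0]
SSDT \SystemRoot\System32\Drivers\example_unknown.sys ZwQueryDirectoryFile [0xF8A1B2C0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 81F5706B
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 81F2A06C
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[624] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# "SSDT <module> (<vendor>) <function> [<address>]"; the vendor part is optional.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
KERNEL_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<image>[^!\s]+)!(?P<func>\w+)\s+[0-9A-F]+\s+\d+ Bytes?\s+(?P<patch>.+)$"
)
USER_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>\S+?)!(?P<api>\w+)"
    r"(?:\s\+\s\S+)?\s+[0-9A-F]+\s+\d+ Bytes?\s+(?P<patch>.+)$"
)
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the file specified")


def parse_gmer(text):
    """Parse a GMER log into SSDT hooks, kernel inline patches, missing driver files and per-process user-mode hooks."""
    report = {"ssdt": [], "kernel_patches": [], "missing_files": [], "user_hooks": defaultdict(set)}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = SSDT_RE.match(line)
        if m:
            report["ssdt"].append({"module": m["module"], "vendor": m["vendor"], "function": m["func"]})
            continue
        m = MISSING_RE.match(line)
        if m:
            report["missing_files"].append(m["path"])
            continue
        if section.startswith("Kernel code sections"):
            m = KERNEL_RE.match(line)
            if m:
                report["kernel_patches"].append({"image": m["image"], "function": m["func"], "patch": m["patch"]})
        elif section.startswith("User code sections"):
            m = USER_RE.match(line)
            if m:
                # Several lines may describe one hooked API (e.g. "NtClose" and "NtClose + 4"); keep one entry.
                report["user_hooks"][m["process"]].add(f'{m["dll"]}!{m["api"]}')
    report["user_hooks"] = {proc: sorted(apis) for proc, apis in report["user_hooks"].items()}
    return report


def triage(report):
    """Turn a parsed report into (severity, message) findings for a human reviewer; nothing here is auto-remediated."""
    findings = []
    by_module, vendor_of = defaultdict(list), {}
    for e in report["ssdt"]:
        by_module[e["module"]].append(e["function"])
        vendor_of[e["module"]] = e["vendor"]
    for module, funcs in by_module.items():
        if vendor_of[module]:
            findings.append(("info", f"{module} ({vendor_of[module]}) hooks {len(funcs)} SSDT entries; "
                                     "a labelled vendor driver is a common false positive, confirm that product is installed"))
        else:
            findings.append(("review", f"{module} hooks {len(funcs)} SSDT entries with no version info: {', '.join(funcs)}"))
    for path in report["missing_files"]:
        findings.append(("review", f"driver referenced but file missing on disk: {path}"))
    if report["kernel_patches"]:
        names = ", ".join(f'{p["image"]}!{p["function"]}' for p in report["kernel_patches"])
        findings.append(("review", f"{len(report['kernel_patches'])} inline patches in kernel code: {names}"))
    hooks = report["user_hooks"]
    if hooks:
        api_sets = {frozenset(v) for v in hooks.values()}
        shared = set.intersection(*(set(v) for v in hooks.values()))
        note = " (identical set in every process, consistent with one system-wide injected DLL)" if len(api_sets) == 1 else ""
        findings.append(("info", f"user-mode hooks in {len(hooks)} processes; {len(shared)} APIs hooked in all of them{note}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_gmer(SAMPLE_GMER)):
        print(f"[{severity}] {message}")
```

Run it against a real GMER.txt by reading the file into parse_gmer instead of SAMPLE_GMER; the findings are prompts for a reviewer, not verdicts.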

#3 mburwood (Topic Starter, New Member, 4 posts)

Sorry it has taken a while to respond. The infected PC will no longer access any pages on the internet, making progress more tricky. Here are the results of the GMER scan.
GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-20 18:10:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF843C506]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF842B240]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF842B432]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF843CCC8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF843CF88]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF843B3EC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF843D3EC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF843C7B8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF842AEF0]

Code 81F2A068 ZwEnumerateKey
Code 81F59068 ZwFlushInstructionCache
Code 81FA4068 ZwQueryValueKey
Code 81F57066 IofCallDriver
Code 81F79066 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 81F5706B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 81F7906B
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B183 5 Bytes JMP 81FA406C
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 81F2A06C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 81F5906C
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Spyware Doctor\pctsTray.exe[132] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044AB89 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[624] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01270001
.text C:\WINDOWS\system32\csrss.exe[624] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\csrss.exe[624] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[648] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[648] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01110001
.text C:\WINDOWS\system32\winlogon.exe[648] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[648] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\services.exe[728] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A30001
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\lsass.exe[740] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B50001
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A80001
.text C:\WINDOWS\system32\svchost.exe[892] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[892] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[960] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C00001
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[960] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[996] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 02A20001
.text C:\WINDOWS\System32\svchost.exe[996] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\svchost.exe[996] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A50001
.text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 006D0001
.text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1264] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1264] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00CF0001
.text C:\WINDOWS\system32\spoolsv.exe[1264] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\spoolsv.exe[1264] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C20001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1360] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00FF0001
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1372] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00790001
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1392] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00720001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1516] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1608] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Internet Explorer\iexplore.exe[3376] WS2_32.dll!send 71AB428A 5 Bytes JMP 003D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3376] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00A0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3376] WS2_32.dll!recv 71AB615A 5 Bytes JMP 003E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3376] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 003F000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [0040F5D0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [0040F660] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [0040F6F0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CreateWindowExW] [0040F660] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ShowWindow] [0040F6F0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowPos] [0040F7B0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [0040F5D0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [0040F660] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [0040F7B0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [0040F6F0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!ShowWindow] [0040F6F0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!CreateWindowExA] [0040F5D0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowPos] [0040F7B0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!SetWindowPos] [0040F7B0] C:\WINDOWS\msb.exe
IAT C:\WINDOWS\msb.exe[2708] @ C:\WINDOWS\system32\USERENV.dll [USER32.dll!ShowWindow] [0040F6F0] C:\WINDOWS\msb.exe
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0133BCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0133BC50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01337EA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01339100
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0133AA10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01339370
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01339180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0133A010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0133B950
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0133B990
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0133BD30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0133B810
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0133A970
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01339930
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013392E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01339660
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0133C2B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0133A360
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0133A7D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0133AE90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0133AC20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0133AE10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0133B2F0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0133B000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01339250
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013397E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0133BA70
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0133AD60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0133A910
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0133A790
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0133AB20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0133BD50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0133AB60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0133BFF0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0133BF90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0133C1E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0133C280
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3756] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0133C0B0

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys (*** hidden *** ) EDE6E000-EDE81000 (77824 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxxfvrtnvsitnidmppxoxrvpwewwxxmddx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxxfvrtnvsitnidmppxoxrvpwewwxxmddx.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\gaopdxjapjgtqguyruesnxvkfrywhcxdoymkmv.sys 38400 bytes executable
File C:\WINDOWS\system32\drivers\gaopdxjnbmlotkltfaqgodyidulruiuwpjoepp.sys 34816 bytes executable
File C:\WINDOWS\system32\drivers\gaopdxkajowioywfstethcucivmvfvmhnqftuw.sys 34816 bytes executable
File C:\WINDOWS\system32\drivers\gaopdxkbgkvpxudovnsihaorjolemrmtkdqodk.sys 34816 bytes executable
File C:\WINDOWS\system32\drivers\gaopdxsberrfwxweaxppyymbpfmqxnkhaavdlv.sys 34816 bytes executable
File C:\WINDOWS\system32\gaopdxcounter 4 bytes
File C:\WINDOWS\system32\gaopdxxfvrtnvsitnidmppxoxrvpwewwxxmddx.dll 10752 bytes executable

---- EOF - GMER 1.0.15 ----

Thanks
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
That is fine. Please try to run this program, even if you have to download it on a different system and transfer it to the infected computer, then run it.
You can use a CD or a flash drive.
=======================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#5
mburwood

mburwood

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello again,
I've run ComboFix; here is the log:
ComboFix 09-03-22.01 - Administrator 2009-03-23 14:28:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.291 [GMT 0:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\Administrator\Start Menu\Programs\WatchFree
c:\documents and settings\Administrator\Start Menu\Programs\WatchFree\Uninstall.lnk
c:\documents and settings\All Users\Application Data\autorun.inf
c:\program files\\setup.exe
c:\program files\WatchFree
c:\program files\WatchFree\Uninstall.exe
c:\recycler\S-5-6-19-100019863-100023084-100007780-4270.com
c:\windows\system32\drivers\gaopdxielesiqjlcnvxbqbuwsrsbfpbfpcknjw.sys
c:\windows\system32\drivers\gaopdxjapjgtqguyruesnxvkfrywhcxdoymkmv.sys
c:\windows\system32\drivers\gaopdxjnbmlotkltfaqgodyidulruiuwpjoepp.sys
c:\windows\system32\drivers\gaopdxkajowioywfstethcucivmvfvmhnqftuw.sys
c:\windows\system32\drivers\gaopdxkbgkvpxudovnsihaorjolemrmtkdqodk.sys
c:\windows\system32\drivers\gaopdxsberrfwxweaxppyymbpfmqxnkhaavdlv.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxxfvrtnvsitnidmppxoxrvpwewwxxmddx.dll
c:\windows\system32\msxml71.dll
E:\autorun.inf
F:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-16 23:00 . 2009-03-16 23:01 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-16 23:00 . 2009-03-16 23:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-16 23:00 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-16 23:00 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-16 23:00 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-16 23:00 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-16 15:58 . 2009-03-16 15:58 58,372 --a------ c:\windows\msb.exe
2009-03-14 15:53 . 2009-03-14 15:53 <DIR> d-------- c:\program files\Trend Micro
2009-03-13 23:32 . 2009-03-13 23:32 58,372 --a------ c:\windows\msa.exe
2009-03-13 18:55 . 2009-03-16 23:01 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-13 18:55 . 2009-03-13 18:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PC Tools
2009-03-13 18:55 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-03-13 18:55 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-03-13 18:55 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-03-13 18:55 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-03-09 23:08 . 2009-01-26 15:30 2,005,504 --a------ c:\program files\SDShred.exe
2009-03-09 23:08 . 2009-01-26 15:31 1,879,896 --a------ c:\program files\SDHelper.dll
2009-03-09 23:08 . 2009-01-26 15:29 1,757,696 --a------ c:\program files\SDFiles.exe
2009-03-09 23:08 . 2009-01-26 15:31 1,303,896 --a------ c:\program files\Tools.dll
2009-03-09 23:08 . 2009-01-26 15:30 1,287,000 --a------ c:\program files\advcheck.dll
2009-03-09 23:08 . 2009-01-26 15:31 428,888 --a------ c:\program files\blindman.exe
2009-03-09 23:08 . 2009-01-26 15:31 414,552 --a------ c:\program files\SDMain.exe
2009-03-09 23:08 . 2008-06-19 17:35 333,288 --a------ c:\program files\sqlite3.dll
2009-03-09 23:08 . 2008-06-14 10:24 255,392 --a------ c:\program files\DelZip179.dll
2009-03-09 23:08 . 2009-01-16 14:06 204,160 --a------ c:\program files\UninsSrv.dll
2009-03-09 23:08 . 2007-04-02 19:22 34,472 --a------ c:\program files\aports.dll
2009-03-08 20:06 . 2009-03-23 14:15 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-08 20:06 . 2009-03-08 20:06 18,191,016 --a------ c:\program files\sdsetup.exe
2009-03-08 19:53 . 2009-03-08 19:53 2,876,728 --a------ c:\program files\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 22:04 81,920 ----a-w c:\windows\system32\W32N50.dll
2009-03-17 22:04 17,134 ----a-w c:\windows\system32\PCANDIS5.sys
2009-03-15 10:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-03-08 11:19 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-08 10:51 32,256 ----a-w c:\windows\system32\userinit.exe
2009-03-08 02:58 1,152 ---ha-w c:\program files\Default.rdp
2009-03-03 12:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-16 21:22 --------- d-----w c:\program files\AllMusicConverter
2009-02-16 10:58 --------- d-----w c:\documents and settings\Administrator\Application Data\Roxio
2009-02-16 10:52 --------- d-----w c:\program files\Google
2009-02-14 11:46 --------- d-----w c:\program files\Napster
2009-02-14 11:46 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-02-14 11:46 --------- d-----w c:\program files\Common Files\Napster Shared
2009-02-14 11:44 --------- d-----w c:\documents and settings\Administrator\Application Data\InstallShield
2009-02-03 13:53 3,768 ----a-w c:\windows\system32\MusCVideo.sys
2009-02-03 13:53 3,768 ----a-w c:\windows\system32\drivers\MusCVideo.sys
2009-02-03 13:53 23,096 ----a-w c:\windows\system32\MusCAudio.sys
2009-02-03 13:53 23,096 ----a-w c:\windows\system32\drivers\MusCAudio.sys
2009-02-03 13:53 10,936 ----a-w c:\windows\system32\MusCVideo.dll
2009-02-03 13:47 237,568 ----a-w c:\windows\system32\snmvtsvc.exe
2009-01-31 13:25 --------- d-----w c:\documents and settings\Administrator\Application Data\Talkback
2009-01-31 13:20 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-01-31 13:20 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-31 13:20 --------- d-----w c:\program files\Real
2009-01-31 13:20 --------- d-----w c:\program files\Common Files\xing shared
2009-01-31 13:20 --------- d-----w c:\program files\Common Files\Real
2009-01-31 12:51 --------- d-----w c:\program files\Platte
2009-01-30 21:01 36,864 ----a-w c:\windows\system32\jRegistryKey.dll
2008-06-11 22:54 47,787,248 ----a-w c:\program files\avg_free_stf_en_8_100a1295.exe
2008-06-11 22:27 13,665,632 ----a-w c:\program files\winzip112.exe
2008-06-09 17:59 11,241,682 ----a-w c:\program files\WM Components 2.2.0.49R.dmg
2008-06-09 13:01 59,782,440 ----a-w c:\program files\iTunesSetup.exe
2008-06-09 10:35 2,585,872 ----a-w c:\program files\WindowsInstaller-KB893803-v2-x86.exe
2008-06-09 10:34 59,392 ----a-w c:\program files\windows installer 3.1 EULA.doc
2008-06-09 10:13 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2007-04-02 19:22 2,683 ----a-w c:\program files\OptOut.ini
2007-04-02 19:22 2,128 ----a-w c:\program files\Default configuration.ini
.

------- Sigcheck -------

2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2009-03-08 10:51 32256 1fc4b37e91425a906ebc23b13b9d29e7 c:\windows\system32\userinit.exe
2004-08-03 23:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2008-08-20 22:03 1780248 --a------ c:\program files\myBabylon_English\tbmyBa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyBa.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\tbmyBa.dll" [2008-08-20 1780248]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-28 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-02-03 323216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-31 185872]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-04-28 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-06-11 23:10 1177368 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ColdWare]
--a------ 2009-03-13 23:32 58372 c:\windows\msa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-28 16:17 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-16 130424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-11 96520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 282904]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-02-16 23096]
R3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2009-02-16 3768]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-13 348752]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-02-16 237568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-2-97-100008464-100023366-100021078-3840.com c:\
\Shell\Open\command - c:\recycler\S-6-2-97-100008464-100023366-100021078-3840.com c:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98745ed2-3624-11dd-98ab-000874f856c4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL remove.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d263dcef-5eef-11dd-98e4-000874f856c4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL remove.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8e781a5-2258-11dd-989e-d3591d079eaf}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL remove.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de10d40a-3613-11dd-98aa-000874f856c4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL remove.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-23 c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
- c:\windows\msb.exe [2009-03-16 15:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{500BCA15-57A7-4eaf-8143-8C619470B13D} - c:\windows\system32\msxml71.dll
MSConfigStartUp-Cognac - c:\docume~1\ADMINI~1\LOCALS~1\Temp\9.tmp.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 14:31:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-23 14:34:08
ComboFix-quarantined-files.txt 2009-03-23 14:33:58

Pre-Run: 64,792,309,760 bytes free
Post-Run: 65,857,761,280 bytes free

205 --- E O F --- 2009-02-27 16:26:52

Literally just finished. I am going to see if the PC will connect to the internet...
Thanks
  • 0

#6
mburwood

mburwood

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Oh dear,
I think I may really have done it now. After running ComboFix the PC seemed much better. I was able to update and run AVG, which found a number of infections. It asked to restart the computer, which I allowed. I am now unable to get the PC to start. I sign in and it says it is starting up, but then the message changes to logging off and I am returned to the login screen. I have tried in Safe Mode but the same thing happens. I should have waited for your reply. Is there anything I can do?
  • 0

#7
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Well, do you have an XP CD?
Do you have the means with which to burn a CD?

Try to boot into Last Known Good Configuration by pressing F8, just as you would to boot into Safe Mode, but choose Last Known Good Configuration.
Let me know how that goes.
  • 0
