
CLB Driver Infection - Please Help!



Microsoft OneCare tells me I am infected with Alureon.H but can't clean it. Here is my RootRepeal log file. Please help. Thank you so much.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/05/02 17:39

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\7B1Y2U0H\logging_clicks[3].gif

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FOWQX0OT\yellowpages_com[1].txt

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FOWQX0OT\logging_requests[3].gif

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NFNOQV5G\beaconCAXA63YT.js

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NFNOQV5G\yellowpages_com[1].txt

Status: Visible to the Windows API, but not on disk.

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_requestassignments\000000sm.msg

Status: Allocation size mismatch (API: 98304, Raw: 49152)

==EOF==


Hello, and welcome! My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log


Hello Elise, thank you for your help. Here are my OTL and Extras log files. GMER stuff to come. Thank you, Joe:

OTL logfile created on: 5/3/2010 7:23:26 PM - Run 1

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\mountsj\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 232.00 Mb Available Physical Memory | 23.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): C:\pagefile.sys 3048 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 50.02 Gb Total Space | 1.84 Gb Free Space | 3.67% Space Free | Partition Type: NTFS

Drive D: | 5.85 Gb Total Space | 0.20 Gb Free Space | 3.49% Space Free | Partition Type: FAT32

Drive E: | 12.88 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: N3059520

Current User Name: MOUNTSJ

NOT logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/03 19:22:42 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mountsj\Desktop\OTL.exe

PRC - [2010/04/08 09:14:22 | 000,632,792 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

PRC - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe

PRC - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe

PRC - [2010/03/09 08:40:26 | 001,286,608 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe

PRC - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/05/22 16:19:52 | 000,180,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe

PRC - [2007/05/17 17:45:34 | 000,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe

PRC - [2007/04/06 13:07:16 | 012,295,008 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

PRC - [2006/12/20 14:29:34 | 000,116,928 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe

PRC - [2006/12/20 14:29:30 | 001,814,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe

PRC - [2006/12/20 14:29:20 | 000,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe

PRC - [2006/11/21 21:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

PRC - [2006/11/21 21:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

PRC - [2006/08/02 00:39:20 | 000,434,176 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2006/08/02 00:38:30 | 000,802,816 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

PRC - [2006/08/02 00:32:44 | 000,696,320 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

PRC - [2006/08/02 00:31:22 | 000,937,984 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2006/08/02 00:27:54 | 000,479,232 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

PRC - [2006/08/02 00:24:22 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

PRC - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

PRC - [2006/01/09 13:56:04 | 000,049,152 | ---- | M] () -- C:\WINDOWS\system32\LxrSII1s.exe

PRC - [2005/08/17 23:51:22 | 000,196,608 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

PRC - [2005/08/09 14:41:38 | 000,075,328 | ---- | M] (PatchLink Corporation) -- C:\Program Files\Patchlink\Update Agent\GravitixService.exe

PRC - [2004/10/29 17:13:40 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\vnxserv.exe

PRC - [2004/08/04 03:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe

PRC - [2004/07/23 03:01:00 | 000,241,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe

========== Modules (SafeList) ==========

MOD - [2010/05/03 19:22:42 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\mountsj\Desktop\OTL.exe

MOD - [2010/02/26 07:16:18 | 000,154,160 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\smum32.dll

MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)

SRV - [2010/04/08 09:14:22 | 000,632,792 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)

SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)

SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)

SRV - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)

SRV - [2007/07/11 17:25:20 | 000,025,640 | R--- | M] (Amazon.com) [On_Demand | Stopped] -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)

SRV - [2007/05/22 16:19:52 | 000,180,224 | ---- | M] () [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe -- (SG_Service)

SRV - [2007/05/17 17:45:34 | 000,271,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)

SRV - [2006/12/20 14:29:34 | 000,116,928 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)

SRV - [2006/12/20 14:29:30 | 001,814,720 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2006/12/20 14:29:20 | 000,031,424 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

SRV - [2006/11/21 21:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2006/11/21 21:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)

SRV - [2006/08/07 16:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)

SRV - [2006/08/02 00:39:20 | 000,434,176 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®

SRV - [2006/08/02 00:31:22 | 000,937,984 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®

SRV - [2006/08/02 00:24:22 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®

SRV - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

SRV - [2006/01/09 13:56:04 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\LxrSII1s.exe -- (LxrSII1s)

SRV - [2005/08/17 23:51:22 | 000,196,608 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)

SRV - [2005/08/09 14:41:38 | 000,075,328 | ---- | M] (PatchLink Corporation) [Auto | Running] -- C:\Program Files\PatchLink\Update Agent\GravitixService.exe -- (PatchLink Update)

SRV - [2004/10/29 17:13:40 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\vnxserv.exe -- (VnxService)

SRV - [2004/08/04 03:05:00 | 000,570,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)

SRV - [2004/07/23 03:01:00 | 000,241,664 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe -- (Wuser32)

SRV - [2002/04/30 23:09:04 | 000,614,400 | ---- | M] (Nortel Networks NA, Inc.) [On_Demand | Stopped] -- C:\Program Files\Nortel Networks\Extranet_serv.exe -- (ExtranetAccess)

========== Driver Services (SafeList) ==========

DRV - [2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)

DRV - [2010/03/29 08:38:44 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100503.002\navex15.sys -- (NAVEX15)

DRV - [2010/03/29 08:38:44 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100503.002\naveng.sys -- (NAVENG)

DRV - [2009/08/27 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2009/08/27 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2008/05/06 02:01:28 | 000,016,512 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (ASPI32)

DRV - [2008/04/13 14:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)

DRV - [2008/04/13 14:46:20 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)

DRV - [2008/04/13 14:46:09 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)

DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2008/04/13 13:46:20 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)

DRV - [2008/01/07 13:36:16 | 002,216,064 | ---- | M] (Intel


Elise,

Not a problem. Here is my GMER log. Two things, though: I have Norton, but I'm not sure it was running; nothing was in the Taskbar to turn it off. Second, just a heads-up, the sys file at the bottom, the dac2w2k, is what Microsoft OneCare said was infected with Alureon.H. (Well, I guess it will be in my second post; the forum said my post was too long, so I will have to break it up.)

Thank you so very much for your help.

Joe

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-04 09:49:22

Windows 5.1.2600 Service Pack 3

Running: jkczftjp.exe; Driver: C:\DOCUME~1\mountsj\LOCALS~1\Temp\ffdiqpog.sys

---- System - GMER 1.0.15 ----

SSDT 86634E88 ZwConnectPort

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7425112]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF74042D6]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF74044C8]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7425900]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7425BB4]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7423E12]

SSDT 863C31C8 ZwQueryValueKey

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7426020]

SSDT 863CD2A0 ZwResumeThread

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF74253D2]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7403F44]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\dac2w2k.sys entry point in ".rsrc" section [0xF746F194]

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF63843BF]

init C:\WINDOWS\System32\drivers\vnxtcp.sys entry point in "init" section [0xA7C613E2]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7F, 71] {JG 0x73}

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [94, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [88, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A0, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9A, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [97, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8B, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9D, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [85, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [91, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8E, 71]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[176] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [82, 71]

.text C:\WINDOWS\system32\svchost.exe[176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E30001

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\spoolsv.exe[388] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\spoolsv.exe[388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00940001

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7F, 71] {JG 0x73}

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [94, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [88, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A0, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9A, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [97, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8B, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9D, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [85, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [91, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8E, 71]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [82, 71]

.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F90001

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\services.exe[544] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\WINDOWS\system32\services.exe[544] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02F90001

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7F, 71] {JG 0x73}

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [94, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [88, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A0, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9A, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [97, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8B, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9D, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [85, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [91, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8E, 71]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\lsass.exe[584] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [82, 71]

.text C:\WINDOWS\system32\lsass.exe[584] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DB0001

.text C:\WINDOWS\System32\svchost.exe[604] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 006D000A

.text C:\WINDOWS\System32\svchost.exe[604] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 006E000A

.text C:\WINDOWS\System32\svchost.exe[604] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 006C000C

.text C:\WINDOWS\System32\svchost.exe[604] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FC000A

.text C:\WINDOWS\System32\svchost.exe[604] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FB000A

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8C, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A4, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9E, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9B, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8F, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A1, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [89, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [95, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [92, 71]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[788] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [86, 71]

.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8C, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A4, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9E, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9B, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8F, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A1, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [89, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [95, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [92, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [86, 71]

.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 06D20001

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\WINDOWS\System32\svchost.exe[932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006C0001

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7E, 71] {JLE 0x73}

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [93, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [87, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [9F, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [99, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [96, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8A, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9C, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [84, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [90, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8D, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [81, 71]

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[992] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E80001

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[1012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006C0001

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[1040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00710001

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7F, 71] {JG 0x73}

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [94, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [88, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A0, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9A, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [97, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8B, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9D, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [85, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [91, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8E, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [82, 71]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1072] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014D0001

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8C, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A4, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9E, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9B, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8F, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A1, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [89, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [95, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [92, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [86, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1120] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001


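Added example (not code from either post in this thread): a small Python triage script for GMER user-mode hook lines of the kind listed above. GMER prints only the bytes that differ from the on-disk copy of the module, which is why each 6-byte `FF 25 xx xx xx xx` (JMP DWORD PTR [imm32]) hook shows up as two fragments, `[FF, 25, 1E]` at +0 and two bytes at +4, with the unchanged byte at +3 left out; the curly-brace notes such as `{TEST AL, 0x71}` or `{JG 0x73}` are GMER disassembling that two-byte tail on its own and carry no meaning. The script parses the lines, groups hooked functions per process so that a process whose hook set differs from all the others stands out, and rebuilds the pointer operand of each JMP. It assumes the omitted byte at +3 is 0x00 (the third byte of the `mov eax, <syscall number>` immediate in XP's ntdll stubs); that value is an assumption and is exposed as a parameter. The sample log is constructed from lines copied out of the post above plus one non-hook line.

```python
"""Triage helper for GMER user-mode hook lines (added example, not from the thread)."""
import re
from collections import defaultdict

# One GMER ".text" hook line, e.g.
#   .text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]
#   .text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001
# Anything after the closing ']' (GMER's "{TEST AL, 0x71}" fragment disassembly) is ignored.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<count>\d+)\s+Bytes?\s+"
    r"(?:\[(?P<bytes>[^\]]*)\]|CALL\s+(?P<call>[0-9A-Fa-f]{8}))"
)


def parse_hook_lines(text):
    """Parse every recognised hook line into a dict; any other line is skipped."""
    records = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "proc": m["proc"],
            "pid": int(m["pid"]),
            "site": f"{m['module']}!{m['func']}",
            "offset": int(m["off"], 16) if m["off"] else 0,
            "addr": int(m["addr"], 16),
            "bytes": bytes(int(b, 16) for b in m["bytes"].split(",")) if m["bytes"] else b"",
            "call_target": int(m["call"], 16) if m["call"] else None,
        })
    return records


def hooked_sites_by_process(records):
    """(process path, pid) -> sorted list of hooked sites such as 'ntdll.dll!NtClose'."""
    sites = defaultdict(set)
    for r in records:
        sites[(r["proc"], r["pid"])].add(r["site"])
    return {k: sorted(v) for k, v in sites.items()}


def group_by_hook_set(records):
    """Tuple of hooked sites -> processes carrying exactly that set.

    One large group means one component hooked every process the same way;
    a process that falls into its own group is the one to look at first.
    """
    groups = defaultdict(list)
    for proc, sites in hooked_sites_by_process(records).items():
        groups[tuple(sites)].append(proc)
    return dict(groups)


def jmp_indirect_targets(records, untouched_byte=0x00):
    """Rebuild the pointer operand of each FF 25 (JMP DWORD PTR [imm32]) hook.

    GMER lists only changed bytes, so the 6-byte JMP arrives as [FF, 25, lo]
    at +0 and [b2, b3] at +4; the byte at +3 is unchanged and not printed.
    ASSUMPTION: that byte is 0x00 (third byte of the `mov eax, <syscall>`
    immediate in XP ntdll stubs). Returns {(proc, pid, site): pointer}.
    """
    frags = defaultdict(dict)
    for r in records:
        if not r["bytes"]:
            continue  # CALL-style entries carry no byte list
        key = (r["proc"], r["pid"], r["site"])
        # GMER may print both [FF] and [FF, 25, 1E] for one site; keep the longer run.
        if len(r["bytes"]) > len(frags[key].get(r["offset"], b"")):
            frags[key][r["offset"]] = r["bytes"]
    targets = {}
    for key, by_off in frags.items():
        head, tail = by_off.get(0, b""), by_off.get(4, b"")
        if len(head) >= 3 and head[:2] == b"\xff\x25" and len(tail) >= 2:
            ptr = bytes([head[2], untouched_byte, tail[0], tail[1]])
            targets[key] = int.from_bytes(ptr, "little")
    return targets


# Constructed sample: lines copied from the log in this thread, plus one non-hook line.
SAMPLE_LOG = r"""
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[1144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001
Link to post
"""

if __name__ == "__main__":
    recs = parse_hook_lines(SAMPLE_LOG)
    for (proc, pid), sites in hooked_sites_by_process(recs).items():
        print(f"{proc}[{pid}]: {len(sites)} hooked sites")
    for (proc, pid, site), ptr in sorted(jmp_indirect_targets(recs).items()):
        print(f"  pid {pid} {site:<24} JMP DWORD PTR [{ptr:08X}]")
```

Run as-is to see the sample; for a full log, pass the whole file's text to `parse_hook_lines` and look at `group_by_hook_set` first, since the interesting process is the one whose hook set does not match the rest.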
Ok, I was wrong, not two...but three parts. Here is 2 of 3:

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8C, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A4, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9E, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9B, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8F, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A1, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [89, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [95, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [92, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [86, 71]

.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7F, 71] {JG 0x73}

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [94, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [88, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A0, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9A, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [97, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8B, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9D, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [85, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [91, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8E, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [82, 71]

.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1212] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DB0001

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7F, 71] {JG 0x73}

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [94, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [88, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A0, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9A, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [97, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8B, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9D, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [85, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [91, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8E, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [82, 71]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1328] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AF0001

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8C, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A4, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9E, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9B, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8F, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A1, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [89, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [95, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [92, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [86, 71]

.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01960001

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B60001

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006F0001

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7E, 71] {JLE 0x73}

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [93, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [87, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [9F, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [99, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [96, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8A, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9C, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [84, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [90, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8D, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [81, 71]

.text C:\Program Files\PatchLink\Update Agent\GravitixService.exe[1604] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01650001

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8C, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A4, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9E, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9B, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8F, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A1, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [89, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [95, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [92, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [86, 71]

.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 07130001

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\vnxserv.exe[1696] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01130001

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\LxrSII1s.exe[1836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D50001

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\csrss.exe[1856] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01620001

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01620001

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [98, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8C, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A4, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9E, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9B, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8F, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A1, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [89, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [95, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [92, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [86, 71]

.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 007A0001

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[1980] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\winlogon.exe[2020] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\WINDOWS\system32\winlogon.exe[2020] kernel32.dll!LoadLibraryExW + C4

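
The hook lines in the listing above all follow one shape: at each hooked ntdll export GMER reports "3 Bytes [FF, 25, 1E]" and, at +4, two more bytes such as "[AE, 71]". GMER prints only the bytes that differ from the module on disk, and FF 25 imm32 is the x86 "jmp dword ptr [imm32]" opcode, so the six bytes at the export are an indirect jump through a pointer cell whose address is spread over the two reported fragments plus one unlisted byte. The script below is an added example (not part of the original post and not GMER's code) that parses lines of this format, merges the fragments per process and export, and reconstructs the pointer cell, and it records the CALL targets GMER has already decoded for the LoadLibraryExW and CreateThread patches. Its one assumption, made explicit as FILL_BYTE, is that the unlisted byte at +3 was 0x00, which holds for XP ntdll stubs that begin with "mov eax, imm32" (B8 xx 00 00 00). Under that assumption the NtCreateSection patch in vnxserv.exe decodes to jmp dword ptr [0x7190001E], and NtClose decodes to a different cell in csrss.exe (0x7187001E) than in SPBBCSvc.exe (0x7183001E); the sample input is a constructed subset of the lines shown above.

```python
"""Decode the user-mode hook entries of a GMER log (added example, not GMER's code)."""
import re
from collections import defaultdict

FILL_BYTE = 0x00  # ASSUMPTION: original value of bytes GMER leaves unlisted (XP ntdll 'mov eax, imm32' stub)

LINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<va>[0-9A-Fa-f]{8})\s+\d+\s+Bytes?\s+(?P<rest>.*)$"
)
BYTES_RE = re.compile(r"\[([0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\]")
CALL_RE = re.compile(r"\bCALL\s+([0-9A-Fa-f]{8})")

# Constructed sample: a subset of the lines from the listing above, copied verbatim.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\vnxserv.exe[1696] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]
.text C:\WINDOWS\system32\vnxserv.exe[1696] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01130001
.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1856] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]
.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe[1932] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [83, 71]
.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}
.text C:\Program Files\Spyware Doctor\pctsTray.exe[2208] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
"""


def parse_hook_lines(text):
    """Yield one record per '.text' line: process, export, entry VA, patch VA, bytes, CALL target."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        va = int(m.group("va"), 16)
        off = int(m.group("off"), 16) if m.group("off") else 0   # "+ 4" / "+ C4" offset
        b = BYTES_RE.search(m.group("rest"))
        c = CALL_RE.search(m.group("rest"))
        yield {
            "process": f"{m.group('image')}[{m.group('pid')}]",
            "export": f"{m.group('module').lower()}!{m.group('func')}",
            "entry": va - off,
            "va": va,
            "bytes": bytes(int(x, 16) for x in b.group(1).split(",")) if b else b"",
            "call_target": int(c.group(1), 16) if c else None,
        }


def decode_hooks(text, fill_byte=FILL_BYTE):
    """Merge the reported bytes per (process, export) and decode the patch at the export."""
    cells = defaultdict(dict)          # (process, export) -> {va: reported byte}
    entries, calls = {}, {}
    for r in parse_hook_lines(text):
        key = (r["process"], r["export"])
        entries[key] = r["entry"]
        for i, byte in enumerate(r["bytes"]):
            cells[key][r["va"] + i] = byte
        if r["call_target"] is not None:
            calls[key] = (r["va"], r["call_target"])
    hooks = {}
    for key, entry in entries.items():
        if key in calls:               # GMER already resolved the E8 rel32 target
            va, target = calls[key]
            hooks[key] = {"kind": "call", "entry": entry, "patch_va": va, "target": target}
            continue
        # Rebuild the six-byte window at the export; unlisted bytes were unchanged on disk.
        window = bytes(cells[key].get(entry + i, fill_byte) for i in range(6))
        unlisted = [entry + i for i in range(6) if entry + i not in cells[key]]
        if window[:2] == b"\xff\x25":  # jmp dword ptr [imm32]
            hooks[key] = {"kind": "jmp_indirect", "entry": entry,
                          "pointer_cell": int.from_bytes(window[2:], "little"),
                          "assumed_bytes": unlisted}
        else:
            hooks[key] = {"kind": "unknown", "entry": entry, "bytes": window}
    return hooks


def pointer_cells_by_export(hooks):
    """Pointer cells seen for each export across processes (same cell everywhere or per-process?)."""
    seen = defaultdict(set)
    for (_, export), info in hooks.items():
        if info["kind"] == "jmp_indirect":
            seen[export].add(info["pointer_cell"])
    return dict(seen)


def report(hooks):
    """One summary line per hooked export, sorted by process."""
    lines = []
    for key in sorted(hooks):
        process, export = key
        info = hooks[key]
        if info["kind"] == "jmp_indirect":
            lines.append(f"{process}  {export}: jmp dword ptr [0x{info['pointer_cell']:08X}]"
                         f"  ({len(info['assumed_bytes'])} byte(s) assumed 0x{FILL_BYTE:02X})")
        elif info["kind"] == "call":
            lines.append(f"{process}  {export}+0x{info['patch_va'] - info['entry']:X}:"
                         f" call 0x{info['target']:08X}")
        else:
            lines.append(f"{process}  {export}: unrecognised patch {info['bytes'].hex()}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(decode_hooks(SAMPLE_LOG))))
```

Feed the whole GMER section through decode_hooks and then pointer_cells_by_export: whether an export resolves to the same pointer cell in every process or to a different cell per process, and where the LoadLibraryExW call targets land, are the first questions to settle before attributing the hooks to any one module; the decoder reports only what the bytes say and leaves that judgement to the reader.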

Ok, 3 of 3 with file name at the bottom:

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7F, 71] {JG 0x73}

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [94, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [88, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A0, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9A, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [97, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8B, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9D, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [85, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [91, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8E, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [82, 71]

.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[2148] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006A0001

.text C:\Program Files\Spyware Doctor\pctsTray.exe[2208] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\MsPMSPSv.exe[2368] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D30001

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [7E, 71] {JLE 0x73}

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [93, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [87, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [99, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [96, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [84, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [90, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [81, 71]

.text C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe[2596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01BE0001

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00770001

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\Documents and Settings\All Users\Application Data\RbtProt\sgsrv.exe[2756] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012C0001

.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2796] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [99, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [90, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [96, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [93, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [87, 71]

.text C:\WINDOWS\system32\CCM\CcmExec.exe[3132] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F90001

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [87, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [9C, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [AE, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [90, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [A8, 71] {TEST AL, 0x71}

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [A2, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [9F, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [93, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [A5, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [8D, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [99, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [96, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]

.text C:\WINDOWS\system32\svchost.exe[3336] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [8A, 71]

.text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006E0001

.text C:\WINDOWS\Explorer.EXE[3628] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[3628] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[3628] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip vnxtcp.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp vnxtcp.sys

Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp vnxtcp.sys

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp vnxtcp.sys

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 872B1AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dac2w2k.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

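The GMER output above is easier to reason about when the hook rows are parsed than when they are read line by line. What follows is an added example written for this page, not code from GMER, from ComboFix or from anyone in the thread. It assumes the row layout visible in the log (`.text <process>[pid] <module>!<export> [+ off] <addr> <n> Bytes <detail>`, `Device -> <driver> <device> <addr>`, `File <path> suspicious modification`), and it treats two readings as heuristics rather than verdicts: a JMP/CALL target that GMER could not attribute to a named module points into unbacked memory, and a disk device object that resolves to a bare address instead of a driver image deserves a hash check of that driver. The sample rows are constructed from the shape of the log above, not the full log.

```python
"""Triage helper for GMER 1.0.15 text output (example code written for this page,
not part of GMER or of the thread). Assumptions are marked in the comments."""
import re
from collections import Counter, defaultdict

# Constructed sample: a few rows in the shape of the log above, not the full log.
SAMPLE_LOG = r"""
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [84, 71]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2732] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00770001
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2796] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\WINDOWS\Explorer.EXE[3628] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[3628] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[3628] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C
Device -> \Driver\atapi \Device\Harddisk0\DR0 872B1AC8
File C:\WINDOWS\system32\drivers\dac2w2k.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes?\s+(?P<detail>.*)$")
FLOW_RE = re.compile(r"^(?P<op>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})\s*(?P<attrib>.*)$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\]")
DEVICE_RE = re.compile(r"^Device ->\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<addr>[0-9A-Fa-f]{8})$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<verdict>suspicious modification)$")


def parse_hook(line):
    """One '.text <process>[pid] <module>!<export> ...' row, or None if it is not one."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    h = {"proc": m["proc"], "pid": int(m["pid"]), "module": m["module"], "func": m["func"],
         "off": int(m["off"], 16) if m["off"] else 0, "addr": int(m["addr"], 16),
         "kind": "bytes", "target": None, "attributed": None, "bytes": []}
    detail = m["detail"].strip()
    flow, raw = FLOW_RE.match(detail), BYTES_RE.match(detail)
    if flow:  # GMER decoded the patch as a relative JMP or CALL
        h["kind"] = flow["op"].lower()
        h["target"] = int(flow["target"], 16)
        # Assumption: GMER appends '<image path> (description/vendor)' only when
        # the target lies inside a loaded module, so a bare address means memory
        # that no module backs.
        h["attributed"] = bool(flow["attrib"].strip())
    elif raw:  # GMER lists only the bytes that differ from the on-disk image
        h["bytes"] = [int(b, 16) for b in raw["bytes"].split(",")]
        if h["bytes"][:2] == [0xFF, 0x25]:
            h["kind"] = "jmp_indirect"  # FF 25 <abs32>: jmp dword ptr [abs32]
    return h


def rebuild_indirect_targets(hooks):
    """A 6-byte 'FF 25 <abs32>' patch appears as '3 Bytes [FF, 25, lo]' at +0 and
    '2 Bytes [b4, b5]' at +4 because the byte at +3 equalled the original and was
    not listed. Pair both rows and rebuild the pointer with +3 masked as '??'."""
    at4 = {(h["pid"], h["module"], h["func"]): h["bytes"]
           for h in hooks if h["off"] == 4 and len(h["bytes"]) == 2}
    out = {}
    for h in hooks:
        if h["kind"] == "jmp_indirect" and h["off"] == 0 and len(h["bytes"]) == 3:
            tail = at4.get((h["pid"], h["module"], h["func"]))
            if tail:
                out[(h["pid"], h["func"])] = f"0x{tail[1]:02X}{tail[0]:02X}??{h['bytes'][2]:02X}"
    return out


def triage(text):
    """Parse a GMER log and return per-process hook counts plus the rows worth a second look."""
    hooks, devices, files = [], [], []
    for line in (raw_line.strip() for raw_line in text.splitlines()):
        h = parse_hook(line) if line.startswith(".text") else None
        if h:
            hooks.append(h)
        elif DEVICE_RE.match(line):
            devices.append(DEVICE_RE.match(line).groupdict())
        elif FILE_RE.match(line):
            files.append(FILE_RE.match(line).groupdict())
    per_process = defaultdict(Counter)
    for h in hooks:
        per_process[(h["pid"], h["proc"])][h["kind"]] += 1
    unattributed = sorted((h["pid"], h["func"], f"0x{h['target']:08X}")
                          for h in hooks if h["kind"] in ("jmp", "call") and h["attributed"] is False)
    # Heuristic (assumption): a device object whose owner resolves to a bare
    # address rather than a named driver image is what a helper checks first.
    indicators = [f"{d['device']} (owner {d['driver']}) resolves to bare address {d['addr']}; "
                  "no driver image named, verify the disk driver's on-disk hash" for d in devices]
    indicators += [f"{f['path']}: {f['verdict']}" for f in files]
    return {"per_process": {k: dict(v) for k, v in per_process.items()},
            "unattributed_targets": unattributed,
            "indirect_targets": rebuild_indirect_targets(hooks),
            "indicators": indicators}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (pid, proc), kinds in report["per_process"].items():
        print(f"{pid:>5} {proc}: {kinds}")
    for pid, func, target in report["unattributed_targets"]:
        print(f"  pid {pid}: {func} -> {target} (target not inside any named module)")
    for (pid, func), ptr in report["indirect_targets"].items():
        print(f"  pid {pid}: {func} jmp dword ptr [{ptr}]")
    for line in report["indicators"]:
        print("  !", line)
```

The rebuilt `0x7184??1E` pointer is why the paired `+ 4` rows matter: the patch is a six-byte `jmp dword ptr [abs32]`, and GMER prints only the bytes that changed, so the two rows have to be read together. Hooks inside the security products' own processes are expected; the rows that stand out are the relative JMPs in Explorer.EXE with no module attribution, and the `Device ->` and `suspicious modification` rows, which are the kernel-level findings to verify against known-good driver hashes before trusting any disk-level scan from the running system.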

Hi again :lol:

Yes, indeed that is clearly an Alureon or TDSS rootkit infection. Please consider the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Elise,

I'm having trouble running ComboFix. I couldn't turn off Norton, but it still loaded the Microsoft Recovery Console. After the Recovery Console load, I turned off the Wireless card to disconnect from the Internet.

It continued to run, but ran all night saying it was scanning files. This morning I received an error that said it needed to close Norton Antivirus and I said 'ok', but as of noon, it still doesn't look like ComboFix is working properly.

Any suggestions?

Joe


OK Elise,

Here is the Combofix log.

Joe

ComboFix 10-05-04.03 - MOUNTSJ 05/05/2010 19:29:27.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.664 [GMT -4:00]

Running from: c:\documents and settings\mountsj\Desktop\ComboFix.exe

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\mountsj\System

c:\documents and settings\mountsj\System\win_qs8.jqx

c:\program files\Common Files\Temp

c:\program files\WindowsUpdate

c:\windows\eSellerateEngine.dll

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000011_.tmp.dll

c:\windows\system32\_000012_.tmp.dll

c:\windows\system32\ctfmon .exe

c:\windows\system32\Settings

c:\windows\system32\Settings\Settings.ini

c:\windows\system32\win.ini

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.yimg.com

Infected copy of c:\windows\system32\drivers\dac2w2k.sys was found and disinfected

Restored copy from - Kitty had a snack :angry:

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))

.

2010-05-03 00:11 . 2010-05-03 00:11 -------- d-----w- c:\program files\ESET

2010-05-02 15:32 . 2010-05-02 15:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-02 15:20 . 2010-05-02 15:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-02 04:52 . 2010-05-02 04:52 -------- dc----w- c:\documents and settings\Admin\Application Data\Malwarebytes

2010-05-02 04:51 . 2010-05-02 04:51 -------- dcsh--w- c:\documents and settings\Admin\PrivacIE

2010-05-02 03:12 . 2010-05-02 03:12 -------- d-----w- c:\documents and settings\mountsj\Application Data\Malwarebytes

2010-05-02 03:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-02 03:11 . 2010-05-02 03:11 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-02 03:11 . 2010-05-02 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-02 03:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-01 21:43 . 2010-05-01 21:43 -------- dcsh--w- c:\documents and settings\Admin\IETldCache

2010-05-01 18:43 . 2010-05-01 19:02 -------- dc----w- C:\e5b6d7ec23b1e84ba2327f803264

2010-04-30 19:08 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-04-30 19:08 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-04-30 19:08 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-04-30 19:08 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-04-30 19:08 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-04-30 19:08 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-04-30 19:03 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-04-30 19:02 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-04-30 19:02 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-04-30 19:02 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-04-30 19:02 . 2010-05-05 00:08 -------- d-----w- c:\program files\Spyware Doctor

2010-04-30 19:02 . 2010-04-30 19:02 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-04-30 19:02 . 2010-04-30 19:02 -------- d-----w- c:\documents and settings\mountsj\Application Data\PC Tools

2010-04-30 00:51 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-04-27 23:55 . 2010-04-27 23:55 -------- d-sh--w- c:\documents and settings\mountsj\IECompatCache

2010-04-25 21:17 . 2010-04-25 21:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-04-25 21:17 . 2010-04-25 21:17 -------- d-----w- c:\program files\Alwil Software

2010-04-25 17:27 . 2010-05-01 02:54 -------- d-----w- c:\program files\Trend Micro

2010-04-25 15:54 . 2004-08-04 19:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll

2010-04-25 15:54 . 2004-08-04 19:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2010-04-25 15:53 . 2004-08-04 19:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-04-25 15:53 . 2004-08-04 19:00 10752 ----a-w- c:\windows\system32\c_iscii.dll

2010-04-25 15:53 . 2004-08-04 19:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll

2010-04-25 15:53 . 2004-08-04 19:00 5632 ----a-w- c:\windows\system32\kbdusa.dll

2010-04-25 15:51 . 2004-08-04 19:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll

2010-04-25 15:51 . 2004-08-04 19:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2010-04-25 02:17 . 2010-04-25 02:25 -------- d-----w- c:\windows\SxsCaPendDel

2010-04-25 01:55 . 2010-04-25 01:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Ascentive

2010-04-25 01:49 . 2010-04-25 01:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Sunbelt Software

2010-04-24 21:50 . 2009-10-06 15:27 86016 ----a-w- c:\windows\system32\SQLiteWrapper.dll

2010-04-24 21:50 . 2009-10-06 15:27 223232 ----a-w- c:\windows\system32\sqlite3.dll

2010-04-24 21:50 . 2009-10-06 15:27 32768 ----a-w- c:\windows\system32\Password.dll

2010-04-24 20:56 . 2010-04-24 20:56 -------- dc----w- c:\documents and settings\All Users\Application Data\Norton

2010-04-24 20:54 . 2010-04-24 20:56 -------- d-----w- c:\program files\NortonInstaller

2010-04-24 20:54 . 2010-04-24 20:54 -------- dc----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-04-22 20:26 . 2010-04-22 20:26 -------- d-sh--w- c:\documents and settings\mountsj\PrivacIE

2010-04-21 02:44 . 2010-04-21 02:44 -------- d-----w- c:\documents and settings\mountsj\Local Settings\Application Data\Yahoo

2010-04-21 02:23 . 2010-04-21 02:23 -------- d-sh--w- c:\documents and settings\mountsj\IETldCache

2010-04-21 02:20 . 2010-04-21 02:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-04-21 02:10 . 2010-04-22 03:48 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-04-21 02:10 . 2010-04-21 02:10 -------- d-----w- c:\documents and settings\mountsj\Application Data\Yahoo!

2010-04-21 02:10 . 2010-04-22 03:57 -------- d-----w- c:\program files\Yahoo!

2010-04-21 02:05 . 2010-04-21 02:09 -------- dc-h--w- c:\windows\ie8

2010-04-15 23:57 . 2010-04-15 23:57 -------- d-----w- c:\documents and settings\mountsj\Local Settings\Application Data\IsolatedStorage

2010-04-15 02:49 . 2010-04-15 15:54 -------- d-----w- c:\documents and settings\mountsj\Application Data\Registry Mechanic

2010-04-14 23:25 . 2010-01-16 17:50 36864 ----a-w- c:\windows\system32\ascbalon.dll

2010-04-14 23:25 . 2009-10-06 15:27 307200 ----a-w- c:\windows\system32\AscSQLite.dll

2010-04-14 23:25 . 2009-10-06 15:27 217088 ----a-w- c:\windows\system32\AscConTest.dll

2010-04-14 01:59 . 2010-04-14 01:59 -------- d-----w- c:\documents and settings\mountsj\Local Settings\Application Data\Threat Expert

2010-04-11 23:21 . 2010-04-11 23:21 -------- d-sh--w- c:\documents and settings\NetworkService\UserData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-05 23:48 . 2008-10-15 22:43 -------- d-----w- c:\documents and settings\mountsj\Application Data\skypePM

2010-05-05 23:48 . 2006-08-19 05:06 -------- d-----w- c:\documents and settings\mountsj\Application Data\Skype

2010-05-05 23:47 . 2007-04-27 04:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-05 23:27 . 2009-03-22 18:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-05-04 14:35 . 2007-04-30 16:43 -------- d-----w- c:\program files\Symantec AntiVirus

2010-05-02 18:19 . 2008-12-03 22:00 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-02 15:18 . 2009-04-24 00:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-01 02:54 . 2005-08-18 03:40 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-30 19:10 . 2009-09-26 18:06 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-25 19:36 . 2006-05-18 22:47 130208 -c--a-w- c:\documents and settings\mountsj\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-25 17:27 . 2010-04-25 17:27 388096 ----a-r- c:\documents and settings\mountsj\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-04-25 16:39 . 2005-08-18 03:42 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee

2010-04-25 02:25 . 2008-08-30 01:19 -------- d-----w- c:\program files\Ascentive

2010-04-23 01:57 . 2010-01-13 01:17 81392 -c-ha-w- c:\windows\system32\mlfcache.dat

2010-04-22 03:13 . 2008-05-18 00:18 -------- d-----w- c:\program files\TechSmith

2010-04-22 03:00 . 2010-01-01 18:35 -------- d-----w- c:\program files\Bible Explorer 4

2010-04-22 03:00 . 2010-01-01 18:35 -------- dc----w- c:\documents and settings\All Users\Application Data\WORDsearch

2010-04-22 02:37 . 2005-08-18 03:36 -------- d-----w- c:\program files\Symantec

2010-04-22 02:35 . 2007-02-26 04:21 -------- d-----w- c:\program files\NCH Swift Sound

2010-04-22 02:31 . 2007-03-18 02:26 -------- d-----w- c:\program files\Common Files\Intuit

2010-04-18 18:34 . 2006-07-24 00:38 -------- d-----w- c:\documents and settings\mountsj\Application Data\Corel

2010-04-18 16:40 . 2006-07-16 23:42 8350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-04-15 23:56 . 2007-03-18 02:25 -------- d-----w- c:\program files\TurboTax

2010-04-15 21:03 . 2008-05-18 23:22 -------- d-----w- c:\program files\Free WMA to MP3 Converter

2010-04-15 19:37 . 2009-08-27 22:48 -------- d-----w- c:\program files\Frhed

2010-04-15 19:10 . 2007-04-30 16:49 902776 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVEX32A.DLL

2010-04-15 19:10 . 2007-04-30 16:49 852824 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVEX15.SYS

2010-04-15 19:10 . 2007-04-30 16:49 77688 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVENG.SYS

2010-04-15 19:10 . 2007-04-30 16:49 120440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVENG32.DLL

2010-04-15 19:10 . 2007-04-30 16:49 389432 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\EECTRL.SYS

2010-04-15 19:10 . 2007-04-30 16:49 106808 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\ERASER.SYS

2010-04-15 19:10 . 2007-04-30 16:49 271992 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\ECMSVR32.DLL

2010-04-15 19:10 . 2007-04-30 16:49 2598200 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\CCERASER.DLL

2010-04-11 23:24 . 2010-01-13 01:15 -------- d-----w- c:\program files\Safari

2010-04-11 21:47 . 2006-08-11 00:26 -------- d-----w- c:\program files\Microsoft Location Finder

2010-04-06 22:46 . 2010-04-06 22:46 20846064 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-03-07 14:44 . 2010-03-07 14:44 8405312 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-07 14:43 . 2010-03-07 14:43 149000 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe

2010-03-07 14:43 . 2010-03-07 14:43 10309448 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-03-07 14:43 . 2010-03-07 14:43 283280 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe

2010-03-07 14:43 . 2010-03-07 14:43 181768 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe

2010-03-07 14:43 . 2010-03-07 14:43 79368 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\vista.exe

2010-03-07 14:43 . 2010-03-07 14:43 64000 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll

2010-03-07 14:43 . 2010-03-07 14:43 52288 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll

2010-03-07 14:43 . 2010-03-07 14:43 50688 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll

2010-03-07 14:43 . 2010-03-07 14:43 49152 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll

2010-03-07 14:43 . 2010-03-07 14:43 118784 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll

2010-03-07 04:08 . 2010-03-07 04:08 439816 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\setup.exe

2010-02-15 23:41 . 2010-02-15 23:41 72488 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

2010-02-08 19:10 . 2010-02-08 19:10 593920 -c--a-w- c:\documents and settings\mountsj\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll

2010-02-08 19:10 . 2010-02-08 19:10 319488 -c--a-w- c:\documents and settings\mountsj\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

2008-06-27 00:07 . 2008-06-27 00:07 659 -c--a-w- c:\program files\F01_FwSw_Multi Purpose Logistics Module.puf

2002-09-17 17:59 . 2002-09-17 17:59 190976 -c--a-w- c:\program files\Sept_02_10A_README.doc

2004-03-15 21:51 . 2004-03-15 21:51 114688 -c--a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2008-05-28 02:13 . 2008-05-28 01:57 24 -csha-w- c:\windows\S5E639DE2.tmp

2006-09-05 00:29 . 2006-07-24 00:39 56 -csh--r- c:\windows\system32\0A48CFED48.sys

2006-10-09 23:53 . 2006-10-09 23:05 88 --sh--r- c:\windows\system32\48EDCF480A.sys

.

<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Microsoft Location Finder\locationfinder .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-04-08 3233752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-6-30 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

"PromptRunasInstallNetPath"= 1 (0x1)

"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1255017396-1846112650-1849977318-1978\Scripts\Logon\0\0]

"Script"=\\sms-ksc-01.boeing.ksc.nasa.gov\apps1\Communicator\SIP_account.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\mountsj\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/30/2010 3:02 PM 218592]

R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [5/21/2007 6:28 PM 2996]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/30/2010 3:08 PM 112592]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [10/3/2007 5:06 PM 72672]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [4/14/2010 10:33 PM 632792]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 2:29 PM 116928]

R2 SG_Service;SoftGuard Service;c:\documents and settings\All Users\Application Data\RbtProt\sgsrv.exe [5/22/2007 4:19 PM 180224]

R2 VnxTcp;VnxTcp;c:\windows\system32\drivers\vnxtcp.sys [8/19/2005 12:52 AM 159576]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/19/2005 12:33 AM 9161]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 4:54 PM 102448]

S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]

S1 brptdaql;brptdaql;\??\c:\windows\system32\drivers\brptdaql.sys --> c:\windows\system32\drivers\brptdaql.sys [?]

S1 yooxjcde;yooxjcde;\??\c:\windows\system32\drivers\yooxjcde.sys --> c:\windows\system32\drivers\yooxjcde.sys [?]

S2 gupdate1c9ab1b79da6a96;Google Update Service (gupdate1c9ab1b79da6a96);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2009 2:24 PM 133104]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/19/2005 12:33 AM 114016]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/19/2005 12:33 AM 614400]

S3 SBSWDMISA32;%SbsWdmIsa32.DeviceDesc%;c:\windows\system32\DRIVERS\SbsWdmIsa32.sys --> c:\windows\system32\DRIVERS\SbsWdmIsa32.sys [?]

S3 SbsWdmPcmcia;SBS 1553 PCM2 PASS;c:\windows\system32\DRIVERS\SbsWdmPcmcia.sys --> c:\windows\system32\DRIVERS\SbsWdmPcmcia.sys [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/30/2010 3:02 PM 366840]

S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{222F6582-49B7-4198-932C-7F36498CB902}]

2004-04-26 20:53 4870 ----a-r- c:\program files\Real\RealOne Enterprise Desktop\r1_cfg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{78D1AFB1-DB72-4262-BDED-7823DF9EDFEF}]

2004-10-08 15:00 3535 ----a-r- c:\program files\Informed\ShanaCleanUP.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-05 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-22 18:23]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 18:24]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 18:24]

2005-08-18 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-05-26 00:12]

2005-08-18 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-05-26 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.space.com/

uSearchAssistant =

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

Trusted Zone: corel.com\'www

Trusted Zone: corel.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

Trusted Zone: plk-ksc-01.boeing.ksc.nasa.gov

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-05 19:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(820)

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\LxrSII1s.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\program files\PatchLink\Update Agent\GravitixService.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\vnxserv.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

c:\windows\system32\CCM\CcmExec.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2010-05-05 19:55:59 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-05 23:55

Pre-Run: 1,798,475,776 bytes free

Post-Run: 3,290,537,984 bytes free

- - End Of File - - 145790E89566E52B67CEE975F97F08AB


Hi, that already got rid of a lot, but there are still a few Vundo files left.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

RenV::
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Microsoft Location Finder\locationfinder .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Ok, I'll do that tonight when I get home. Just an FYI, when I restarted my system last night after the ComboFix run, Norton and Spy Doctor automatically updated and ran. Norton was clean, but Spy Doctor found several low and one medium risks.

I hope that is not a problem. Please let me know if I would need to do anything different instead of just running the script on Combofix.

Joe


Ok, I will run it tonight. Unfortunately, I can't do much about Norton, but should I delete Spy Doctor, either now or when we are done?

Also, if you are not crazy about Norton or SD, what do you recommend to protect your machine?

thank you,

Joe


Since Norton is a paid product, I'd say keep it. Spyware Doctor is an antispyware product, as is MBAM, and MBAM is just a better antispyware scanner (I know it's their forum, but I recommend it also on other forums I am working on :angry:).

In case you want to switch to a free antivirus application, just let me know and I'll post a few :D


Ok Elise,

Here is the second ComboFix log file.

Joe

ComboFix 10-05-04.03 - MOUNTSJ 05/06/2010 21:38:19.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.351 [GMT -4:00]

Running from: c:\documents and settings\mountsj\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\mountsj\Desktop\CFScript.txt

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((( Files Created from 2010-04-07 to 2010-05-07 )))))))))))))))))))))))))))))))

.

2010-05-03 00:11 . 2010-05-03 00:11 -------- d-----w- c:\program files\ESET

2010-05-02 15:32 . 2010-05-02 15:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-02 15:20 . 2010-05-02 15:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-02 04:52 . 2010-05-02 04:52 -------- dc----w- c:\documents and settings\Admin\Application Data\Malwarebytes

2010-05-02 04:51 . 2010-05-02 04:51 -------- dcsh--w- c:\documents and settings\Admin\PrivacIE

2010-05-02 03:12 . 2010-05-02 03:12 -------- d-----w- c:\documents and settings\mountsj\Application Data\Malwarebytes

2010-05-02 03:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-02 03:11 . 2010-05-02 03:11 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-02 03:11 . 2010-05-02 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-02 03:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-01 21:43 . 2010-05-01 21:43 -------- dcsh--w- c:\documents and settings\Admin\IETldCache

2010-05-01 18:43 . 2010-05-01 19:02 -------- dc----w- C:\e5b6d7ec23b1e84ba2327f803264

2010-04-30 19:08 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-04-30 19:08 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-04-30 19:08 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-04-30 19:08 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-04-30 19:08 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip

2010-04-30 19:08 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-04-30 19:03 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-04-30 19:02 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-04-30 19:02 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-04-30 19:02 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-04-30 19:02 . 2010-05-07 01:33 -------- d-----w- c:\program files\Spyware Doctor

2010-04-30 19:02 . 2010-04-30 19:02 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-04-30 19:02 . 2010-04-30 19:02 -------- d-----w- c:\documents and settings\mountsj\Application Data\PC Tools

2010-04-30 00:51 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-04-27 23:55 . 2010-04-27 23:55 -------- d-sh--w- c:\documents and settings\mountsj\IECompatCache

2010-04-25 21:17 . 2010-04-25 21:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-04-25 21:17 . 2010-04-25 21:17 -------- d-----w- c:\program files\Alwil Software

2010-04-25 17:27 . 2010-04-25 17:27 388096 ----a-r- c:\documents and settings\mountsj\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-04-25 17:27 . 2010-05-01 02:54 -------- d-----w- c:\program files\Trend Micro

2010-04-25 15:54 . 2004-08-04 19:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll

2010-04-25 15:54 . 2004-08-04 19:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll

2010-04-25 15:53 . 2004-08-04 19:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll

2010-04-25 15:53 . 2004-08-04 19:00 10752 ----a-w- c:\windows\system32\c_iscii.dll

2010-04-25 15:53 . 2004-08-04 19:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll

2010-04-25 15:53 . 2004-08-04 19:00 5632 ----a-w- c:\windows\system32\kbdusa.dll

2010-04-25 15:51 . 2004-08-04 19:00 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll

2010-04-25 15:51 . 2004-08-04 19:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll

2010-04-25 02:17 . 2010-04-25 02:25 -------- d-----w- c:\windows\SxsCaPendDel

2010-04-25 01:55 . 2010-04-25 01:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Ascentive

2010-04-25 01:49 . 2010-04-25 01:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Sunbelt Software

2010-04-24 21:50 . 2009-10-06 15:27 86016 ----a-w- c:\windows\system32\SQLiteWrapper.dll

2010-04-24 21:50 . 2009-10-06 15:27 223232 ----a-w- c:\windows\system32\sqlite3.dll

2010-04-24 21:50 . 2009-10-06 15:27 32768 ----a-w- c:\windows\system32\Password.dll

2010-04-24 20:56 . 2010-04-24 20:56 -------- dc----w- c:\documents and settings\All Users\Application Data\Norton

2010-04-24 20:54 . 2010-04-24 20:56 -------- d-----w- c:\program files\NortonInstaller

2010-04-24 20:54 . 2010-04-24 20:54 -------- dc----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-04-22 20:26 . 2010-04-22 20:26 -------- d-sh--w- c:\documents and settings\mountsj\PrivacIE

2010-04-21 02:44 . 2010-04-21 02:44 -------- d-----w- c:\documents and settings\mountsj\Local Settings\Application Data\Yahoo

2010-04-21 02:23 . 2010-04-21 02:23 -------- d-sh--w- c:\documents and settings\mountsj\IETldCache

2010-04-21 02:20 . 2010-04-21 02:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-04-21 02:10 . 2010-04-22 03:48 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-04-21 02:10 . 2010-04-21 02:10 -------- d-----w- c:\documents and settings\mountsj\Application Data\Yahoo!

2010-04-21 02:10 . 2010-04-22 03:57 -------- d-----w- c:\program files\Yahoo!

2010-04-21 02:05 . 2010-04-21 02:09 -------- dc-h--w- c:\windows\ie8

2010-04-15 23:57 . 2010-04-15 23:57 -------- d-----w- c:\documents and settings\mountsj\Local Settings\Application Data\IsolatedStorage

2010-04-15 02:49 . 2010-04-15 15:54 -------- d-----w- c:\documents and settings\mountsj\Application Data\Registry Mechanic

2010-04-14 23:25 . 2010-01-16 17:50 36864 ----a-w- c:\windows\system32\ascbalon.dll

2010-04-14 23:25 . 2009-10-06 15:27 307200 ----a-w- c:\windows\system32\AscSQLite.dll

2010-04-14 23:25 . 2009-10-06 15:27 217088 ----a-w- c:\windows\system32\AscConTest.dll

2010-04-14 01:59 . 2010-04-14 01:59 -------- d-----w- c:\documents and settings\mountsj\Local Settings\Application Data\Threat Expert

2010-04-11 23:21 . 2010-04-11 23:21 -------- d-sh--w- c:\documents and settings\NetworkService\UserData

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-07 01:38 . 2006-08-11 00:26 -------- d-----w- c:\program files\Microsoft Location Finder

2010-05-07 01:33 . 2007-04-27 04:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-07 01:11 . 2006-08-19 05:06 -------- d-----w- c:\documents and settings\mountsj\Application Data\Skype

2010-05-07 01:11 . 2008-10-15 22:43 -------- d-----w- c:\documents and settings\mountsj\Application Data\skypePM

2010-05-07 01:10 . 2007-04-30 16:43 -------- d-----w- c:\program files\Symantec AntiVirus

2010-05-07 01:08 . 2009-03-22 18:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-05-06 01:29 . 2008-12-03 22:00 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-02 15:18 . 2009-04-24 00:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-01 02:54 . 2005-08-18 03:40 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-30 19:10 . 2009-09-26 18:06 -------- d-----w- c:\program files\Common Files\PC Tools

2010-04-25 19:36 . 2006-05-18 22:47 130208 -c--a-w- c:\documents and settings\mountsj\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-25 16:39 . 2005-08-18 03:42 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee

2010-04-25 02:25 . 2008-08-30 01:19 -------- d-----w- c:\program files\Ascentive

2010-04-23 01:57 . 2010-01-13 01:17 81392 -c-ha-w- c:\windows\system32\mlfcache.dat

2010-04-22 03:13 . 2008-05-18 00:18 -------- d-----w- c:\program files\TechSmith

2010-04-22 03:00 . 2010-01-01 18:35 -------- d-----w- c:\program files\Bible Explorer 4

2010-04-22 03:00 . 2010-01-01 18:35 -------- dc----w- c:\documents and settings\All Users\Application Data\WORDsearch

2010-04-22 02:37 . 2005-08-18 03:36 -------- d-----w- c:\program files\Symantec

2010-04-22 02:35 . 2007-02-26 04:21 -------- d-----w- c:\program files\NCH Swift Sound

2010-04-22 02:31 . 2007-03-18 02:26 -------- d-----w- c:\program files\Common Files\Intuit

2010-04-18 18:34 . 2006-07-24 00:38 -------- d-----w- c:\documents and settings\mountsj\Application Data\Corel

2010-04-18 16:40 . 2006-07-16 23:42 8350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-04-15 23:56 . 2007-03-18 02:25 -------- d-----w- c:\program files\TurboTax

2010-04-15 21:03 . 2008-05-18 23:22 -------- d-----w- c:\program files\Free WMA to MP3 Converter

2010-04-15 19:37 . 2009-08-27 22:48 -------- d-----w- c:\program files\Frhed

2010-04-15 19:10 . 2007-04-30 16:49 902776 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVEX32A.DLL

2010-04-15 19:10 . 2007-04-30 16:49 852824 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVEX15.SYS

2010-04-15 19:10 . 2007-04-30 16:49 77688 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVENG.SYS

2010-04-15 19:10 . 2007-04-30 16:49 120440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\NAVENG32.DLL

2010-04-15 19:10 . 2007-04-30 16:49 389432 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\EECTRL.SYS

2010-04-15 19:10 . 2007-04-30 16:49 106808 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\ERASER.SYS

2010-04-15 19:10 . 2007-04-30 16:49 271992 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\ECMSVR32.DLL

2010-04-15 19:10 . 2007-04-30 16:49 2598200 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd253a10.vdb\CCERASER.DLL

2010-04-11 23:24 . 2010-01-13 01:15 -------- d-----w- c:\program files\Safari

2010-04-06 22:46 . 2010-04-06 22:46 20846064 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-03-07 14:44 . 2010-03-07 14:44 8405312 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-07 14:43 . 2010-03-07 14:43 149000 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe

2010-03-07 14:43 . 2010-03-07 14:43 10309448 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-03-07 14:43 . 2010-03-07 14:43 283280 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe

2010-03-07 14:43 . 2010-03-07 14:43 181768 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe

2010-03-07 14:43 . 2010-03-07 14:43 79368 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\vista.exe

2010-03-07 14:43 . 2010-03-07 14:43 64000 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll

2010-03-07 14:43 . 2010-03-07 14:43 52288 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll

2010-03-07 14:43 . 2010-03-07 14:43 50688 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll

2010-03-07 14:43 . 2010-03-07 14:43 49152 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll

2010-03-07 14:43 . 2010-03-07 14:43 118784 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll

2010-03-07 04:08 . 2010-03-07 04:08 439816 ----a-w- c:\documents and settings\mountsj\Application Data\Real\Update\setup3.10\setup.exe

2010-02-15 23:41 . 2010-02-15 23:41 72488 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

2010-02-08 19:10 . 2010-02-08 19:10 593920 -c--a-w- c:\documents and settings\mountsj\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll

2010-02-08 19:10 . 2010-02-08 19:10 319488 -c--a-w- c:\documents and settings\mountsj\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

2008-06-27 00:07 . 2008-06-27 00:07 659 -c--a-w- c:\program files\F01_FwSw_Multi Purpose Logistics Module.puf

2002-09-17 17:59 . 2002-09-17 17:59 190976 -c--a-w- c:\program files\Sept_02_10A_README.doc

2004-03-15 21:51 . 2004-03-15 21:51 114688 -c--a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2008-05-28 02:13 . 2008-05-28 01:57 24 -csha-w- c:\windows\S5E639DE2.tmp

2006-09-05 00:29 . 2006-07-24 00:39 56 -csh--r- c:\windows\system32\0A48CFED48.sys

2006-10-09 23:53 . 2006-10-09 23:05 88 --sh--r- c:\windows\system32\48EDCF480A.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-04-08 3233752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-6-30 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"MemCheckBoxInRunDlg"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

"PromptRunasInstallNetPath"= 1 (0x1)

"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1255017396-1846112650-1849977318-1978\Scripts\Logon\0\0]

"Script"=\\sms-ksc-01.boeing.ksc.nasa.gov\apps1\Communicator\SIP_account.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\mountsj\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/30/2010 3:02 PM 218592]

R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [5/21/2007 6:28 PM 2996]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/30/2010 3:08 PM 112592]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [10/3/2007 5:06 PM 72672]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [4/14/2010 10:33 PM 632792]

R2 VnxTcp;VnxTcp;c:\windows\system32\drivers\vnxtcp.sys [8/19/2005 12:52 AM 159576]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [8/19/2005 12:33 AM 9161]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 4:54 PM 102448]

S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]

S1 brptdaql;brptdaql;\??\c:\windows\system32\drivers\brptdaql.sys --> c:\windows\system32\drivers\brptdaql.sys [?]

S1 yooxjcde;yooxjcde;\??\c:\windows\system32\drivers\yooxjcde.sys --> c:\windows\system32\drivers\yooxjcde.sys [?]

S2 gupdate1c9ab1b79da6a96;Google Update Service (gupdate1c9ab1b79da6a96);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2009 2:24 PM 133104]

S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [8/19/2005 12:33 AM 114016]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [8/19/2005 12:33 AM 614400]

S3 SBSWDMISA32;%SbsWdmIsa32.DeviceDesc%;c:\windows\system32\DRIVERS\SbsWdmIsa32.sys --> c:\windows\system32\DRIVERS\SbsWdmIsa32.sys [?]

S3 SbsWdmPcmcia;SBS 1553 PCM2 PASS;c:\windows\system32\DRIVERS\SbsWdmPcmcia.sys --> c:\windows\system32\DRIVERS\SbsWdmPcmcia.sys [?]

S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{222F6582-49B7-4198-932C-7F36498CB902}]

2004-04-26 20:53 4870 ----a-r- c:\program files\Real\RealOne Enterprise Desktop\r1_cfg.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{78D1AFB1-DB72-4262-BDED-7823DF9EDFEF}]

2004-10-08 15:00 3535 ----a-r- c:\program files\Informed\ShanaCleanUP.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-07 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-22 18:23]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 18:24]

2010-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 18:24]

2005-08-18 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-05-26 00:12]

2005-08-18 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-05-26 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.space.com/

uSearchAssistant =

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

Trusted Zone: corel.com\'www

Trusted Zone: corel.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

Trusted Zone: plk-ksc-01.boeing.ksc.nasa.gov

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-06 21:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2988)

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-05-06 21:53:52

ComboFix-quarantined-files.txt 2010-05-07 01:53

ComboFix2.txt 2010-05-05 23:56

Pre-Run: 3,199,750,144 bytes free

Post-Run: 3,197,136,896 bytes free

- - End Of File - - CEF5109262BBA7EE8227984B80CE162F


Hello again,

thumbs.db is a legit file that appears if you view one or more folder icons as thumbnails. It stores some settings for that. You can safely delete it from your desktop.

I notice the presence of Registry Mechanic Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners for several reasons.


Elise,

Thank you so very much for your advice. I will remove Registry Cleaner right away.

I know working with the Registry is very tricky; I was just trying to clean up some things that I felt were left over from uninstalls that weren't very clean and left some junk behind.

Does it seem as though the virus is gone? And what can I do to block these types of things from happening again?

Thank you again,

Joe
