Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

hjt log

Post by lindai » July 5th, 2009, 1:10 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:01 PM, on 7/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\SYSTEM32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Spyware Doctor\TFEngine\TFService.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] F:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4863751199
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0460242890
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Drive ... Member.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zp ... b99160.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zp ... b42858.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - F:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 8175 bytes
Last edited by NonSuch on July 5th, 2009, 4:13 pm, edited 1 time in total.
Reason: Edited to remove Chryssi2001's name from topic title. Note that placing a helper's name in the title of your topic could cause the mistaken impression that this topic should be left for that person to respond.
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by Cypher » July 9th, 2009, 11:40 am

Sorry for the delay.

Hi, Welcome to the Malware Removal forum.
My name is Cypher, and I'll be helping you with your malware problems.

Before we begin...please note the following important guidelines.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. Please, if you have questions about something...ASK, don't guess or assume.
  3. Please -only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  4. Please -only- reply to this thread, do not start another!
  5. Please do not run any other fix/removal tools unless instructed to do so!
  6. Print each set of instructions...if possible...your Internet connection might not be available during some fix processes.
  7. Please continue responding until I give you the "All Clean".

If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with your instructions.


Please post an Uninstall list.


  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.

Please explain what problems you are having with your computer.


In your next reply.

1. Uninstall list.
2. An outline of the problems you are having.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: hjt log

Post by lindai » July 9th, 2009, 11:19 pm

32 Bit HP CIO Components Installer
ABITEQ
Adobe Acrobat Reader 3.01
Adobe Flash Player 10 ActiveX
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Reader 8.1.3
Adobe Shockwave Player
Advanced SystemCare 3
AMD CPUInfo
ArcSoft PhotoStudio 5.5
Canon ScanGear Toolbox CS 2.2
CCScore
ClearType Tuning Control Panel Applet
ClickArt® 40,000 Image Pak
ClickArt® Christian Value
Compatibility Pack for the 2007 Office system
CR2
Critical Update for Windows Media Player 11 (KB959772)
DesignPro 5.0 Limited Edition
DVD Shrink 3.2
EPSON Printer Software
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Freeze Clip Art
GdiplusUpgrade
Glary Utilities 2.6.1
Google Toolbar for Internet Explorer
HDView for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
HP Customer Participation Program 10.0
HP Deskjet D2500 Printer Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 13
kgcbase
Kodak EasyShare software
Malwarebytes' Anti-Malware
Metafile Companion 1.10
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Nero 6 Ultra Edition
netbrdg
OfotoXMI
overland
Peggle Deluxe (remove only)
Pradis Do Not Remove
Pradis: NIV Study Bible
QuickTime
Remove Hidden Data Tool
Scrabble (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SFR
SFR2
SHASTA
Shop for HP Supplies
skin0001
SKINXSDK
Smart Defrag 1.20
Sound Blaster Live! Web 2K/XP
Spybot - Search & Destroy
Spyware Doctor 6.0
SpywareBlaster 4.2
staticcr
tooltips
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Platform Device Manager
VPRINTOL
What Process
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinFast(R) Display Driver
WinPatrol 2009
WinZip
WIRELESS

Main problems are:
1. Takes a much longer time to start up than it used to.
2. There is sometimes a long delay between clicking and anything happening; it doesn't matter what is clicked. Example: when playing Spider Solitaire (the one built in) the pointer will be on a card, I will left click and hold and start to move the card and it doesn't move, but maybe another card will finally move (if it is on the path of the mouse).
3. Sometimes the activity icon will flash. This is the two monitor icon that indicates network activity. If I run Sysinternals Process Explorer, there will be no CPU activity while the network icon is flashing. This makes me think something hidden is running. Maybe an alternate data stream or a rootkit. (Although the reason I bought Spyware Doctor w/av is because it is supposed to be good at finding rootkits.)
(Off the subject, but what is an MRU mentor? I thought MRU was most recently used.)
Hey, I just noticed something. I don't have an Epson printer, I have a HP 2540.
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by Cypher » July 11th, 2009, 5:48 am

Hi lindai.

Can you tell me if your version of Spyware Doctor includes anti-virus software?

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. If your version of Spyware Doctor does not include an anti-virus, I would like you to install one from the list below NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Next

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)

In your next reply

1. RSIT log.txt file contents
2. RSIT info.txt file contents
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: hjt log

Post by lindai » July 13th, 2009, 8:21 am

The version of Spyware Doctor is the purchased professional version with anti virus.
Here are the logs:
info.txt logfile of random's system information tool 1.06 2009-07-13 07:11:58

======Uninstall list======

-->"F:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S
-->MsiExec.exe /I{C98E5F1B-5C2B-4FD1-BDF9-F3779DCAAA16}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
ABITEQ-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{149B898E-BDCA-11D7-B544-00105A845E81}\setup.exe" -l0x9
Adobe Acrobat Reader 3.01-->F:\WINDOWS\uninst.exe -fF:\Acrobat3\Reader\DeIsL1.isu
Adobe Flash Player 10 ActiveX-->F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop Elements 4.0-->msiexec /I {EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Shockwave Player-->F:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE F:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Advanced SystemCare 3-->"F:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
AMD CPUInfo-->MsiExec.exe /X{C6783FB4-2E95-4ED0-8A32-1BF32821689F}
ArcSoft PhotoStudio 5.5-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{8890B37D-FB54-465F-8655-73F69C81EFFC}\setup.exe" -l0x9
Canon ScanGear Toolbox CS 2.2-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Canon\ScanGear Toolbox CS\Uninst.isu" -c"F:\Program Files\Canon\ScanGear Toolbox CS\uninst.dll"
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
ClearType Tuning Control Panel Applet-->MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
ClickArt® 40,000 Image Pak-->F:\WINDOWS\UNINST.EXE -f"c:\OFFICE~1\DeIsL1.isu"
ClickArt® Christian Value-->F:\WINDOWS\UNINST.EXE -f"F:\PROGRA~1\ClickArt\CHRIST~1\DeIsL1.isu"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CR2-->MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Critical Update for Windows Media Player 11 (KB959772)-->"F:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DesignPro 5.0 Limited Edition-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{97AE00A8-1336-410F-B467-1C6623127BD6}
DVD Shrink 3.2-->"F:\Program Files\DVD Shrink\unins000.exe"
EPSON Printer Software-->F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC-->MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS-->MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt-->MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
Freeze Clip Art-->"F:\PROGRA~1\Freeze.com\Freeze Clip Art\UNINSTAL.EXE"
GdiplusUpgrade-->MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Glary Utilities 2.6.1-->"F:\Program Files\Glary Utilities\unins000.exe"
Google Toolbar for Internet Explorer-->"F:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe" /uninstall
HDView for Internet Explorer-->MsiExec.exe /I{FCC3BD6A-F118-475D-8748-7EE08EA0AF56}
HijackThis 2.0.2-->"F:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->F:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->F:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"F:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"F:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"F:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"F:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"F:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"F:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
HP Customer Participation Program 10.0-->F:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet D2500 Printer Driver Software 10.0 Rel .3-->F:\Program Files\HP\Digital Imaging\{89998BCF-F415-468a-8282-CB042765A26F}\setup\hpzscr01.exe -datfile hphscr25.dat -onestop
HP Imaging Device Functions 10.0-->F:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential 2.5-->F:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Smart Web Printing-->F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
HP Solution Center 10.0-->F:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{11B83AD3-7A46-4C2E-A568-9505981D4C6F}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
kgcbase-->MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
Kodak EasyShare software-->F:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_3d8ec\Setup.exe /APR-REMOVE
Malwarebytes' Anti-Malware-->"F:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Metafile Companion 1.10-->F:\WINDOWS\uninst.exe -f"F:\Program Files\Companion Software\Metafile Companion\DeIsL1.isu"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"F:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "F:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->F:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"F:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"F:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"F:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"F:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"F:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Nero 6 Ultra Edition-->F:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
netbrdg-->MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
overland-->MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Peggle Deluxe (remove only)-->"F:\Program Files\Yahoo! Games\Peggle Deluxe\Uninstall.exe"
Pradis Do Not Remove-->MsiExec.exe /I{2B6E2126-4438-4CF1-BDDE-3C4355092860}
Pradis: NIV Study Bible-->F:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{515033D5-383F-4F73-B560-04682F5F868B}
QuickTime-->F:\WINDOWS\unvise32qt.exe F:\WINDOWS\system32\QuickTime\Uninstall.log
Remove Hidden Data Tool-->MsiExec.exe /X{90F80409-6000-11D3-8CFE-0150048383C9}
Scrabble (remove only)-->"F:\Program Files\Yahoo! Games\Scrabble\Uninstall.exe"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB928090)-->"F:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"F:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"F:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"F:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"F:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"F:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"F:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"F:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"F:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"F:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"F:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"F:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"F:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"F:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"F:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"F:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"F:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"F:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"F:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"F:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"F:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"F:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"F:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"F:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"F:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"F:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"F:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"F:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"F:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"F:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"F:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"F:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"F:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"F:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"F:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"F:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953155)-->"F:\WINDOWS\$NtUninstallKB953155$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"F:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"F:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"F:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"F:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"F:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"F:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"F:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"F:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"F:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"F:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"F:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"F:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"F:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"F:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"F:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"F:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"F:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"F:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"F:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"F:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"F:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"F:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"F:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"F:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SFR2-->MsiExec.exe /I{ABE068DF-8DC4-4947-ABFC-DD2B40850225}
SHASTA-->MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shop for HP Supplies-->F:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
skin0001-->MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK-->MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Smart Defrag 1.20-->"F:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
Sound Blaster Live! Web 2K/XP-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
Spybot - Search & Destroy-->"F:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spyware Doctor 6.0-->F:\Program Files\Spyware Doctor\unins000.exe /LOG
SpywareBlaster 4.2-->"F:\Program Files\SpywareBlaster\unins000.exe"
staticcr-->MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
tooltips-->MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Update for Windows XP (KB951072-v2)-->"F:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"F:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"F:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"F:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"F:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VIA Platform Device Manager-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
What Process-->MsiExec.exe /I{F99E285B-EEED-4405-89F0-AA0E5369C0E0}
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"F:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"F:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"F:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"F:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"F:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"F:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"F:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinFast(R) Display Driver-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{F69FD33C-8815-46BF-9134-A643DE68F3C0}\setup.exe" -l0x9 -removeonly
WinPatrol 2009-->F:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinZip-->"F:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS-->MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======Security center information======

AV: Spyware Doctor with AntiVirus

======System event log======

Computer Name: HOMEUPSTAIRS
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00508D6A4632. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 57287
Source Name: Dhcp
Time Written: 20090519205543.000000-300
Event Type: warning
User:

Computer Name: HOMEUPSTAIRS
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\HOMEUPSTAIRS1B on the network \Device\NetBT_Tcpip_{A7E55AF7-F853-436D-B240-C1350D01138B}.
The data is the error code.

Record Number: 57284
Source Name: BROWSER
Time Written: 20090516181532.000000-300
Event Type: warning
User:

Computer Name: HOMEUPSTAIRS
Event Code: 8
Message: Printer HP Deskjet D2500 series was purged.

Record Number: 57250
Source Name: Print
Time Written: 20090514192536.000000-300
Event Type: warning
User: HOMEUPSTAIRS\Linda

Computer Name: HOMEUPSTAIRS
Event Code: 8003
Message: The master browser has received a server announcement from the computer HOMEUPSTAIRS1B
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A7E55AF7-F853.
The master browser is stopping or an election is being forced.

Record Number: 57113
Source Name: MRxSmb
Time Written: 20090508183456.000000-300
Event Type: error
User:

Computer Name: HOMEUPSTAIRS
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\HOMEUPSTAIRS1B on the network \Device\NetBT_Tcpip_{A7E55AF7-F853-436D-B240-C1350D01138B}.
The data is the error code.

Record Number: 57109
Source Name: BROWSER
Time Written: 20090508140555.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: HOMEUPSTAIRS
Event Code: 2570
Message: Adobe Active File Monitor Service has Started.

Record Number: 11878
Source Name: Adobe Active File Monitor 4.0
Time Written: 20081229180556.000000-360
Event Type:
User:

Computer Name: HOMEUPSTAIRS
Event Code: 12001
Message:
Record Number: 11870
Source Name: usnjsvc
Time Written: 20081228203044.000000-360
Event Type:
User:

Computer Name: HOMEUPSTAIRS
Event Code: 2570
Message: Adobe Active File Monitor Service has Started.

Record Number: 11866
Source Name: Adobe Active File Monitor 4.0
Time Written: 20081228202854.000000-360
Event Type:
User:

Computer Name: HOMEUPSTAIRS
Event Code: 12001
Message:
Record Number: 11859
Source Name: usnjsvc
Time Written: 20081225164000.000000-360
Event Type:
User:

Computer Name: HOMEUPSTAIRS
Event Code: 2570
Message: Adobe Active File Monitor Service has Started.

Record Number: 11855
Source Name: Adobe Active File Monitor 4.0
Time Written: 20081225163817.000000-360
Event Type:
User:

=====Security event log=====

Computer Name: HOMEUPSTAIRS
Event Code: 576
Message: Special privileges assigned to new logon:

User Name:

Domain:

Logon ID: (0x0,0x11603)

Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege

Record Number: 181341
Source Name: Security
Time Written: 20090611141616.000000-300
Event Type: audit success
User: HOMEUPSTAIRS\Linda

Computer Name: HOMEUPSTAIRS
Event Code: 528
Message: Successful Logon:

User Name: Linda

Domain: HOMEUPSTAIRS

Logon ID: (0x0,0x11603)

Logon Type: 2

Logon Process: Advapi

Authentication Package: Negotiate

Workstation Name: HOMEUPSTAIRS

Logon GUID: -

Record Number: 181340
Source Name: Security
Time Written: 20090611141616.000000-300
Event Type: audit success
User: HOMEUPSTAIRS\Linda

Computer Name: HOMEUPSTAIRS
Event Code: 680
Message: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account: Linda

Source Workstation: HOMEUPSTAIRS

Error Code: 0x0


Record Number: 181339
Source Name: Security
Time Written: 20090611141616.000000-300
Event Type: audit success
User: NT AUTHORITY\SYSTEM

Computer Name: HOMEUPSTAIRS
Event Code: 576
Message: Special privileges assigned to new logon:

User Name:

Domain:

Logon ID: (0x0,0x3E5)

Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

Record Number: 181338
Source Name: Security
Time Written: 20090611141616.000000-300
Event Type: audit success
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: HOMEUPSTAIRS
Event Code: 528
Message: Successful Logon:

User Name: LOCAL SERVICE

Domain: NT AUTHORITY

Logon ID: (0x0,0x3E5)

Logon Type: 5

Logon Process: Advapi

Authentication Package: Negotiate

Workstation Name:

Logon GUID: -

Record Number: 181337
Source Name: Security
Time Written: 20090611141616.000000-300
Event Type: audit success
User: NT AUTHORITY\LOCAL SERVICE

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"VERSION"=2.1.5
"SESSIONID"=1222153560890g1u0358c.austin.hp.com-5475bb1a:11cd67052df:-180b
"COLLECTIONID"=COL7299
"ITEMID"=oj-21918-1
"UPDATEDIR"=F:\DOCUME~1\Linda\LOCALS~1\Temp\radE7285.tmp
"TOOLPATH"=/F:/Program%20Files/Hewlett-Packard/HP%20Software%20Update/install.htm
"HMSERVER"=https://vausnzisprob.austin.hp.com/wuss/servlet/WUSSServlet
"SWUTVER"=1.0.18.30716
"OSVER"=winXPH
"LANG"=1033
"TIMEOUT"=0

-----------------EOF-----------------
Logfile of random's system information tool 1.06 (written by random/random)
Run by Linda at 2009-07-13 07:11:34
Microsoft Windows XP Home Edition Service Pack 3
System drive F: has 42 GB (74%) free of 57 GB
Total RAM: 1022 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:53 AM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\SYSTEM32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Spyware Doctor\TFEngine\TFService.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
F:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Documents and Settings\Linda\Desktop\RSIT.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\Program Files\Trend Micro\HijackThis\Linda.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] F:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 4863751199
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0460242890
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Drive ... Member.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zp ... b99160.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zp ... b42858.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/defaul ... der_v6.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - F:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 8269 bytes

======Scheduled tasks folder======

F:\WINDOWS\tasks\SmartDefrag.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
HP Print Enhancer - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2007-11-06 322880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - F:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - F:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-03 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
HP Smart BHO Class - F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2007-11-06 542016]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ISTray"=F:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
"NvCplDaemon"=F:\WINDOWS\system32\NvCpl.dll [2005-01-27 5529600]
"HP Software Update"=F:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152]
"hpqSRMon"=F:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2007-08-22 80896]
"SystemTray"=F:\WINDOWS\SYSTEM32\SysTray.Exe [2001-08-23 3072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=F:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
AutorunsDisabled
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
F:\WINDOWS\SYSTEM32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - F:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\WINDOWS\system32\mshta.exe"="F:\WINDOWS\system32\mshta.exe:*:Enabled:Microsoft (R) HTML Application host"
"F:\Program Files\Internet Explorer\iexplore.exe"="F:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"F:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="F:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"F:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="F:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-07-13 07:11:34 ----D---- F:\rsit
2009-07-04 11:50:07 ----D---- F:\Documents and Settings\All Users\Application Data\HP Product Assistant
2009-07-04 11:49:30 ----D---- F:\Program Files\Common Files\HP
2009-07-04 08:25:13 ----D---- F:\Documents and Settings\Linda\Application Data\WinPatrol
2009-07-04 08:25:02 ----D---- F:\Program Files\BillP Studios
2009-07-04 08:04:35 ----D---- F:\Program Files\PicPick

======List of files/folders modified in the last 1 months======

2009-07-13 07:11:44 ----D---- F:\WINDOWS\Prefetch
2009-07-13 07:07:57 ----D---- F:\WINDOWS\Temp
2009-07-13 07:06:03 ----AD---- F:\Documents and Settings\All Users\Application Data\TEMP
2009-07-13 07:04:33 ----D---- F:\Program Files\Spyware Doctor
2009-07-13 07:04:28 ----D---- F:\WINDOWS\system32\drivers
2009-07-09 22:20:58 ----A---- F:\WINDOWS\SchedLgU.Txt
2009-07-09 22:01:05 ----D---- F:\WINDOWS\system32
2009-07-06 20:50:16 ----D---- F:\WINDOWS\system32\CatRoot2
2009-07-05 12:06:33 ----D---- F:\Program Files\Trend Micro
2009-07-04 20:54:30 ----D---- F:\WINDOWS
2009-07-04 20:31:47 ----SD---- F:\WINDOWS\Downloaded Program Files
2009-07-04 19:56:50 ----D---- F:\WINDOWS\security
2009-07-04 19:51:43 ----A---- F:\WINDOWS\system32\PerfStringBackup.INI
2009-07-04 19:51:37 ----RD---- F:\Program Files
2009-07-04 19:50:50 ----A---- F:\WINDOWS\imsins.BAK
2009-07-04 19:50:42 ----RSHDC---- F:\WINDOWS\system32\dllcache
2009-07-04 19:50:36 ----D---- F:\WINDOWS\system32\wbem
2009-07-04 19:18:29 ----HD---- F:\Config.Msi
2009-07-04 19:15:41 ----SHD---- F:\WINDOWS\Installer
2009-07-04 19:14:59 ----D---- F:\WINDOWS\WinSxS
2009-07-04 13:59:28 ----D---- F:\WINDOWS\system32\Macromed
2009-07-04 13:57:24 ----HD---- F:\WINDOWS\inf
2009-07-04 12:00:11 ----D---- F:\Program Files\HP
2009-07-04 11:50:07 ----D---- F:\Documents and Settings\All Users\Application Data\HP
2009-07-04 11:49:30 ----D---- F:\Program Files\Common Files
2009-07-04 11:48:53 ----DC---- F:\WINDOWS\system32\DRVSTORE
2009-07-04 11:43:11 ----A---- F:\WINDOWS\wininit.ini
2009-07-04 04:55:48 ----SD---- F:\WINDOWS\Tasks
2009-07-04 04:55:37 ----D---- F:\Documents and Settings\Linda\Application Data\IObit
2009-07-04 04:55:35 ----D---- F:\Program Files\IObit

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; F:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 pctgntdi;pctgntdi; \??\F:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; F:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 tmcomm;tmcomm; \??\F:\WINDOWS\system32\drivers\tmcomm.sys []
R3 amdtools;AMD Special Tools Driver; F:\WINDOWS\system32\DRIVERS\amdtools.sys [2007-08-14 34304]
R3 ctac32k;Creative AC3 Software Decoder; F:\WINDOWS\System32\drivers\ctac32k.sys [2002-07-19 127948]
R3 ctaud2k;Creative Audio Driver (WDM); F:\WINDOWS\system32\drivers\ctaud2k.sys [2002-07-19 837548]
R3 ctprxy2k;Creative Proxy Driver; F:\WINDOWS\System32\drivers\ctprxy2k.sys [2002-07-19 11068]
R3 ctsfm2k;Creative SoundFont Management Device Driver; F:\WINDOWS\System32\drivers\ctsfm2k.sys [2002-07-19 213860]
R3 emupia;E-mu Plug-in Architecture Driver; F:\WINDOWS\System32\drivers\emupia2k.sys [2002-07-19 156604]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; F:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; F:\WINDOWS\system32\drivers\ha10kx2k.sys [2002-07-24 998004]
R3 nv;nv; F:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2005-01-27 3407424]
R3 ossrv;Creative OS Services Driver; F:\WINDOWS\system32\drivers\ctoss2k.sys [2002-07-19 195432]
R3 pctplsg;pctplsg; \??\F:\WINDOWS\system32\drivers\pctplsg.sys []
R3 TfNetMon;TfNetMon; \??\F:\WINDOWS\system32\drivers\TfNetMon.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; F:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; F:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; F:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 vulfntrs;VIA USB Roothub Lower Filter; F:\WINDOWS\System32\Drivers\vulfntr.sys [2003-08-04 11392]
S1 P3;Intel PentiumIII Processor Driver; F:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S3 ALCXSENS;Service for WDM 3D Audio Driver; F:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-23 400384]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); F:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-07-01 626977]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; F:\WINDOWS\System32\DRIVERS\AN983.sys [2004-08-03 36224]
S3 AvFlt;Antivirus Filter Driver; F:\WINDOWS\system32\drivers\av5flt.sys []
S3 ctljystk;Creative SBLive! Gameport; F:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); F:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); F:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; F:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; F:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; F:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
S3 nv4;nv4; F:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 sfman;Creative SoundFont Manager Driver (WDM); F:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 usbccgp;Microsoft USB Generic Parent Driver; F:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; F:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; F:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbstor;USB Mass Storage Driver; F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vulfnths;VIA USB Host Controller Lower Filter; F:\WINDOWS\System32\Drivers\vulfnth.sys [2003-08-04 6912]
S3 WBHWDOCT;Winbond GPIO Driver1; F:\WINDOWS\System32\drivers\WBHWDOCT.sys [2003-04-07 7296]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; F:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; F:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; F:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 JavaQuickStarterService;Java Quick Starter; F:\Program Files\Java\jre6\bin\jqs.exe [2009-04-03 152984]
R2 Net Driver HPZ12;Net Driver HPZ12; F:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 NVSvc;NVIDIA Display Driver Service; F:\WINDOWS\system32\nvsvc32.exe [2005-01-27 127042]
R2 Pml Driver HPZ12;Pml Driver HPZ12; F:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 sdAuxService;PC Tools Auxiliary Service; F:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; F:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R3 hpqcxs08;hpqcxs08; F:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 ThreatFire;ThreatFire; F:\Program Files\Spyware Doctor\TFEngine\TFService.exe [2009-04-20 70944]
S3 aspnet_state;ASP.NET State Service; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; F:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Updater Service; F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-10 137200]
S3 idsvc;Windows CardSpace; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; F:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; F:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; F:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by Cypher » July 13th, 2009, 3:56 pm

Hi lindai

I see you already have Malwarebytes' Anti-Malware installed.

I would like you to update it then select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check (tick) all items except items in the C:\System Volume Information folder, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post that log back here.

Next.

GMER
Please download GMER by GMER. An alternate download site.
  1. Unzip it to a folder on your desktop.
  2. Double click on gmer.exe to execute.
    If asked, allow the gmer.sys driver to load.
  3. If you get a warning prompt about rootkit activity ... asking if you want to run Scan, click OK.
  4. If you don't get a warning then...
    • Click the Rootkit/Malware tab at the top of the GMER window.
    • Click the Scan button.
  5. Once the scan has finished... click Copy. ... Do not close the GMER window yet...
  6. Open Notepad and paste what you copied. Ctrl+V
  7. Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.

    In the GMER window...
  8. Click on the >>> tab at the top of the GMER window.
    This displays the rest of the "selection" tabs for you.
  9. Click on the Autostart tab.
  10. Click on Scan button.
  11. Once the scan has finished... click Copy.
  12. Open Notepad (again) and paste what you copied. Ctrl+V
  13. Select "Save As" in Notepad...saving the file to your desktop as "gmerauto.txt"
  14. Copy and paste the contents of the files gmerroot.txt and gmerauto.txt in your next reply.

In your next reply

1. Malwarebytes' Anti-Malware log
2. gmerroot.txt
3. gmerauto.txt log.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: hjt log

Post by lindai » July 15th, 2009, 4:27 pm

I was unexpectedly called out of town on business.
Please re-open and we can continue.
I apologize, but I couldn't help it.
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by Cypher » July 16th, 2009, 5:46 am

Hi lindai.
Please continue with the instructions I posted above.
You need to post the following logs from the requested scans.

1. Malwarebytes' Anti-Malware log
2. gmerroot.txt
3. gmerauto.txt log.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: hjt log

Post by lindai » July 16th, 2009, 10:10 am

I got the following when I tried to submit, so I will have to break it up:
Your message contains 396706 characters. The maximum number of allowed characters is 100000

Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 3

7/15/2009 4:48:23 PM
mbam-log-2009-07-15 (16-48-23).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 165427
Time elapsed: 46 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\f:/WINDOWS/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\f:/WINDOWS/downloaded program files/CONFLICT.2/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\f:\WINDOWS\downloaded program files\CONFLICT.2\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
f:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
f:\WINDOWS\downloaded program files\CONFLICT.2\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

GMER 1.0.15.14972 - http://www.gmer.net
Autostart scan 2009-07-15 18:16:21
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = F:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
WgaLogon@DLLName = WgaLogon.dll
WRNotifier@DLLName = WRLogonNTF.dll /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AdobeActiveFileMonitor4.0@ = F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
JavaQuickStarterService@ = "F:\Program Files\Java\jre6\bin\jqs.exe" -service -config "F:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NvCplDaemonRUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
@HP Software UpdateF:\Program Files\HP\HP Software Update\HPWuSchd2.exe = F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
@hpqSRMonF:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe = F:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
@SystemTraySysTray.Exe = SysTray.Exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = F:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@WPDShServiceObjF:\WINDOWS\system32\WPDShServiceObj.dll = F:\WINDOWS\system32\WPDShServiceObj.dll
@UPnPMonitorF:\WINDOWS\system32\upnpui.dll = F:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/F:\PROGRA~1\WinZip\WZSHLSTB.DLL = F:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/F:\PROGRA~1\WinZip\WZSHLSTB.DLL = F:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/F:\PROGRA~1\WinZip\WZSHLSTB.DLL = F:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/F:\WINDOWS\system32\twext.dll = F:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/F:\WINDOWS\system32\twext.dll = F:\WINDOWS\system32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/F:\WINDOWS\system32\extmgr.dll = F:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/F:\Program Files\Microsoft Office\OFFICE11\msohev.dll = F:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/F:\WINDOWS\system32\nvcpl.dll = F:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/F:\WINDOWS\system32\nvshell.dll = F:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/F:\WINDOWS\system32\nvshell.dll = F:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/F:\WINDOWS\system32\nvshell.dll = F:\WINDOWS\system32\nvshell.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/F:\WINDOWS\system32\nvcpl.dll = F:\WINDOWS\system32\nvcpl.dll
@{AB77609F-2178-4E6F-9C4B-44AC179D937A} /*a² Context Menu Shell Extension*/(null) =
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/F:\WINDOWS\system32\dfshim.dll = F:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/F:\WINDOWS\system32\dfshim.dll = F:\WINDOWS\system32\dfshim.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = F:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{72923739-5A47-40A3-9895-25AF0DFBB9E4} /*Glary Utilities Context Menu Shell Extension*/F:\PROGRA~1\GLARYU~1\CONTEX~1.DLL = F:\PROGRA~1\GLARYU~1\CONTEX~1.DLL
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/F:\WINDOWS\system32\upnpui.dll = F:\WINDOWS\system32\upnpui.dll
@{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/F:\WINDOWS\system32\ieframe.dll = F:\WINDOWS\system32\ieframe.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Glary Utilities@{72923739-5A47-40A3-9895-25AF0DFBB9E4} = F:\PROGRA~1\GLARYU~1\CONTEX~1.DLL
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = F:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = F:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Glary Utilities@{72923739-5A47-40A3-9895-25AF0DFBB9E4} = F:\PROGRA~1\GLARYU~1\CONTEX~1.DLL
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = F:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = F:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{0347C33E-8762-4905-BF09-768834316C61}F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll = F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}F:\PROGRA~1\SPYBOT~1\SDHelper.dll = F:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{DBC80044-A445-435b-BC74-9C25C1C588A9}F:\Program Files\Java\jre6\bin\jp2ssv.dll = F:\Program Files\Java\jre6\bin\jp2ssv.dll
@{E7E6F031-17CE-4C07-BC86-EABFE594F69C}F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll = F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
@{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll = F:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = F:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.mid@Location = F:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local PageF:\WINDOWS\system32\blank.htm = F:\WINDOWS\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local PageF:\WINDOWS\system32\blank.htm = F:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = F:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = F:\WINDOWS\system32\msvidctl.dll
its@CLSID = F:\WINDOWS\System32\itss.dll
lid@CLSID = F:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = F:\WINDOWS\System32\itss.dll
mso-offdap11@CLSID = F:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = F:\WINDOWS\system32\msvidctl.dll
wia@CLSID = F:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
000000000002@PackedCatalogItem = F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
000000000003@PackedCatalogItem = F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017@PackedCatalogItem = F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll

F:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
AutorunsDisabled = AutorunsDisabled
HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk

---- EOF - GMER 1.0.15 ----
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by lindai » July 16th, 2009, 10:29 am

I tried to break it up into four notepads, but when I tried to paste gmerroot1, it still was too big.
So Gmerroot5 is the start, then it follows in order 1,2,3,4.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-15 18:14:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7564514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7553282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7553474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7564D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7564FB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF75633FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7565422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF75647D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7552F32]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 228 804E2884 2 Bytes [FA, 33]
.text ntoskrnl.exe!_abnormal_termination + 22B 804E2887 1 Byte [F7]
? xopzpw.sys The system cannot find the file specified. !
? F:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [4A, 5F] {DEC EDX; POP EDI}
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [38, 5F]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F670F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F700F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F130F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0D0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F100F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F220F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F1F0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F7C0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F550F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F160F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [05, 5F]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F6D0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044AD11 F:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F640F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F3A0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F580F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F3D0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F310F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F6A0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F5E0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F5B0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F610F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [74, 5F] {JZ 0x61}
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F0A0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F4C0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F1C0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F400F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F430F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [7A, 5F] {JP 0x61}
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F190F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F4F0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F760F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F460F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F340F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [53, 5F] {PUSH EBX; POP EDI}
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] shell32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F2E0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] shell32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F2B0F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] shell32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F250F5A
.text F:\Program Files\Spyware Doctor\pctsSvc.exe[180] shell32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F280F5A
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04C00001
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\Explorer.EXE[524] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\Explorer.EXE[524] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\Explorer.EXE[524] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\Explorer.EXE[524] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\Explorer.EXE[524] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\Explorer.EXE[524] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\Explorer.EXE[524] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\Explorer.EXE[524] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\Explorer.EXE[524] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\Explorer.EXE[524] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\Explorer.EXE[524] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\Explorer.EXE[524] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\csrss.exe[620] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\system32\csrss.exe[620] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015C0001
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01100001
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F2E0F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [50, 5F] {PUSH EAX; POP EDI}
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text F:\WINDOWS\SYSTEM32\winlogon.exe[644] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [68, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F860F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F8F0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F9B0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F730F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F8C0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F830F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\system32\services.exe[688] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F890F5A
.text F:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F7D0F5A
.text F:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F7A0F5A
.text F:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F800F5A
.text F:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [93, 5F] {XCHG EBX, EAX; POP EDI}
.text F:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F610F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [99, 5F] {CDQ ; POP EDI}
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F950F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\services.exe[688] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [71, 5F] {JNO 0x61}
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\lsass.exe[700] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by lindai » July 16th, 2009, 10:30 am

.text F:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[936] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\system32\svchost.exe[936] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [75, 5F] {JNZ 0x61}
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F930F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9C0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02F30001
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA80F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F810F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F990F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F900F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F840F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F960F5A
.text F:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F8A0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F870F5A
.text F:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8D0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [A0, 5F]
.text F:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F780F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A6, 5F] {CMPSB ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7B0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA20F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1032] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7F, 5F] {JG 0x61}
.text F:\WINDOWS\System32\svchost.exe[1032] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\System32\svchost.exe[1032] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\System32\svchost.exe[1032] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\System32\svchost.exe[1032] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D10001
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1184] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\System32\svchost.exe[1184] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\System32\svchost.exe[1184] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\System32\svchost.exe[1184] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\System32\svchost.exe[1184] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EA0001
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\system32\spoolsv.exe[1400] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\spoolsv.exe[1400] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\system32\spoolsv.exe[1400] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1400] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [81, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [6F, 5F] {OUTSD ; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F9E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FA70F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F3E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01280001
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F4A0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F440F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F470F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F590F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F560F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB30F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8C0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F4D0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3C, 5F] {CMP AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA40F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9B0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F710F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F8F0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F740F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F680F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA10F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F950F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F920F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F980F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AB, 5F] {STOSD ; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F410F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F830F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F530F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F770F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7A0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B1, 5F] {MOV CL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F500F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F860F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FAD0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F7D0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6B0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8A, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F650F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F620F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5C0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1432] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F5F0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [81, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [6F, 5F] {OUTSD ; POP EDI}
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F9E0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FA70F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F3E0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AB0001
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F4A0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F440F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F470F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F590F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F560F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB30F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8C0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F4D0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3C, 5F] {CMP AL, 0x5f}
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA40F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9B0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F710F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F8F0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F740F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F680F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA10F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F950F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F920F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F980F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AB, 5F] {STOSD ; POP EDI}
.text F:\WINDOWS\system32\ctfmon.exe[1576] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F410F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F830F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F530F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F770F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7A0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B1, 5F] {MOV CL, 0x5f}
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F500F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F860F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FAD0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F7D0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6B0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\ctfmon.exe[1576] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8A, 5F]
.text F:\WINDOWS\system32\ctfmon.exe[1576] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F650F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F620F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5C0F5A
.text F:\WINDOWS\system32\ctfmon.exe[1576] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F5F0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [81, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [6F, 5F] {OUTSD ; POP EDI}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F9E0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5FA70F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F3E0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C90001
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F4A0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F440F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F470F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F590F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F560F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FB30F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F8C0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F4D0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3C, 5F] {CMP AL, 0x5f}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5FA40F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F9B0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F710F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F8F0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F740F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F680F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5FA10F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
lindai

Re: hjt log

Post by lindai » July 16th, 2009, 10:31 am

.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F530F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F770F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F7A0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [B1, 5F] {MOV CL, 0x5f}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F500F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F860F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FAD0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F7D0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F6B0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8A, 5F]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F950F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F920F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F980F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [AB, 5F] {STOSD ; POP EDI}
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F410F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F830F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F650F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F620F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F5C0F5A
.text F:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1648] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F5F0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00920001
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\System32\svchost.exe[1692] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1692] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\System32\svchost.exe[1692] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\System32\svchost.exe[1692] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\System32\svchost.exe[1692] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\System32\svchost.exe[1692] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00640001
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe[1724] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DE0001
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\system32\svchost.exe[1768] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\svchost.exe[1768] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\system32\svchost.exe[1768] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\system32\svchost.exe[1768] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\system32\svchost.exe[1768] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\system32\svchost.exe[1768] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01300001
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\Program Files\Java\jre6\bin\jqs.exe[1780] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009A0001
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\System32\svchost.exe[1820] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1820] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\System32\svchost.exe[1820] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\System32\svchost.exe[1820] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\System32\svchost.exe[1820] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\System32\svchost.exe[1820] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [68, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [56, 5F] {PUSH ESI; POP EDI}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00770001
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F730F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F610F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [98, 5F] {CWDE ; POP EDI}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [71, 5F] {JNO 0x61}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F7C0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI}
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\system32\nvsvc32.exe[1896] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by lindai » July 16th, 2009, 10:32 am

.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009A0001
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\System32\svchost.exe[1932] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\svchost.exe[1932] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\System32\svchost.exe[1932] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\System32\svchost.exe[1932] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\System32\svchost.exe[1932] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\System32\svchost.exe[1932] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00730001
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\Program Files\Spyware Doctor\pctsAuxs.exe[2012] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00870001
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\system32\wuauclt.exe[2200] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\system32\wuauclt.exe[2200] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [75, 5F] {JNZ 0x61}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [63, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F920F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9B0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F3E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F4A0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F440F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F470F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F590F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F560F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA70F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F800F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F4D0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3C, 5F] {CMP AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F980F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8F0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F650F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F830F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F680F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5C0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F950F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F530F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6B0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A5, 5F] {MOVSD ; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F500F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7A0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA10F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F710F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5F0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7E, 5F] {JLE 0x61}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F890F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F860F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8C0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9F, 5F] {LAHF ; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F410F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F770F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5FAA0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5FB30F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5FAD0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2264] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5FB00F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [75, 5F] {JNZ 0x61}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [63, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F920F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9B0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F3E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F4A0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F440F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F470F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F590F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F560F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA70F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F800F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F4D0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3C, 5F] {CMP AL, 0x5f}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F980F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8F0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F650F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F830F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F680F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5C0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F950F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F890F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F860F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8C0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9F, 5F] {LAHF ; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F410F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F770F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F530F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6B0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6E0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A5, 5F] {MOVSD ; POP EDI}
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F500F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7A0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA10F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F710F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5F0F5A
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2344] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7E, 5F] {JLE 0x61}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [75, 5F] {JNZ 0x61}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [63, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F920F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9B0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F3E0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003D0001
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F4A0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F440F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F470F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F590F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F560F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA70F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F800F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F4D0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [3C, 5F] {CMP AL, 0x5f}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F980F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8F0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F650F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F830F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F680F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5C0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F950F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F890F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F860F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8C0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9F, 5F] {LAHF ; POP EDI}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F410F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F770F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F530F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6B0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6E0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A5, 5F] {MOVSD ; POP EDI}
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F500F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F7A0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA10F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F710F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5F0F5A
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\Documents and Settings\Linda\Desktop\gmer\gmer.exe[2796] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7E, 5F] {JLE 0x61}
.text F:\Program Files\Spyware Doctor\TFEngine\TFService.exe[2880] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [74, 5F] {JZ 0x61}
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [62, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00870001
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!LoadResource 7C80A055 6 Bytes JMP 5FA60F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!GetProcAddress 7C80AE40 6 Bytes JMP 5F7F0F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 5F400F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateRemoteThread 7C8104CC 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateRemoteThread + 4 7C8104D0 2 Bytes [2F, 5F] {DAS ; POP EDI}
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateThread 7C8106D7 6 Bytes JMP 5F970F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 5F8E0F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!TerminateThread 7C81CB3B 6 Bytes JMP 5F640F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!GetVolumeInformationA 7C821BA5 6 Bytes JMP 5F820F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!DebugActiveProcess 7C85B0FB 6 Bytes JMP 5F670F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F5B0F5A
.text F:\WINDOWS\System32\alg.exe[3004] kernel32.dll!CreateToolhelp32Snapshot 7C865C7F 6 Bytes JMP 5F940F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F460F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!GetKeyState 7E429ED9 6 Bytes JMP 5F6A0F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!GetAsyncKeyState 7E42A78F 6 Bytes JMP 5F6D0F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!ShowWindow 7E42AF56 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!ShowWindow + 4 7E42AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI}
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F430F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!SetWinEventHook 7E4317F7 6 Bytes JMP 5F790F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!GetWindowTextA 7E43216B 6 Bytes JMP 5FA00F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!DdeConnect 7E4581C3 6 Bytes JMP 5F700F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!EndTask 7E45A0A5 6 Bytes JMP 5F5E0F5A
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] USER32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 5F] {JGE 0x61}
.text F:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!RegOpenKeyExA 77DD7852 6 Bytes JMP 5F880F5A
.text F:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 6 Bytes JMP 5F850F5A
.text F:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!RegSetValueExA 77DDEAE7 6 Bytes JMP 5F8B0F5A
.text F:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!OpenSCManagerA 77DF69AE 3 Bytes [FF, 25, 1E]
.text F:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!OpenSCManagerA + 4 77DF69B2 2 Bytes [9E, 5F] {SAHF ; POP EDI}
.text F:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!LsaRemoveAccountRights 77E1AC91 6 Bytes JMP 5F340F5A
.text F:\WINDOWS\System32\alg.exe[3004] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F760F5A
.text F:\WINDOWS\System32\alg.exe[3004] SHELL32.dll!ShellExecuteExW 7CA0996B 6 Bytes JMP 5F580F5A
.text F:\WINDOWS\System32\alg.exe[3004] SHELL32.dll!ShellExecuteEx 7CA40EB5 6 Bytes JMP 5F550F5A
.text F:\WINDOWS\System32\alg.exe[3004] SHELL32.dll!ShellExecuteA 7CA411E0 6 Bytes JMP 5F4F0F5A
.text F:\WINDOWS\System32\alg.exe[3004] SHELL32.dll!ShellExecuteW 7CAB5D48 6 Bytes JMP 5F520F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E53B982070CDa7c47901BB6D68AEB4D7\Usage@statusexe 988742764

---- EOF - GMER 1.0.15 ----
lindai
Regular Member
 
Posts: 18
Joined: July 4th, 2009, 1:56 pm

Re: hjt log

Post by Cypher » July 16th, 2009, 12:33 pm

Hi lindai :)
Thank you for those logs.


Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply:

1. Kaspersky scan log.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: hjt log

Post by Cypher » July 19th, 2009, 6:42 am

Hi lindai

It has been 3 days since my last post. Do you still need help?

According to Malware Removal's latest policy, topics can be closed after 3 days without a response. If I do not get any within the next 24 hours, this topic will be closed.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns