
Pendrive folders are all shortcuts

Discussion in 'Virus & Other Malware Removal' started by goingcrazy123, May 12, 2014.

Thread Status:
Not open for further replies.
  1. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Dear Tech Support Representatives,

    Hello. Last week I printed out some material from my USB pendrive at an internet cafe. (I do not have my own computer at home.)

    Later I discovered that all the folders on my USB have been changed to shortcuts, with little arrows in the left-hand corner.

    I need to retrieve the data on my USB, otherwise I could just format the pendrive.

    I have already run Malwarebytes, SuperAnti-Spyware, and Junk Removal Tool. However the shortcuts on my USB pendrive are still there.

    Would someone please give me step-by-step instructions on how to convert the folders back to normal and how to remove any other malware that may have spread to my computer's registry, etc.?

    I will first send my HijackThis log, then the DDS (2 logs), and then the GMER.

    Thank you for your help.

    Courtney


    HJT Log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:48:27 AM, on 5/13/2014
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16545)
    Boot mode: Normal

    Running processes:
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    C:\Users\Szabadsag\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
    O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
    O4 - HKLM\..\Run: [USB Security] C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'Default user')
    O4 - Startup: JustCloud.lnk = C:\Program Files (x86)\JustCloud\JustCloud.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F04901F7-B480-4150-8D1D-62B33857E4C3}: NameServer = 10.0.0.1 91.224.178.4
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: HideMyIpSRV - Hide My IP - C:\Program Files (x86)\Hide My IP\HideMyIpSrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7703 bytes


    ++++++++++++++++++++++++++++++++++++++++++++++++++++++

    DDS Notepad


    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16545
    Run by Szabadsag at 0:49:51 on 2014-05-13
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1485.791 [GMT 3:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\JustCloud\JustCloud.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\rasautou.exe
    C:\Windows\explorer.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    C:\Windows\splwow64.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Users\Szabadsag\Downloads\HijackThis.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit = userinit.exe,
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
    mRun: [USB Security] C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
    StartupFolder: C:\Users\SZABAD~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\JUSTCL~1.LNK - C:\Program Files (x86)\JustCloud\JustCloud.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    TCP: Interfaces\{F04901F7-B480-4150-8D1D-62B33857E4C3} : NameServer = 10.0.0.1 91.224.178.4
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Szabadsag\AppData\Roaming\Mozilla\Firefox\Profiles\wlpqbayh.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.ca/advanced_search
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_206.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2014-3-17 82600]
    R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2014-3-17 42664]
    R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2014-4-17 65776]
    R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2014-4-17 208416]
    R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2014-3-17 20464]
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2014-4-17 1039096]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2014-4-17 423240]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-13 12368]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-11 144152]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2014-3-17 241152]
    R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-4-26 29208]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2014-4-17 79184]
    R2 aswStm;aswStm;C:\Windows\System32\drivers\aswStm.sys [2014-4-17 85328]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-4-26 50344]
    R2 hmip;hmip;C:\Windows\System32\drivers\hmip64.sys [2014-4-18 30056]
    R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\System32\drivers\AcpiVpc.sys [2014-3-17 30816]
    R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2014-3-17 107688]
    R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2014-3-17 228008]
    R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2014-3-17 128200]
    R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUVStor.sys [2014-3-17 327752]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
    S3 HideMyIpSRV;HideMyIpSRV;C:\Program Files (x86)\Hide My IP\HideMyIpSrv.exe [2014-4-18 3616880]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-3-18 20992]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-4-8 59392]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-4-10 1255736]
    S3 wmdusbser;Wetelecom USB Device for Legacy Serial Communication;C:\Windows\System32\drivers\wmdusbser.sys [2010-6-11 154240]
    .
    =============== Created Last 30 ================
    .
    2014-05-12 17:54:41 -------- d-----w- C:\Users\Szabadsag\AppData\Roaming\SUPERAntiSpyware.com
    2014-05-12 17:54:09 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
    2014-05-12 17:54:09 -------- d-----w- C:\Program Files\SUPERAntiSpyware
    2014-05-12 16:55:32 -------- d-----w- C:\Windows\ERUNT
    2014-05-11 21:36:04 -------- d-----w- C:\Users\Szabadsag\AppData\Roaming\Zbshareware Lab
    2014-05-11 21:36:04 -------- d-----w- C:\ProgramData\Zbshareware Lab
    2014-05-11 21:35:45 -------- d-----w- C:\Program Files (x86)\USB Disk Security
    2014-05-10 15:57:11 -------- d-----w- C:\Users\Szabadsag\AppData\Local\Norman Malware Cleaner
    2014-05-03 23:14:19 -------- d-----w- C:\Users\Szabadsag\AppData\Local\Amazon
    2014-04-26 16:11:00 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
    2014-04-26 16:10:55 43152 ----a-w- C:\Windows\avastSS.scr
    2014-04-19 15:19:08 -------- d-----w- C:\Users\Szabadsag\AppData\Local\Apple Computer
    2014-04-19 15:18:20 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
    2014-04-19 15:17:17 -------- d-----w- C:\Program Files\iPod
    2014-04-19 15:17:14 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2014-04-19 15:17:14 -------- d-----w- C:\Program Files\iTunes
    2014-04-19 15:17:14 -------- d-----w- C:\Program Files (x86)\iTunes
    2014-04-19 15:14:00 -------- d-----w- C:\Users\Szabadsag\AppData\Local\Apple
    2014-04-19 15:13:01 -------- d-----w- C:\Program Files\Bonjour
    2014-04-19 15:13:01 -------- d-----w- C:\Program Files (x86)\Bonjour
    2014-04-18 14:28:45 -------- d-----w- C:\Program Files (x86)\Free OCR to Word
    2014-04-18 12:25:09 30056 ----a-w- C:\Windows\System32\drivers\hmip64.sys
    2014-04-18 12:24:54 -------- d-----w- C:\Program Files (x86)\Hide My IP
    2014-04-17 11:38:49 -------- d-----w- C:\Users\Szabadsag\AppData\Roaming\AVAST Software
    2014-04-17 11:38:09 85328 ----a-w- C:\Windows\System32\drivers\aswStm.sys
    2014-04-17 11:38:07 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2014-04-17 11:38:07 79184 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2014-04-17 11:38:07 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
    2014-04-17 11:38:07 208416 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
    2014-04-17 11:38:07 1039096 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2014-04-17 11:37:01 -------- d-----w- C:\Program Files\AVAST Software
    2014-04-16 02:04:19 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{795D38C7-FC81-4BBC-8653-D41DE917B279}\offreg.dll
    .
    ==================== Find3M ====================
    .
    2014-05-12 14:21:06 65536 ----a-w- C:\Windows\System32\spu_storage.bin
    2014-05-11 20:08:52 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    2014-04-28 22:06:27 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-04-28 22:06:27 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2014-04-10 19:51:34 14848 ----a-w- C:\Windows\System32\slwga.dll
    2014-04-10 19:51:33 419840 ----a-w- C:\Windows\System32\systemcpl.dll
    2014-04-10 19:51:33 13824 ----a-w- C:\Windows\SysWow64\slwga.dll
    2014-04-10 19:51:27 1008640 ----a-w- C:\Windows\System32\user32.dll
    2014-04-10 19:51:26 833024 ----a-w- C:\Windows\SysWow64\user32.dll
    2014-04-09 06:38:33 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
    2014-04-09 06:38:31 175616 ----a-w- C:\Windows\System32\msclmd.dll
    2014-04-03 06:51:16 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
    2014-04-03 06:51:04 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
    2014-04-03 06:50:58 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2014-03-31 06:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
    2014-03-30 08:05:17 50063360 ----a-w- C:\Program Files (x86)\GUTEF2F.tmp
    2014-03-17 11:13:53 0 ----a-w- C:\Windows\ativpsrm.bin
    2014-03-08 03:49:45 2334720 ----a-w- C:\Windows\System32\jscript9.dll
    2014-03-08 03:40:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2014-03-08 03:39:34 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2014-03-08 03:34:25 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2014-03-08 03:33:45 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2014-03-08 03:29:50 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2014-03-07 23:12:00 1806848 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2014-03-07 23:02:19 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2014-03-07 23:02:07 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2014-03-07 22:57:17 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2014-03-07 22:56:03 421376 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2014-03-07 22:52:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
    2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2014-03-04 09:17:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2014-03-04 09:17:05 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
    .
    ============= FINISH: 0:51:15.97 ===============



    +++++++++++++++++++++++++++++++

    DDS Attach:



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/17/2014 9:42:06 PM
    System Uptime: 5/12/2014 12:36:46 PM (12 hours ago)
    .
    Motherboard: LENOVO | | Lenovo G505
    Processor: AMD E1-2100 APU with Radeon(TM) HD Graphics | Socket FT1 | 1000/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 150 GiB total, 116.369 GiB free.
    D: is FIXED (NTFS) - 316 GiB total, 266.163 GiB free.
    E: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP20: 4/17/2014 2:19:00 PM - avast! antivirus system restore point
    RP21: 4/17/2014 2:36:09 PM - avast! antivirus system restore point
    RP22: 4/19/2014 6:14:09 PM - Installed iTunes
    RP23: 4/26/2014 7:09:04 PM - avast! antivirus system restore point
    RP24: 5/4/2014 12:19:06 PM - Scheduled Checkpoint
    RP25: 5/12/2014 12:41:12 PM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 13 Plugin
    Amazon Kindle
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    Bonjour
    calibre
    CCleaner
    Free OCR to Word 6.8.1
    Hide My IP 5.4
    iTunes
    JustCloud
    Malwarebytes Anti-Malware version 2.0.1.1004
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Mozilla Firefox 29.0.1 (x86 en-US)
    Mozilla Maintenance Service
    Skype™ 6.14
    SumatraPDF
    SUPERAntiSpyware
    USB Disk Security
    VLC media player 2.1.3
    Wetelecom
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/13/2014 12:09:43 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer 1228A2141EF34F3 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D48C5B1C-CC9A-4F9A-99BC-80853280C5BE}. The master browser is stopping or an election is being forced.
    5/12/2014 10:20:59 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer USER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D48C5B1C-CC9A-4F9A-99BC-80853280C5BE}. The master browser is stopping or an election is being forced.
    .
    ==== End Of File ===========================
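The symptom described in the post above, every folder on the pendrive replaced by a same-named shortcut with the arrow overlay, is the usual footprint of a USB shortcut worm: the real folders are still on the drive, but flagged Hidden+System so Explorer does not show them, and each .lnk is arranged to launch a hidden file in the drive root before opening the real folder. The following PowerShell triage script is an added example, not code from this thread, from Tech Support Guy or from any of the tools in the logs. It resolves what each shortcut would run (reading the .lnk metadata, which does not execute anything), lists the hidden files and folders, moves the shortcuts into a quarantine folder for the helper to look at, and clears the attributes so the folders reappear. The drive letter F: (the "Removable" drive in the DDS Attach log), the quarantine path and the parameter names are assumptions made for this example.

```powershell
<#
  Added example, not code from the original thread. Triage and restore for a
  removable drive whose folders were hidden and paired with .lnk shortcuts.
  Assumptions (hypothetical): the drive letter F: and the -Drive / -Quarantine
  parameter names are this example's own. Run with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Drive      = 'F:\',                                        # assumed removable drive
    [string]$Quarantine = (Join-Path $env:USERPROFILE 'usb-quarantine')  # assumed holding folder
)

$ErrorActionPreference = 'Stop'
$shell = New-Object -ComObject WScript.Shell

# 1. Resolve every shortcut in the drive root. CreateShortcut on an existing
#    .lnk only reads its fields; nothing is launched. A folder shortcut that
#    points at cmd.exe / wscript.exe with a hidden file in its arguments is the
#    pattern to look for, because a real folder never needs a shortcut beside it.
$links  = @(Get-ChildItem -LiteralPath $Drive -Filter '*.lnk' -File -Force)
$report = foreach ($lnk in $links) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    [pscustomobject]@{
        Shortcut  = $lnk.Name
        Target    = $sc.TargetPath
        Arguments = $sc.Arguments
    }
}
Write-Host "Shortcuts in $Drive and what they would launch:"
$report | Format-Table -AutoSize | Out-Host

# 2. Hidden+System directories whose name matches a shortcut's base name are
#    the user's own folders: still present, only hidden.
$hiddenDirs = @(Get-ChildItem -LiteralPath $Drive -Directory -Force |
    Where-Object {
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
        ($links.BaseName -contains $_.Name)
    })
Write-Host ("Hidden folders with a matching shortcut: {0}" -f $hiddenDirs.Count)
$hiddenDirs | Select-Object Name, LastWriteTime | Format-Table -AutoSize | Out-Host

# 3. Hidden files in the root: this is where the file the shortcuts launch
#    normally sits. Listed for the helper, never executed here.
Write-Host "Hidden files in the drive root:"
Get-ChildItem -LiteralPath $Drive -File -Force |
    Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) } |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize | Out-Host

# 4. Quarantine the shortcuts (kept, not deleted, so they can be examined) and
#    clear the Hidden / ReadOnly / System bits recursively so Explorer shows the
#    folders again. attrib with /s /d is the same operation removal guides give
#    as a one-liner; ShouldProcess makes -WhatIf and -Confirm work on both steps.
if ($links.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($Drive, "Move $($links.Count) shortcut(s) to $Quarantine")) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $links | Move-Item -Destination $Quarantine -Force
}
if ($PSCmdlet.ShouldProcess($Drive, 'Clear Hidden/System/ReadOnly attributes recursively')) {
    & attrib.exe -h -r -s /s /d (Join-Path $Drive '*')
}
```

Run it once as `.\usb-triage.ps1 -Drive F:\ -WhatIf` to see the shortcut targets and the list of hidden items without changing anything, then without `-WhatIf` to restore the folders. Restoring attributes only fixes the drive's appearance: the hidden file the shortcuts pointed at is still there for the antivirus or the helper to deal with, and plugging the drive into a machine that is itself infected will hide the folders again, which is why the thread's helper will want the computer's logs cleaned up before the pendrive is reused.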
     
  2. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    GMER:


    GMER 2.1.19357 - http://www.gmer.net
    Rootkit scan 2014-05-13 02:00:51
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000068 WDC_WD50 rev.02.0 465.76GB
    Running: es5ubck8.exe; Driver: C:\Users\SZABAD~1\AppData\Local\Temp\uwtyiuob.sys


    ---- User code sections - GMER 2.1 ----

    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077151360 5 bytes JMP 00000000772b0460
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771513b0 5 bytes JMP 00000000772b0450
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077151510 5 bytes JMP 00000000772b0370
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077151560 5 bytes JMP 00000000772b0470
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077151570 5 bytes JMP 00000000772b03e0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151620 5 bytes JMP 00000000772b0320
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077151650 5 bytes JMP 00000000772b03b0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077151670 5 bytes JMP 00000000772b0390
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771516b0 5 bytes JMP 00000000772b02e0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151730 5 bytes JMP 00000000772b02d0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077151750 5 bytes JMP 00000000772b0310
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077151790 5 bytes JMP 00000000772b03c0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771517e0 5 bytes JMP 00000000772b03f0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077151940 5 bytes JMP 00000000772b0230
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b00 5 bytes JMP 00000000772b0480
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b30 5 bytes JMP 00000000772b03a0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c10 5 bytes JMP 00000000772b02f0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c20 5 bytes JMP 00000000772b0350
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151c80 5 bytes JMP 00000000772b0290
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d10 5 bytes JMP 00000000772b02b0
    .text C:\Windows\system32\services.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d30 5 bytes JMP 00000000772b03d0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077151650 5 bytes JMP 00000000772b03b0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077151670 5 bytes JMP 00000000772b0390
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771516b0 5 bytes JMP 00000000772b02e0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151730 5 bytes JMP 00000000772b02d0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077151750 5 bytes JMP 00000000772b0310
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077151790 5 bytes JMP 00000000772b03c0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771517e0 5 bytes JMP 00000000772b03f0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077151940 5 bytes JMP 00000000772b0230
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b00 5 bytes JMP 00000000772b0480
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b30 5 bytes JMP 00000000772b03a0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c10 5 bytes JMP 00000000772b02f0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c20 5 bytes JMP 00000000772b0350
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151c80 5 bytes JMP 00000000772b0290
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d10 5 bytes JMP 00000000772b02b0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d30 5 bytes JMP 00000000772b03d0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151d40 5 bytes JMP 00000000772b0330
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151db0 5 bytes JMP 00000000772b0410
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151de0 5 bytes JMP 00000000772b0240
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771520a0 5 bytes JMP 00000000772b01e0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077152160 5 bytes JMP 00000000772b0250
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077152190 5 bytes JMP 00000000772b0490
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771521a0 5 bytes JMP 00000000772b04a0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771521d0 5 bytes JMP 00000000772b0300
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771521e0 5 bytes JMP 00000000772b0360
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077152240 5 bytes JMP 00000000772b02a0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077152290 5 bytes JMP 00000000772b02c0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771522c0 5 bytes JMP 00000000772b0380
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771522d0 5 bytes JMP 00000000772b0340
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771525c0 5 bytes JMP 00000000772b0440
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771527c0 5 bytes JMP 00000000772b0260
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771527d0 5 bytes JMP 00000000772b0270
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771527e0 5 bytes JMP 00000000772b0400
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771529a0 5 bytes JMP 00000000772b01f0
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771529b0 5 bytes JMP 00000000772b0210
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a20 5 bytes JMP 00000000772b0200
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152a80 5 bytes JMP 00000000772b0420
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152a90 5 bytes JMP 00000000772b0430
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152aa0 5 bytes JMP 00000000772b0220
    .text C:\Windows\system32\Dwm.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152b80 5 bytes JMP 00000000772b0280
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077151360 5 bytes JMP 00000000772b0460
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771513b0 5 bytes JMP 00000000772b0450
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077151510 5 bytes JMP 00000000772b0370
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077151560 5 bytes JMP 00000000772b0470
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077151570 5 bytes JMP 00000000772b03e0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151620 5 bytes JMP 00000000772b0320
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077151650 5 bytes JMP 00000000772b03b0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077151670 5 bytes JMP 00000000772b0390
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771516b0 5 bytes JMP 00000000772b02e0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151730 5 bytes JMP 00000000772b02d0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077151750 5 bytes JMP 00000000772b0310
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077151790 5 bytes JMP 00000000772b03c0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771517e0 5 bytes JMP 00000000772b03f0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077151940 5 bytes JMP 00000000772b0230
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b00 5 bytes JMP 00000000772b0480
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b30 5 bytes JMP 00000000772b03a0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c10 5 bytes JMP 00000000772b02f0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c20 5 bytes JMP 00000000772b0350
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151c80 5 bytes JMP 00000000772b0290
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d10 5 bytes JMP 00000000772b02b0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d30 5 bytes JMP 00000000772b03d0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151d40 5 bytes JMP 00000000772b0330
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151db0 5 bytes JMP 00000000772b0410
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151de0 5 bytes JMP 00000000772b0240
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771520a0 5 bytes JMP 00000000772b01e0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077152160 5 bytes JMP 00000000772b0250
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077152190 5 bytes JMP 00000000772b0490
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771521a0 5 bytes JMP 00000000772b04a0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771521d0 5 bytes JMP 00000000772b0300
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771521e0 5 bytes JMP 00000000772b0360
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077152240 5 bytes JMP 00000000772b02a0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077152290 5 bytes JMP 00000000772b02c0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771522c0 5 bytes JMP 00000000772b0380
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771522d0 5 bytes JMP 00000000772b0340
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771525c0 5 bytes JMP 00000000772b0440
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771527c0 5 bytes JMP 00000000772b0260
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771527d0 5 bytes JMP 00000000772b0270
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771527e0 5 bytes JMP 00000000772b0400
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771529a0 5 bytes JMP 00000000772b01f0
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771529b0 5 bytes JMP 00000000772b0210
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a20 5 bytes JMP 00000000772b0200
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152a80 5 bytes JMP 00000000772b0420
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152a90 5 bytes JMP 00000000772b0430
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152aa0 5 bytes JMP 00000000772b0220
    .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152b80 5 bytes JMP 00000000772b0280
    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1100] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075f58791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]
    .text C:\Program Files (x86)\USB Disk Security\USBGuard.exe[1244] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077151360 5 bytes JMP 00000000772b0460
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771513b0 5 bytes JMP 00000000772b0450
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077151510 5 bytes JMP 00000000772b0370
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077151560 5 bytes JMP 00000000772b0470
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077151570 5 bytes JMP 00000000772b03e0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151620 5 bytes JMP 00000000772b0320
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077151650 5 bytes JMP 00000000772b03b0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077151670 5 bytes JMP 00000000772b0390
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771516b0 5 bytes JMP 00000000772b02e0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151730 5 bytes JMP 00000000772b02d0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077151750 5 bytes JMP 00000000772b0310
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077151790 5 bytes JMP 00000000772b03c0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771517e0 5 bytes JMP 00000000772b03f0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077151940 5 bytes JMP 00000000772b0230
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b00 5 bytes JMP 00000000772b0480
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b30 5 bytes JMP 00000000772b03a0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c10 5 bytes JMP 00000000772b02f0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c20 5 bytes JMP 00000000772b0350
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151c80 5 bytes JMP 00000000772b0290
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d10 5 bytes JMP 00000000772b02b0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d30 5 bytes JMP 00000000772b03d0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151d40 5 bytes JMP 00000000772b0330
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151db0 5 bytes JMP 00000000772b0410
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151de0 5 bytes JMP 00000000772b0240
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771520a0 5 bytes JMP 00000000772b01e0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077152160 5 bytes JMP 00000000772b0250
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077152190 5 bytes JMP 00000000772b0490
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771521a0 5 bytes JMP 00000000772b04a0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771521d0 5 bytes JMP 00000000772b0300
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771521e0 5 bytes JMP 00000000772b0360
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077152240 5 bytes JMP 00000000772b02a0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077152290 5 bytes JMP 00000000772b02c0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771522c0 5 bytes JMP 00000000772b0380
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771522d0 5 bytes JMP 00000000772b0340
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771525c0 5 bytes JMP 00000000772b0440
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771527c0 5 bytes JMP 00000000772b0260
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771527d0 5 bytes JMP 00000000772b0270
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771527e0 5 bytes JMP 00000000772b0400
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771529a0 5 bytes JMP 00000000772b01f0
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771529b0 5 bytes JMP 00000000772b0210
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a20 5 bytes JMP 00000000772b0200
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152a80 5 bytes JMP 00000000772b0420
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152a90 5 bytes JMP 00000000772b0430
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152aa0 5 bytes JMP 00000000772b0220
    .text C:\Windows\system32\SearchIndexer.exe[2432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152b80 5 bytes JMP 00000000772b0280
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077151360 5 bytes JMP 0000000100070460
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771513b0 5 bytes JMP 0000000100070450
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077151510 5 bytes JMP 0000000100070370
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077151560 5 bytes JMP 0000000100070470
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077151570 5 bytes JMP 00000001000703e0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151620 5 bytes JMP 0000000100070320
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077151650 5 bytes JMP 00000001000703b0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077151670 5 bytes JMP 0000000100070390
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771516b0 5 bytes JMP 00000001000702e0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151730 5 bytes JMP 00000001000702d0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077151750 5 bytes JMP 0000000100070310
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077151790 5 bytes JMP 00000001000703c0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771517e0 5 bytes JMP 00000001000703f0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077151940 5 bytes JMP 0000000100070230
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b00 5 bytes JMP 0000000100070480
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b30 5 bytes JMP 00000001000703a0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c10 5 bytes JMP 00000001000702f0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c20 5 bytes JMP 0000000100070350
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151c80 5 bytes JMP 0000000100070290
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d10 5 bytes JMP 00000001000702b0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d30 5 bytes JMP 00000001000703d0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151d40 5 bytes JMP 0000000100070330
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151db0 5 bytes JMP 0000000100070410
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151de0 5 bytes JMP 0000000100070240
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771520a0 5 bytes JMP 00000001000701e0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077152160 5 bytes JMP 0000000100070250
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077152190 5 bytes JMP 0000000100070490
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771521a0 5 bytes JMP 00000001000704a0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771521d0 5 bytes JMP 0000000100070300
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771521e0 5 bytes JMP 0000000100070360
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077152240 5 bytes JMP 00000001000702a0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077152290 5 bytes JMP 00000001000702c0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771522c0 5 bytes JMP 0000000100070380
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771522d0 5 bytes JMP 0000000100070340
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771525c0 5 bytes JMP 0000000100070440
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771527c0 5 bytes JMP 0000000100070260
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771527d0 5 bytes JMP 0000000100070270
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771527e0 5 bytes JMP 0000000100070400
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771529a0 5 bytes JMP 00000001000701f0
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771529b0 5 bytes JMP 0000000100070210
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a20 5 bytes JMP 0000000100070200
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152a80 5 bytes JMP 0000000100070420
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152a90 5 bytes JMP 0000000100070430
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152aa0 5 bytes JMP 0000000100070220
    .text C:\Windows\explorer.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152b80 5 bytes JMP 0000000100070280
    .text C:\Windows\explorer.exe[2424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007703ef8d 1 byte [62]
    .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[4660] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075f58791 4 bytes JMP 0000000162ce5629
    .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[4660] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]
    ? C:\Windows\system32\mssprxy.dll [4660] entry point in ".rdata" section 000000006da171e6
    .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75]
    .text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[4660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75]
    .text ... * 2
    .text C:\Windows\splwow64.exe[4668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007703ef8d 1 byte [62]
    .text C:\Users\Szabadsag\Downloads\HijackThis.exe[2796] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]
    .text C:\Users\Szabadsag\Downloads\HijackThis.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75]
    .text C:\Users\Szabadsag\Downloads\HijackThis.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75]
    .text ... * 2
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[2760] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[3380] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]
    .text C:\Windows\SysWOW64\NOTEPAD.EXE[2716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]
    .text C:\Users\Szabadsag\Downloads\es5ubck8.exe[3788] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075f7a2fd 1 byte [62]

    ---- Threads - GMER 2.1 ----

    Thread [460:544] 000007fefd581f00
    Thread [460:548] 000007fefd581c90
    Thread [460:552] 000007fefd5e4be4
    Thread [460:556] 000007fefd5e3ff0
    Thread [460:576] 000007fefd5e4be4
    Thread [460:600] 000007fefd583710
    Thread [460:604] 000007fefd583710
    Thread [460:636] 000007fefd5e4be4
    Thread [460:696] 000007fefd583710
    Thread [460:1420] 000007fefd5e4be4
    Thread C:\Windows\System32\svchost.exe [1012:972] 000007fefb84f2f4
    Thread C:\Windows\System32\svchost.exe [1012:1052] 000007fefb916204
    Thread C:\Windows\System32\svchost.exe [1012:1280] 000007fefad65440
    Thread C:\Windows\System32\svchost.exe [1012:3952] 000007fef09e6b8c
    Thread C:\Windows\System32\svchost.exe [1012:3956] 000007fef09e1d88
    Thread C:\Windows\System32\svchost.exe [1012:4376] 000007fefae72070
    Thread C:\Windows\System32\svchost.exe [344:2596] 000007fef146818c
    Thread C:\Windows\System32\svchost.exe [344:3280] 000007fef27d44e0
    Thread C:\Windows\System32\svchost.exe [344:3064] 000007fef2ee88f8
    Thread C:\Windows\System32\svchost.exe [344:2468] 000007fef86714a0
    Thread C:\Windows\system32\svchost.exe [372:3204] 000007fef2ea5124
    Thread C:\Windows\system32\svchost.exe [372:3416] 000007fef898506c
    Thread C:\Windows\system32\svchost.exe [372:3424] 000007fef33c1c20
    Thread C:\Windows\system32\svchost.exe [372:3428] 000007fef33c1c20
    Thread C:\Windows\system32\svchost.exe [372:3816] 000007fef86f84d8
    Thread C:\Windows\system32\svchost.exe [372:2392] 000007feeca123a8
    Thread C:\Windows\system32\svchost.exe [372:3672] 000007feefb70d00
    Thread C:\Windows\system32\svchost.exe [372:3628] 000007feec989498
    Thread C:\Windows\system32\svchost.exe [372:4164] 000007fef8ad1ab0
    Thread C:\Windows\system32\svchost.exe [372:2564] 000007fef8af4164
    Thread C:\Windows\system32\svchost.exe [1272:1776] 000007fef305bec4
    Thread C:\Windows\system32\svchost.exe [1272:2396] 000007fef2ea5124
    Thread C:\Windows\system32\svchost.exe [1272:1608] 000007fef0a35170
    Thread C:\Windows\system32\svchost.exe [1272:1816] 000007fef146818c
    Thread C:\Windows\system32\svchost.exe [1272:1256] 000007feeffc83d8
    Thread C:\Windows\system32\svchost.exe [1272:2940] 000007feeffc83d8
    Thread C:\Windows\system32\svchost.exe [1272:3264] 000007feec9d3f1c
    Thread C:\Windows\system32\svchost.exe [1272:3760] 000007fefb581a38
    Thread C:\Windows\system32\svchost.exe [1272:3468] 000007fef89a5388
    Thread C:\Windows\system32\svchost.exe [1272:884] 000007fef4b37738
    Thread C:\Windows\system32\svchost.exe [1272:3632] 000007fef86e1f90
    Thread C:\Windows\System32\spoolsv.exe [1764:3592] 000007feefea10c8
    Thread C:\Windows\System32\spoolsv.exe [1764:3596] 000007feef976144
    Thread C:\Windows\System32\spoolsv.exe [1764:3600] 000007fefa5a5fd0
    Thread C:\Windows\System32\spoolsv.exe [1764:3604] 000007fefa593438
    Thread C:\Windows\System32\spoolsv.exe [1764:3608] 000007fefa5a63ec
    Thread C:\Windows\System32\spoolsv.exe [1764:3616] 000007fef89b5e5c
    Thread C:\Windows\System32\spoolsv.exe [1764:3620] 000007feef9a5074
    Thread C:\Windows\system32\taskhost.exe [1784:1876] 000007fef8652740
    Thread C:\Windows\system32\taskhost.exe [1784:1896] 000007fef7c01010
    Thread C:\Windows\system32\taskhost.exe [1784:1924] 000007fef6d11f38
    Thread C:\Windows\system32\taskhost.exe [1784:1988] 000007feff129274
    Thread C:\Windows\system32\svchost.exe [2484:2528] 000007feefa98470
    Thread C:\Windows\system32\svchost.exe [2484:2460] 000007feefaa2418
    Thread C:\Windows\system32\svchost.exe [2484:3768] 000007feef2265c4
    Thread C:\Windows\System32\svchost.exe [3796:4072] 000007feedc19688
    Thread C:\Windows\explorer.exe [2424:4704] 000007fef146818c
    Thread C:\Windows\explorer.exe [2424:3388] 000007fef0541ebc
    Thread C:\Windows\system32\taskhost.exe [3472:4220] 000007fef09bef24

    ---- Registry - GMER 2.1 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{120BB1E1-DB17-4249-A2D8-6A45C5023C6E}@InterfaceName Reusable ISATAP Interface {120BB1E1-DB17-4249-A2D8-6A45C5023C6E}
    Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{120BB1E1-DB17-4249-A2D8-6A45C5023C6E}@ReusableType 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\[email protected] 1405
    Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\[email protected] 911

    ---- EOF - GMER 2.1 ----
     
  3. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Hello. I am still waiting. This is Day Three (3). How much longer before you can get back to me, do you think?
     
  4. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    There just aren't enough helpers available to cope with the demand, but sorry for the delay.

    I am a bit confused by your opening post. You said you do not have your own computer at home, so what computer are the above logs from?

    Can you be certain that when you copied the files to the Pen Drive that they were actual copies and you didn't just save a shortcut for each file?

    Had you been able to view the files before you noticed they had changed to shortcuts?

    The logs above are clean as far as I can see, but one infection that can cause this is known as a Worm; this is not detected by the scans you have run. Eset, on the other hand, will detect Worm infections, so I would suggest a scan with that. Make sure you have the Pen Drive plugged in to the PC.

    Read these instructions carefully so you make sure you do not remove any of the detections as some may be false positives. I will then review the scan results and instruct you on how to remove anything that needs to go.

    This scan may take several hours to complete.


    Eset online scan instructions.
    IMPORTANT ---> Please make sure you follow the instruction to uncheck the box next to Remove found threats. Eset will detect anything that looks even remotely suspicious; this can include legitimate program files. If you do not uncheck the box, as instructed, Eset will automatically remove all suspect files, which could leave some of your software inoperative. If you make a mistake these files can be restored from quarantine, but it would be preferable not to add any extra work to the clean up of your system.

    • Disable your existing Anti Virus following these instructions.
    • Please go here to use the Eset Online Scanner.
    • When the web page opens click on this button [IMG]
    • If you are not using Internet Explorer you will see a message box open asking you to download the ESET Smart Installer, click on the link and allow it to download and then run it. Accept the Terms of use and click on Start. The required components will download.
    • If using Internet Explorer the Terms of use box will open immediately, accept it and click on Start.
    • After the download is complete the Computer scan settings window will open, IMPORTANT ----> uncheck the box next to Remove found threats and click on Start. The virus signature database will then download which may take some time depending on the speed of your internet connection. The scan will automatically start when the download is complete.
    • This is a very thorough scan and may take several hours to complete depending on how much data you have on your hard drive. Do not interrupt it, be patient and let it finish.
    • A Scan Results window will appear at the end of the scan. If it lists any number of Infected Files click on List of found threats. Click on Copy to clipboard, come back to this thread and right click on the message box. Select Paste and the report will appear, add any comments you have and post the reply.
    • Back on the Eset window, click the Back button and then click on Finish.
     
  5. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Sorry, Mark. I meant that I don't have my own PRINTER at home. That's why I let that guy stick my pendrive into his infected computer. I'll finish reading your message and answer your own questions.
     
  6. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    You asked: "Can you be certain that when you copied the files to the Pen Drive that they were actual copies and you didn't just save a shortcut for each file?"

    I had a full pendrive with intact folders and individual files. These were my folders that were already on my pendrive before I even went to the internet cafe. I did not copy ANYTHING onto my pendrive. I simply wanted one file printed out. After this guy printed out ONE pdf file from ONE of the folders on the pendrive, ALL the folders suddenly appeared as shortcuts.

    "Had you been able to view the files before you noticed they had changed to shortcuts?"

    YES. Everything was fine before I went to the stupid internet cafe.
     
  7. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Dear Mark,

    I will run this scan tonight. I do not have "several hours" to kill right now. I have to work on the computer. Will post the scan results as soon as I can. Thanks for your help.

    Courtney
     
  8. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Sounds to me like the PC in the Internet Cafe has a Worm infection as that is the only thing I have seen do this, but I could not be certain without running scans on their PC.

    Post the results of the Eset scan whenever you have the time and I would avoid plugging that Pen drive into anything else. Worm infections will move with ease from one hard drive to another even with Flash Drive protection software, so if that is the cause, be aware. If it is there Eset should find it.
     
  9. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Mark, nothing happens when I click on "Run Eset Online Scanner." Zilch. I have tried several times. I cannot download the ESET Smart Installer.

    Can you suggest a different web page????

    • When the web page opens click on this button [IMG]
    • If you are not using Internet Explorer you will see a message box open asking you to download the ESET Smart Installer, click on the link and allow it to download and then run it. Accept the Terms of use and click on Start. The required components will download.
    • If using Internet Explorer the Terms of use box will open immediately, accept it and click on Start.
     
  10. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    That blue button is only a graphic included in the instructions to show you what to click on when you get to the Eset site. The link to get there is in the second line of the instructions where it says "Please go here". Just click on the blue word 'here'.
     
  11. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Okay, I finished the Eset scan.

    There were NO suspicious items.

    I'm seeing other complaints about this problem that I have on the internet. Folders on pendrives suddenly turning into shortcuts. Could it be the Win32 virus for pendrives, maybe?

    Also, maybe I just need to "unhide" my files? How do I do that? But this is very strange, because I never touched anything to "hide" the files in the first place. Like I said, everything was fine until I went to that internet cafe.

    Here is a useful website discussing the same problem I have:

    http://cocodrilabs.wordpress.com/2012/04/16/virus-my-files-turned-into-shortcuts-solved/

    Please instruct me on what else we can do. The problem remains, alas. Thanks, Mark.

    Courtney
     
  12. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Have you tried following the guide in the link you posted? It looks like a genuine solution.

    After the Eset scan came up clean I think we can be fairly sure your system is ok and the damage was done by an infection on the PC at the internet cafe.
     
  13. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Hi Mark.

    Is that what you are advising me to do, then? Follow the instructions in that link?

    I am rather leery of following some layperson's advice on the internet, as opposed to the advice of a real trained malware expert on Tech Support Guy. Are you yourself unfamiliar with this type of pendrive virus/malware?

    Is there maybe someone else on Tech Support who could guide me?

    Please let me know what to do. Thank you.

    Courtney
     
  14. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    I did take the time to check the information in that link and it certainly wasn't created by a layman. It is all good solid advice. These kinds of infections are rare, but I have dealt with Worms before when the infection was active and spread to two Flash Drives and two PCs; it took some beating. I am fairly sure your PC is not infected, so we only need to deal with the Flash Drive, which is not much different to handling problems on a hard drive.

    As you have some reservations then please do as follows.

    Plug the Flash Drive into your PC and then open up its contents in Windows Explorer and take a screenshot. Make quite certain that all the files are visible by opening the window up to full screen if need be. Attach the screenshot to your next post. Follow the link and the instructions below if you don't know how to do that.

    How to take a screen shot in Vista/Windows 7

    How to attach a screenshot.
    Below the Message Box click on Go Advanced. Then scroll down until you see a button, Manage Attachments. Click on it and a new window opens.
    • Click on the Browse button, find the screenshot/folder you made earlier and double-click on it.
    • Now click on the Upload button. When done, click on the Close this window button at the top of the page.
    • Enter your message-text in the message box, then click on Submit Message/Reply.
     
  15. goingcrazy123

    goingcrazy123 Thread Starter

    Joined:
    Dec 14, 2013
    Messages:
    79
    Thanks, Mark. I'll send you the screenshot soon.

    Sorry to ask a dumb question, but: could you send me instructions for how to "open up the contents of my flash drive in Windows Explorer"? (I just bought this Lenovo laptop two months ago, and I'm also new to Windows 7. Thanks).

    By the way, a couple of days ago, I downloaded a program called "USB Disk Security". It apparently found a threat which it classifies as "risky":

    F:\autorun.inf

    But when I tried to opt for "delete," this program asks me to buy a license. Is this legit? Apparently some nasty stuff can be spread through autorun.inf.

    Anyway, please let me know about Windows Explorer. I don't see it on my computer, just other Microsoft programs and Internet Explorer. Thank you for your patience.

    Courtney
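As an added example (not part of this thread or of any tool mentioned in it), the following PowerShell script does from the command line what Mark asked for in a screenshot: it lists every shortcut in the drive root with the target it really points at, lists the hidden/system folders those shortcuts replaced, shows the autorun.inf that USB Disk Security flagged, and, only when `-Restore` is given, clears the hidden attributes so the original folders are visible again. It assumes Windows 7 PowerShell and the drive letter F: reported by USB Disk Security; change `$Drive` if yours differs.

```powershell
# Added example, not from the thread. Inspects a removable drive for the
# "folders turned into shortcuts" pattern and optionally unhides the originals.
# Drive letter F: is assumed from the USB Disk Security report in the thread.
param(
    [string]$Drive = 'F:\',
    [switch]$Restore   # attributes are only changed when this is given
)

$shell = New-Object -ComObject WScript.Shell

# 1. Shortcuts in the drive root and what they actually run. A shortcut that
#    merely opens the folder of the same name is harmless; one that launches
#    an executable (with the folder passed as an argument) is the symptom
#    Courtney describes, and the target file is what a scanner should examine.
Get-ChildItem -Path $Drive -Filter *.lnk -Force | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    [pscustomobject]@{
        Shortcut  = $_.Name
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
    }
} | Format-Table -AutoSize

# 2. Hidden + System items in the root. Windows Explorer hides these by
#    default, which is why the real folders seem to have vanished.
$hidden = Get-ChildItem -Path $Drive -Force |
    Where-Object { $_.Attributes -match 'Hidden' -and $_.Attributes -match 'System' }
$hidden | Select-Object Name, Attributes | Format-Table -AutoSize

# 3. autorun.inf, the file USB Disk Security flagged as risky. Reading it is
#    safe; it is a plain text file that tells Windows what to run on insert.
$autorun = Join-Path $Drive 'autorun.inf'
if (Test-Path $autorun) {
    Write-Host "autorun.inf present:"
    Get-Content $autorun
}

# 4. Recovery: clear Hidden, ReadOnly and System on the original folders and
#    their contents (equivalent to attrib -h -r -s /s /d). Do this only after
#    the drive has scanned clean; the .lnk files and whatever they point at
#    can then be deleted by hand.
if ($Restore) {
    foreach ($item in $hidden) {
        attrib -h -r -s $item.FullName /s /d
    }
}
```

Run it first without `-Restore` to see the shortcut targets and hidden folders; the Target column tells you immediately whether the shortcuts point at a folder or at a file that should not be there.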
     
Short URL to this thread: https://techguy.org/1125883
