
Website redirect and unwanted sounds

Discussion in 'Virus & Other Malware Removal' started by rkmcgee818, Jan 23, 2011.

Thread Status:
Not open for further replies.
  1. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
    About two weeks ago, I started having problems with my web browsers. Normally I use Firefox, but these problems present in IE as well as Chrome. Basically, whenever I enter a web search and click on the desired link, I am redirected to various other sites. To get to where I'm trying to go, I have to hit the back button and re-click the link a few times. Also, even if no web browser is open, snippets of commercials will play through my speakers. These problems started on the same day. I have a McAfee Internet Security subscription which is up to date. I tried installing Malwarebytes, which got a few hits, but the problems remained. McAfee hasn't detected anything at all. I'm all out of ideas and ready to throw my laptop out the window. Also, I don't know if this is related, but I recently uninstalled a bunch of stuff to free up some space on my HDD. Since these problems started, about thirty percent of the space I freed up is gone.
     
  2. Blottedisk

    Blottedisk

    Joined:
    May 24, 2009
    Messages:
    94
    Hi rkmcgee818, welcome to Tech Support Guy.


    My name is Blottedisk and I will be helping you with your topic. Before we delve into this, there are a few things you need to know:

    • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools menu to the right of your topic title and selecting "Subscribe to this Thread".
    • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
    • Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice. This may cause a delay in response time, but I will do my best to keep it as short as possible.

    The Virus & Other Malware Removal forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 5 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.


    Please follow these steps:


    Step 1 | Download DDS from any of the links below:

    Link 1
    Link 2
    Link 2

    --------------------------------------------------------------------
    • Save it to your desktop.
    • Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs.
    • Save the logs to a convenient place such as your desktop.
    • Post the contents of the DDS.txt report in your next reply.
    • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.


    Step 2 | Please download GMER from one of the following locations and save it to your desktop:

    Main Mirror - This version will download a randomly named file (Recommended)
    Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

    --------------------------------------------------------------------

    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

    Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Make sure all options are checked except:
      • IAT/EAT
      • Drives/Partition other than Systemdrive, which is typically C:\
      • Show All (This is important, so do not miss it.)


    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.


    Step 3 | Please download GooredFix from one of the locations below and save it to your Desktop:

    Download Mirror #1
    Download Mirror #2


    • Ensure all browser windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • It doesn't take long to run. Once it is finished, copy and paste the results in your next reply.
     
  3. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Rashaun McGee at 7:27:47.99 on Tue 01/25/2011
    Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_23
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.889 [GMT -7:00]

    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Protector Suite QL\upeksvr.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Windows\system32\mfevtps.exe
    C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Toshiba\IVP\ISM\pinger.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Toshiba\Utilities\KeNotify.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\System32\WDBtnMgr.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Windows\System32\maFwTray.exe
    C:\Program Files\Razer\DeathAdder\razerhid.exe
    C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Protector Suite QL\psqltray.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\Razer\DeathAdder\razertra.exe
    C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Oneeko\ONEEKO.EXE
    C:\Users\Rashaun McGee\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files\Razer\DeathAdder\razerofa.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Windows\System32\alg.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
    C:\Windows\system32\ctfmon.exe
    C:\Users\Rashaun McGee\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Users\Rashaun McGee\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Users\Rashaun McGee\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\McAfee Online Backup\MOBK518backup.exe
    C:\Users\Rashaun McGee\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Zune\ZuneNss.exe
    C:\Program Files\McAfee Online Backup\MOBK518backup.exe
    C:\Users\Rashaun McGee\Desktop\dds.scr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    uStart Page = hxxp://www.yahoo.com/
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    mStart Page = hxxp://www.yahoo.com/
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101102165056.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Google Update] "c:\users\rashaun mcgee\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
    mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [StormCodec_Helper] "c:\program files\ringz studio\storm codec\StormSet.exe" /S /opti
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
    mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
    mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
    mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
    mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\users\rashau~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\oneeko.lnk - c:\program files\oneeko\ONEEKO.EXE
    StartupFolder: c:\users\rashau~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\users\rashau~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: DisableCAD = 1 (0x1)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: c:\windows\system32\wpclsp.dll
    Trusted Zone: 164.109.25.72
    Trusted Zone: 207.130.86.35
    Trusted Zone: acura.com
    Trusted Zone: ahm-ownerlink.com
    Trusted Zone: ahmdealer.com
    Trusted Zone: edcor.com
    Trusted Zone: honda.com
    Trusted Zone: honda.com\www.in
    Trusted Zone: hondacars.com
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: microsoft.com\download.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: xmradio.com
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    TCP: {8AB7000C-39AF-44BD-A2B8-6C34DA07F5D3} = 192.168.2.254
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    LSA: Notification Packages = scecli psqlpwd

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\rashau~1\appdata\roaming\mozilla\firefox\profiles\3uqso46z.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - component: c:\users\rashaun mcgee\appdata\roaming\mozilla\firefox\profiles\3uqso46z.default\extensions\{12e4c684-c03e-4e4d-85bc-0c065e7a9489}\components\WinampPlayer.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\rashaun mcgee\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Move Media Player: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: SHOUTcast Radio Toolbar: {12e4c684-c03e-4e4d-85bc-0c065e7a9489} - %profile%\extensions\{12e4c684-c03e-4e4d-85bc-0c065e7a9489}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-5-30 386840]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-11-2 64304]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-11-2 164840]
    R1 MOBK518Filter;MOBK518Filter;c:\windows\system32\drivers\MOBK518.sys [2010-11-16 54776]
    R1 OxFWLF;OxFWLF;c:\windows\system32\drivers\OxFWLF.sys [2008-4-6 12043]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-2 55840]
    R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-8-2 22784]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-21 20952]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-5-30 152960]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-5-30 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-2 313288]
    R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2009-12-20 31616]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-22 39272]
    S3 MAFW;%FW.SvcDesc%;c:\windows\system32\drivers\mafw.sys [2008-1-20 186368]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-2 84264]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-5-30 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-5-30 40552]
    S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [2008-4-6 7296]

    =============== Created Last 30 ================

    2011-01-24 03:24:13 -------- d-----w- c:\progra~2\MFAData
    2011-01-21 19:24:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-21 19:24:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-16 22:45:39 -------- d-----w- c:\progra~2\TomTom
    2011-01-16 22:44:36 -------- d-----w- c:\users\rashau~1\appdata\roaming\TomTom
    2011-01-16 22:44:36 -------- d-----w- c:\users\rashau~1\appdata\local\TomTom
    2011-01-16 22:44:27 -------- d-----w- c:\program files\TomTom International B.V
    2011-01-16 22:43:34 -------- d-----w- c:\program files\TomTom HOME 2
    2011-01-16 22:42:38 -------- d-----w- c:\program files\TomTom DesktopSuite
    2011-01-16 02:20:19 -------- d-----w- c:\progra~2\NVIDIA Corporation
    2011-01-16 02:11:46 5473896 ----a-w- c:\windows\system32\nvwgf2um.dll
    2011-01-16 02:11:45 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-01-16 02:11:40 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
    2011-01-16 02:11:40 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
    2011-01-16 02:11:40 10084360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-01-16 02:11:38 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2011-01-16 02:11:38 4837480 ----a-w- c:\windows\system32\nvcuda.dll
    2011-01-16 02:11:38 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-01-16 02:11:38 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-01-16 02:11:38 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-01-16 02:10:32 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-01-16 02:09:22 -------- d-----w- C:\NVIDIA
    2011-01-16 02:06:51 -------- d-----w- c:\program files\SystemRequirementsLab
    2011-01-12 14:32:22 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 14:32:20 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-12 14:32:19 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-01-12 14:32:19 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-12 14:32:19 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-12 14:32:19 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-12 14:32:11 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-07 14:51:42 -------- d-----w- c:\users\rashau~1\appdata\roaming\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1
    2011-01-07 14:44:56 -------- d-----w- c:\program files\Times Reader
    2011-01-07 14:39:40 -------- d-----w- c:\program files\McAfee Security Scan
    2011-01-07 14:28:48 -------- d-----w- c:\users\rashau~1\appdata\roaming\McAfee
    2011-01-02 06:38:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-01-02 06:38:11 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2011-01-02 04:45:29 -------- d-----w- c:\users\rashau~1\appdata\roaming\Malwarebytes
    2011-01-02 04:45:19 -------- d-----w- c:\progra~2\Malwarebytes
    2011-01-02 04:45:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    ==================== Find3M ====================

    2010-11-13 01:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll

    ============= FINISH: 7:40:03.43 ===============
     


  4. rkmcgee818

    rkmcgee818 Thread Starter

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-25 11:09:21
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 FUJITSU_MHW2120BH rev.00400013
    Running: r8m1gz10.exe; Driver: C:\Users\RASHAU~1\AppData\Local\Temp\fgldypow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x892380B8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x892380E2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x892380CE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x892380A4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 836759D2 5 Bytes JMP 892380A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 8383ADA3 5 Bytes JMP 892380E6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 8385A4FA 7 Bytes JMP 892380BC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8385A7BD 5 Bytes JMP 892380D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x895B5000, 0x4036D, 0xE8000020]
    .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x895FE000, 0x510, 0x40000040]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\services.exe[756] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00180FEF
    .text C:\Windows\system32\services.exe[756] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0018001B
    .text C:\Windows\system32\services.exe[756] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0018000A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00130F04
    .text C:\Windows\system32\services.exe[756] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00130F15
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00130EC7
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00130ED8
    .text C:\Windows\system32\services.exe[756] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00130F55
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00130FD4
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00130FB9
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 0013004A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00130F70
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00130F9E
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00130F8D
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00130025
    .text C:\Windows\system32\services.exe[756] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00130F3A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00130079
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0013000A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00130FEF
    .text C:\Windows\system32\services.exe[756] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00130EE9
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 002C005B
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 002C0FB9
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 002C0000
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 002C0040
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 002C006C
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 002C0FD4
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 002C0FEF
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 002C0025
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00190FA8
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!system 765C804B 5 Bytes JMP 00190FC3
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00190029
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_open 765CD106 5 Bytes JMP 0019000C
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00190FDE
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00190FEF
    .text C:\Windows\system32\services.exe[756] WS2_32.dll!socket 77C536D1 5 Bytes JMP 002D0FEF
    .text C:\Windows\system32\lsass.exe[768] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00220000
    .text C:\Windows\system32\lsass.exe[768] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00220036
    .text C:\Windows\system32\lsass.exe[768] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0022001B
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 002100E2
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00210FA6
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00210111
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00210F70
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 002100AC
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00210036
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00210047
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 002100D1
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00210091
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00210FE5
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00210FD4
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00210062
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00210FB7
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00210F55
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0021001B
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00210000
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00210F81
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00840FAF
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00840036
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00840000
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00840047
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0084006C
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0084001B
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00840FEF
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00840FCA
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 0023004E
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!system 765C804B 5 Bytes JMP 00230033
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00230FD4
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_open 765CD106 5 Bytes JMP 00230FEF
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00230FC3
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00230018
    .text C:\Windows\system32\lsass.exe[768] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00880FEF
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00CE0FEF
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00CE0FC3
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00CE0FDE
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00CD00B3
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00CD0F6D
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00CD0F1C
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00CD0F41
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00CD006C
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00CD0014
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00CD0025
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00CD00A2
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00CD0F94
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00CD0040
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00CD0051
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00CD0FC3
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00CD0087
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00CD00D8
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00CD0FD4
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00CD0FEF
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00CD0F5C
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00CF0FA1
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!system 765C804B 5 Bytes JMP 00CF0FB2
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00CF0FDE
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_open 765CD106 5 Bytes JMP 00CF0000
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00CF0FCD
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00CF0FEF
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00D00062
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00D00040
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00D0000A
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00D00051
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00D0007D
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00D00FEF
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00D0001B
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00D00FD4
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenA 77CAD690 5 Bytes JMP 00D20000
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenW 77CADB09 5 Bytes JMP 00D20FE5
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenUrlA 77CAF3A4 5 Bytes JMP 00D2001B
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenUrlW 77CF6D77 5 Bytes JMP 00D20FC0
    .text C:\Windows\system32\svchost.exe[940] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00D10FEF
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 009C0FEF
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 009C001B
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 009C000A
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00970F54
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00970F6F
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00970F1E
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 009700B5
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00970089
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0097002C
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00970047
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00970F8A
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00970078
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00970FCA
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00970FB9
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00970FDB
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 0097009A
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00970F03
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0097001B
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00970000
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00970F39
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 009D0FAD
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!system 765C804B 5 Bytes JMP 009D0038
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 009D0FD2
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_open 765CD106 5 Bytes JMP 009D0FEF
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 009D0027
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 009D000C
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00960FAF
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00960FCA
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00960000
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00960051
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00960062
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0096002C
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00960011
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00960FDB
    .text C:\Windows\system32\svchost.exe[1092] WS2_32.dll!socket 77C536D1 5 Bytes JMP 009E000A
    .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01630000
    .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0163001B
    .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01630FEF
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 016100CE
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 016100BD
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 016100DF
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 01610F52
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 01610076
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 01610FD4
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 01610025
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 016100A2
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 01610FA8
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 01610FB9
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0161005B
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 01610036
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 01610091
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 016100FA
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0161000A
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 01610FEF
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 01610F63
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00BE0F89
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!system 765C804B 5 Bytes JMP 00BE0014
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00BE0FB5
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_open 765CD106 5 Bytes JMP 00BE0FEF
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00BE0FA4
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00BE0FD2
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00BF0FAF
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00BF0047
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00BF0000
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00BF0FCA
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00BF0062
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00BF0FE5
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00BF0011
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00BF0036
    .text C:\Windows\system32\svchost.exe[1168] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01620000
    .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01070FEF
    .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01070000
    .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01070FCA
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 77751929 3 Bytes JMP 01010F44
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoW + 4 7775192D 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 777519C9 3 Bytes JMP 01010F55
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoA + 4 777519CD 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessW 77751BF3 3 Bytes JMP 01010F0E
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessW + 4 77751BF7 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessA 77751C28 3 Bytes JMP 01010F29
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessA + 4 77751C2C 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!VirtualProtect 77751DC3 3 Bytes JMP 01010F88
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!VirtualProtect + 4 77751DC7 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 77752EF5 3 Bytes JMP 01010FD4
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA + 4 77752EF9 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 77755C0C 3 Bytes JMP 01010025
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW + 4 77755C10 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 01010F66
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 01010062
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 01010051
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 01010FA5
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 01010036
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 01010F77
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 01010EF3
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0101000A
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 01010FEF
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 010100A5
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00810042
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!system 765C804B 5 Bytes JMP 00810027
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00810016
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_open 765CD106 5 Bytes JMP 00810FEF
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00810FB7
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00810FD2
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 0100005B
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 0100002F
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 01000FEF
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 0100004A
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 01000076
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 01000FC3
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 01000FDE
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0100001E
    .text C:\Windows\System32\svchost.exe[1224] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01020FEF
    .text C:\Windows\System32\svchost.exe[1320] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01A50FE5
    .text C:\Windows\System32\svchost.exe[1320] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01A50025
    .text C:\Windows\System32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01A50000
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 019F0F26
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 019F0F37
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 019F0098
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 019F0087
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 019F0047
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 019F0011
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 019F0FC0
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 019F0F48
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 019F0F6F
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 019F0F9B
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 019F0F80
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 019F0022
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 019F0058
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 019F00A9
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 019F0000
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 019F0FEF
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 019F0F0B
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 018E0FE5
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!system 765C804B 5 Bytes JMP 018E0066
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 018E0044
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_open 765CD106 5 Bytes JMP 018E000C
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 018E0055
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 018E0029
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 019A0F9E
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 019A0036
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 019A0FE5
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 019A0FAF
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 019A0F83
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 019A0025
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 019A0000
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 019A0FD4
    .text C:\Windows\System32\svchost.exe[1320] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01A00FEF
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 012D0000
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 012D0FDB
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 012D0011
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 009B009A
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 009B0F54
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 009B0F03
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 009B0F1E
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 009B0F8A
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 009B0FDB
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 009B0022
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 009B007F
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 009B0F9B
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 009B0047
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 009B0058
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 009B0FB6
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 009B0F79
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 009B0EF2
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 009B0011
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 009B0000
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 009B0F39
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00990FAD
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!system 765C804B 5 Bytes JMP 00990042
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0099001D
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_open 765CD106 5 Bytes JMP 00990FEF
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00990FD2
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 0099000C
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 009A0036
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 009A001B
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 009A0FEF
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 009A0F94
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 009A0F79
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 009A0FB9
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 009A0FCA
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 009A000A
    .text C:\Windows\system32\svchost.exe[1372] WS2_32.dll!socket 77C536D1 5 Bytes JMP 009C0FEF
    .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 009A0FEF
    .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 009A0FD4
    .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 009A0014
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00980EFD
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00980043
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00980EB3
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00980ECE
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00980F44
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00980FC3
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00980014
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00980F22
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00980F61
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00980F8D
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00980F72
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00980FA8
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00980F33
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00980EA2
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00980FD4
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00980FEF
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00980054
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00800064
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!system 765C804B 5 Bytes JMP 00800049
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00800FD9
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_open 765CD106 5 Bytes JMP 00800000
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 0080002E
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00800011
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00850051
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00850FC3
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00850FEF
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00850040
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0085006C
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00850FD4
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 0085000A
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00850025
    .text C:\Windows\system32\svchost.exe[1476] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00990000
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 0158000A
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01580036
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0158001B
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 010D00B1
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 010D0096
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 010D0F46
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 010D00D3
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 010D0056
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 010D0FC3
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 010D0014
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 010D007B
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 010D0F7C
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 010D0F8D
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 010D002F
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 010D0FA8
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 010D0F6B
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 010D0102
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 010D0FDE
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 010D0FEF
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 010D00C2
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00120053
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!system 765C804B 5 Bytes JMP 00120FBE
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0012001D
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_open 765CD106 5 Bytes JMP 00120FEF
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00120038
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 0012000C
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 010C003D
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 010C002C
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 010C0000
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 010C0F9B
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 010C0058
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 010C0FE5
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 010C0011
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 010C0FC0
    .text C:\Windows\system32\svchost.exe[1548] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01120FEF
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenA 77CAD690 5 Bytes JMP 01570FE5
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenW 77CADB09 5 Bytes JMP 01570FCA
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenUrlA 77CAF3A4 5 Bytes JMP 01570FB9
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenUrlW 77CF6D77 5 Bytes JMP 01570F9E
    .text C:\Windows\system32\svchost.exe[1576] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01010FEF
    .text C:\Windows\system32\svchost.exe[1576] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01010FB9
    .text C:\Windows\system32\svchost.exe[1576] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01010FCA
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00840F5E
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 008400A4
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 008400EB
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 008400DA
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00840078
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00840FCA
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00840FAF
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00840F79
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00840051
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 0084002F
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00840040
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00840F9E
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00840089
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00840F39
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00840FEF
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 0084000A
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 008400BF
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 007C0044
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!system 765C804B 5 Bytes JMP 007C0033
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 007C0FCD
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_open 765CD106 5 Bytes JMP 007C0FEF
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 007C0022
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 007C0FDE
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 0083002F
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00830014
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00830FEF
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00830F8D
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00830040
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00830FC3
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00830FDE
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00830FB2
    .text C:\Windows\system32\svchost.exe[1576] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01000FEF
    .text C:\Windows\system32\svchost.exe[2008] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 005F0FE5
    .text C:\Windows\system32\svchost.exe[2008] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 005F001B
    .text C:\Windows\system32\svchost.exe[2008] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 005F000A
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 005900CE
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00590F88
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00590101
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 005900F0
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 0059008E
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0059002C
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00590FD1
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 005900A9
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 0059007D
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00590FC0
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0059006C
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00590047
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00590F99
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00590F4F
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0059001B
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 0059000A
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 005900DF
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00540F90
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!system 765C804B 5 Bytes JMP 00540FA1
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00540FC6
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_open 765CD106 5 Bytes JMP 00540FE3
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00540011
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00540000
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00550F9E
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00550040
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00550FEF
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00550FAF
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0055005B
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00550014
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00550FDE
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0055002F
    .text C:\Windows\system32\svchost.exe[2008] WS2_32.dll!socket 77C536D1 5 Bytes JMP 005A0FEF
    .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 0079000A
    .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00790025
    .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00790FEF
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 006800D3
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 006800B8
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00680F68
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 006800FF
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00680071
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00680FC3
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00680014
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 006800A7
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00680060
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00680FB2
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00680F97
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00680039
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00680082
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00680F4D
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00680FDE
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00680FEF
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 006800EE
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00660F93
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!system 765C804B 5 Bytes JMP 0066001E
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00660FB5
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_open 765CD106 5 Bytes JMP 00660FEF
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00660FA4
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00660FD2
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00670FAF
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00670051
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00670000
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00670FCA
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00670F9E
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00670036
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 0067001B
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00670FEF
    .text C:\Windows\system32\svchost.exe[2172] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00780000
    .text C:\Windows\Explorer.EXE[2420] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 04780FEF
    .text C:\Windows\Explorer.EXE[2420] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 04780FD4
    .text C:\Windows\Explorer.EXE[2420] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 04780000
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 04650080
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 04650F3A
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 04650F15
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 046500B6
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 04650F77
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0465001B
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 04650FCA
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 04650F4B
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 04650051
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 04650F9E
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 04650040
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 04650FAF
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 04650F66
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 046500D1
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 04650FEF
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 04650000
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 046500A5
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 04640FDE
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 04640065
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 04640000
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 04640076
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0464009B
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 04640025
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 04640FEF
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 04640040
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 04620FB4
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!system 765C804B 5 Bytes JMP 0462003F
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0462002E
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_open 765CD106 5 Bytes JMP 04620000
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 04620FCF
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 0462001D
    .text C:\Windows\Explorer.EXE[2420] WS2_32.dll!socket 77C536D1 5 Bytes JMP 04710000
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenA 77CAD690 5 Bytes JMP 04760000
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenW 77CADB09 5 Bytes JMP 04760FE5
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenUrlA 77CAF3A4 5 Bytes JMP 0476001B
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenUrlW 77CF6D77 5 Bytes JMP 04760036
    .text C:\Windows\system32\svchost.exe[2976] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 007D0FEF
    .text C:\Windows\system32\svchost.exe[2976] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 007D002F
    .text C:\Windows\system32\svchost.exe[2976] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 007D0014
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 007C0F61
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 007C0F72
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 007C00DD
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 007C0F46
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 007C0082
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 007C002F
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 007C0040
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 007C0F83
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 007C0067
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 007C0FB9
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 007C0FA8
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 007C0FCA
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 007C009D
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 007C0F2B
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 007C0014
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 007C0FEF
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 007C00C2
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 007A0FBE
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!system 765C804B 5 Bytes JMP 007A0049
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 007A001D
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_open 765CD106 5 Bytes JMP 007A000C
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 007A002E
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 007A0FE3
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 007B0FA5
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 007B0FD1
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 007B0000
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 007B0FC0
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 007B0058
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 007B002C
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 007B0011
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 007B003D
    .text C:\Windows\System32\svchost.exe[3472] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 006D0000
    .text C:\Windows\System32\svchost.exe[3472] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 006D0FD4
    .text C:\Windows\System32\svchost.exe[3472] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 006D0FE5
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00680F65
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 006800AB
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 006800D0
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00680F43
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00680FA5
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0068001B
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00680FCA
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 0068009A
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 0068007D
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00680051
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0068006C
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00680040
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00680F94
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00680F28
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0068000A
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00680FEF
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00680F54
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 0065004C
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!system 765C804B 5 Bytes JMP 00650FB7
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0065000C
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_open 765CD106 5 Bytes JMP 00650FEF
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00650027
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00650FD2
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00670FD4
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 0067005B
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 0067000A
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00670076
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00670FC3
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0067002F
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00670FEF
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00670040
    .text C:\Windows\System32\svchost.exe[3472] WS2_32.dll!socket 77C536D1 5 Bytes JMP 007C0FE5
    .text C:\Windows\System32\svchost.exe[3676] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00140000
    .text C:\Windows\System32\svchost.exe[3676] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00140011
    .text C:\Windows\System32\svchost.exe[3676] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00140FE5
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 001100BA
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 001100A9
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00110F23
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00110F48
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00110073
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0011001B
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00110FCA
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 0011008E
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00110062
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00110FA5
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00110047
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 0011002C
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00110F7E
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00110F12
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00110000
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00110FEF
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00110F59
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 000F0FB0
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!system 765C804B 5 Bytes JMP 000F0FC1
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 000F0027
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_open 765CD106 5 Bytes JMP 000F0000
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 000F0FD2
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 000F0FE3
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00100058
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00100036
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00100000
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00100047
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00100073
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00100FCA
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00100FE5
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0010001B
    .text C:\Windows\System32\svchost.exe[3676] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00130000
    .text C:\Windows\system32\svchost.exe[3864] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00040000
    .text C:\Windows\system32\svchost.exe[3864] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0004002F
    .text C:\Windows\system32\svchost.exe[3864] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00040FEF
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00060F30
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00060F41
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00060F15
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 000600AC
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00060F88
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00060011
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00060FC0
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00060F52
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 0006006C
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00060036
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00060051
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00060FAF
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00060F77
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 000600D1
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00060000
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00060FEF
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00060091
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wsystem 765C7F2F 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00080033
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!system 765C804B 5 Bytes JMP 00080FA8
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00080018
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_open 765CD106 5 Bytes JMP 00080FEF
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00080FB9
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00080FDE
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00090F9E
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00090FB9
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00090000
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00090040
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00090065
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00090FD4
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00090FE5
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0009001B
    .text C:\Windows\system32\svchost.exe[3864] WS2_32.dll!socket 77C536D1 5 Bytes JMP 000F000A
    .text C:\Windows\System32\svchost.exe[3920] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00610FEF
    .text C:\Windows\System32\svchost.exe[3920] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0061001B
    .text C:\Windows\System32\svchost.exe[3920] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0061000A
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 005F0F51
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 005F0097
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 005F00C3
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateProcessA 77751C28 1 Byte [E9]
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 005F0F2C
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 005F0075
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 005F002C
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 005F0FDB
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 005F0F6C
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 005F005A
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 005F0FA5
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 005F003D
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 005F0FC0
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 005F0086
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 005F00E8
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 005F001B
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 005F0000
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 005F00A8
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00150FC3
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!system 765C804B 5 Bytes JMP 0015004E
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00150FDE
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_open 765CD106 5 Bytes JMP 00150FEF
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00150033
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00150018
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 005E0FB9
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 005E0051
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 005E0000
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 005E0FCA
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 005E0FA8
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 005E0025
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 005E0FE5
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 005E0036
    .text C:\Windows\System32\svchost.exe[3920] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00600FEF
    .text C:\Windows\system32\svchost.exe[3956] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 002D000A
    .text C:\Windows\system32\svchost.exe[3956] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 002D0FCA
    .text C:\Windows\system32\svchost.exe[3956] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 002D0FEF
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00270F92
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 002700D8
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00270F4B
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00270F5C
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00270FB7
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0027002C
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00270FE5
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 002700C7
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00270091
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00270FD4
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00270076
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00270051
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 002700B6
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00270107
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0027001B
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 0027000A
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00270F6D
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 001B0036
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!system 765C804B 5 Bytes JMP 001B0FAB
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 001B0011
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_open 765CD106 5 Bytes JMP 001B0000
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 001B0FBC
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 001B0FE3
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00250051
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00250FC3
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00250000
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00250040
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00250062
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0025001B
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00250FE5
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00250FD4
    .text C:\Windows\system32\svchost.exe[3956] WS2_32.dll!socket 77C536D1 5 Bytes JMP 002C0000
    .text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[4012] ntdll.dll!DbgBreakPoint 77DB8B2E 1 Byte [90]
    .text C:\Windows\system32\svchost.exe[4220] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00040000
    .text C:\Windows\system32\svchost.exe[4220] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0004001B
    .text C:\Windows\system32\svchost.exe[4220] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00040FDB
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00060F50
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00060F61
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00060EFF
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00060F1A
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00060078
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00060FC3
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00060014
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreatePipe 77778E6E 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00060F72
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00060F9E
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00060040
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0006005B
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 0006002F
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00060F8D
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 000600A7
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00060FD4
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00060FEF
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00060F35
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00080FAB
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!system 765C804B 5 Bytes JMP 00080FC6
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0008001B
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_open 765CD106 5 Bytes JMP 00080FEF
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 0008002C
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00080000
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00090FB9
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 0009005B
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00090FEF
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00090FCA
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00090FA8
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0009001B
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 0009000A
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00090036
    .text C:\Windows\system32\svchost.exe[4220] WS2_32.dll!socket 77C536D1 5 Bytes JMP 000B0FEF
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[4624] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 697F9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[4624] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 697F9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs MOBK518.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:324] 8721E53C
    Thread System [4:328] 8722052D

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\AC5F6FF803E4B3E49B1502C4AA2A17A6\[email protected] 1043930331
    Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\[email protected] C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report1fee4633
    Reg HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\[email protected] WniJKbPISOGLcvhTomXOuD
    Reg HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\[email protected] EWwS?L]Ur}[yTwZHEESOLOjMw]MAs^oP

    ---- Files - GMER 1.0.15 ----

    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8A3E7B2-289E-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3FADDB62-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B49A513-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96BF9742-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{96BF9743-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E8A3E7B3-289E-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B49A512-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{144CF7D3-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDCAEA82-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A7AC33-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{144CF7D2-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BD94CDA3-289E-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD94CDA2-289E-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2A7AC32-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0F9C47GO\errorPageStrings[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0F9C47GO\noConnect[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UPO70MQ\ErrorPageTemplate[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UPO70MQ\favcenter[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DFA51.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF90A.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF6C61.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF5A9F.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DFA28.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF20DA.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF2106.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\WER1BF9.tmp.version.txt 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\WER1D03.tmp.appcompat.txt 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\WER1D42.tmp.hdmp 0 bytes

    ---- EOF - GMER 1.0.15 ----

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 11:10 on 25/01/2011 (Rashaun McGee)
    Firefox version 3.6.13 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [06:26 02/01/2011]
    {AB2CE124-6272-4b12-94A9-7303C7397BD1} [17:19 29/03/2010]
    {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [06:03 18/03/2009]
    {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [03:31 14/05/2009]
    {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [18:21 09/12/2009]
    {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [18:08 30/03/2010]
    {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [17:57 22/05/2010]
    {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [00:09 23/08/2010]
    {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [14:42 22/10/2010]
    {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [18:34 09/01/2011]

    C:\Users\Rashaun McGee\Application Data\Mozilla\Firefox\Profiles\3uqso46z.default\extensions\
    [email protected] [16:31 30/09/2008]
    {12e4c684-c03e-4e4d-85bc-0c065e7a9489} [02:02 20/06/2009]
    {20a82645-c095-46ed-80e3-08825760534b} [09:38 25/07/2010]
    {3112ca9c-de6d-4884-a869-9855de68056c}(258) [01:55 28/04/2010]
    {635abd67-4fe9-1b23-4f01-e679fa7484c1} [01:34 18/02/2010]
    {dd3d7613-0246-469d-bc65-2a3cc1668adc} [17:47 09/08/2010]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\ProgramData\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}" [21:03 09/10/2007]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [23:52 18/05/2009]
    "[email protected]"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [18:09 03/02/2010]
    "{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [07:57 31/10/2008]

    -=E.O.F=-
     
  5. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-25 11:09:21
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 FUJITSU_MHW2120BH rev.00400013
    Running: r8m1gz10.exe; Driver: C:\Users\RASHAU~1\AppData\Local\Temp\fgldypow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x892380B8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x892380E2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x892380CE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x892380A4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 836759D2 5 Bytes JMP 892380A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 8383ADA3 5 Bytes JMP 892380E6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 8385A4FA 7 Bytes JMP 892380BC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8385A7BD 5 Bytes JMP 892380D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x895B5000, 0x4036D, 0xE8000020]
    .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x895FE000, 0x510, 0x40000040]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\services.exe[756] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00180FEF
    .text C:\Windows\system32\services.exe[756] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0018001B
    .text C:\Windows\system32\services.exe[756] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0018000A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00130F04
    .text C:\Windows\system32\services.exe[756] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00130F15
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00130EC7
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00130ED8
    .text C:\Windows\system32\services.exe[756] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00130F55
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00130FD4
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00130FB9
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 0013004A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00130F70
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00130F9E
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00130F8D
    .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00130025
    .text C:\Windows\system32\services.exe[756] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00130F3A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00130079
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0013000A
    .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00130FEF
    .text C:\Windows\system32\services.exe[756] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00130EE9
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 002C005B
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 002C0FB9
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 002C0000
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 002C0040
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 002C006C
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 002C0FD4
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 002C0FEF
    .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 002C0025
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00190FA8
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!system 765C804B 5 Bytes JMP 00190FC3
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00190029
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_open 765CD106 5 Bytes JMP 0019000C
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00190FDE
    .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00190FEF
    .text C:\Windows\system32\services.exe[756] WS2_32.dll!socket 77C536D1 5 Bytes JMP 002D0FEF
    .text C:\Windows\system32\lsass.exe[768] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00220000
    .text C:\Windows\system32\lsass.exe[768] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00220036
    .text C:\Windows\system32\lsass.exe[768] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0022001B
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 002100E2
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00210FA6
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00210111
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00210F70
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 002100AC
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00210036
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00210047
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 002100D1
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00210091
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00210FE5
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00210FD4
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00210062
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00210FB7
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00210F55
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0021001B
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00210000
    .text C:\Windows\system32\lsass.exe[768] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00210F81
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00840FAF
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00840036
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00840000
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00840047
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0084006C
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0084001B
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00840FEF
    .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00840FCA
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 0023004E
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!system 765C804B 5 Bytes JMP 00230033
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00230FD4
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_open 765CD106 5 Bytes JMP 00230FEF
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00230FC3
    .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00230018
    .text C:\Windows\system32\lsass.exe[768] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00880FEF
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00CE0FEF
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00CE0FC3
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00CE0FDE
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00CD00B3
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00CD0F6D
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00CD0F1C
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00CD0F41
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00CD006C
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00CD0014
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00CD0025
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00CD00A2
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00CD0F94
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00CD0040
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00CD0051
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00CD0FC3
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00CD0087
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00CD00D8
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00CD0FD4
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00CD0FEF
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00CD0F5C
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00CF0FA1
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!system 765C804B 5 Bytes JMP 00CF0FB2
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00CF0FDE
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_open 765CD106 5 Bytes JMP 00CF0000
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00CF0FCD
    .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00CF0FEF
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00D00062
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00D00040
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00D0000A
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00D00051
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00D0007D
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00D00FEF
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00D0001B
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00D00FD4
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenA 77CAD690 5 Bytes JMP 00D20000
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenW 77CADB09 5 Bytes JMP 00D20FE5
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenUrlA 77CAF3A4 5 Bytes JMP 00D2001B
    .text C:\Windows\system32\svchost.exe[940] wininet.dll!InternetOpenUrlW 77CF6D77 5 Bytes JMP 00D20FC0
    .text C:\Windows\system32\svchost.exe[940] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00D10FEF
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 009C0FEF
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 009C001B
    .text C:\Windows\system32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 009C000A
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00970F54
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00970F6F
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00970F1E
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 009700B5
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00970089
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0097002C
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00970047
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00970F8A
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00970078
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00970FCA
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00970FB9
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00970FDB
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 0097009A
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00970F03
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0097001B
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00970000
    .text C:\Windows\system32\svchost.exe[1092] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00970F39
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 009D0FAD
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!system 765C804B 5 Bytes JMP 009D0038
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 009D0FD2
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_open 765CD106 5 Bytes JMP 009D0FEF
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 009D0027
    .text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 009D000C
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00960FAF
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00960FCA
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00960000
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00960051
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00960062
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0096002C
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00960011
    .text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00960FDB
    .text C:\Windows\system32\svchost.exe[1092] WS2_32.dll!socket 77C536D1 5 Bytes JMP 009E000A
    .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01630000
    .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0163001B
    .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01630FEF
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 016100CE
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 016100BD
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 016100DF
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 01610F52
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 01610076
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 01610FD4
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 01610025
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 016100A2
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 01610FA8
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 01610FB9
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0161005B
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 01610036
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 01610091
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 016100FA
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0161000A
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 01610FEF
    .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 01610F63
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00BE0F89
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!system 765C804B 5 Bytes JMP 00BE0014
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00BE0FB5
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_open 765CD106 5 Bytes JMP 00BE0FEF
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00BE0FA4
    .text C:\Windows\system32\svchost.exe[1168] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00BE0FD2
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00BF0FAF
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00BF0047
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00BF0000
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00BF0FCA
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00BF0062
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00BF0FE5
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00BF0011
    .text C:\Windows\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00BF0036
    .text C:\Windows\system32\svchost.exe[1168] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01620000
    .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01070FEF
    .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01070000
    .text C:\Windows\System32\svchost.exe[1224] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01070FCA
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 77751929 3 Bytes JMP 01010F44
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoW + 4 7775192D 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 777519C9 3 Bytes JMP 01010F55
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetStartupInfoA + 4 777519CD 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessW 77751BF3 3 Bytes JMP 01010F0E
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessW + 4 77751BF7 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessA 77751C28 3 Bytes JMP 01010F29
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateProcessA + 4 77751C2C 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!VirtualProtect 77751DC3 3 Bytes JMP 01010F88
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!VirtualProtect + 4 77751DC7 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 77752EF5 3 Bytes JMP 01010FD4
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA + 4 77752EF9 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 77755C0C 3 Bytes JMP 01010025
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW + 4 77755C10 1 Byte [89]
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 01010F66
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 01010062
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 01010051
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 01010FA5
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 01010036
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 01010F77
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 01010EF3
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0101000A
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 01010FEF
    .text C:\Windows\System32\svchost.exe[1224] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 010100A5
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00810042
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!system 765C804B 5 Bytes JMP 00810027
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00810016
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_open 765CD106 5 Bytes JMP 00810FEF
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00810FB7
    .text C:\Windows\System32\svchost.exe[1224] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00810FD2
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 0100005B
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 0100002F
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 01000FEF
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 0100004A
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 01000076
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 01000FC3
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 01000FDE
    .text C:\Windows\System32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0100001E
    .text C:\Windows\System32\svchost.exe[1224] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01020FEF
    .text C:\Windows\System32\svchost.exe[1320] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01A50FE5
    .text C:\Windows\System32\svchost.exe[1320] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01A50025
    .text C:\Windows\System32\svchost.exe[1320] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01A50000
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 019F0F26
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 019F0F37
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 019F0098
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 019F0087
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 019F0047
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 019F0011
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 019F0FC0
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 019F0F48
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 019F0F6F
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 019F0F9B
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 019F0F80
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 019F0022
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 019F0058
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 019F00A9
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 019F0000
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 019F0FEF
    .text C:\Windows\System32\svchost.exe[1320] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 019F0F0B
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 018E0FE5
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!system 765C804B 5 Bytes JMP 018E0066
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 018E0044
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_open 765CD106 5 Bytes JMP 018E000C
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 018E0055
    .text C:\Windows\System32\svchost.exe[1320] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 018E0029
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 019A0F9E
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 019A0036
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 019A0FE5
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 019A0FAF
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 019A0F83
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 019A0025
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 019A0000
    .text C:\Windows\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 019A0FD4
    .text C:\Windows\System32\svchost.exe[1320] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01A00FEF
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 012D0000
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 012D0FDB
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 012D0011
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 009B009A
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 009B0F54
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 009B0F03
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 009B0F1E
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 009B0F8A
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 009B0FDB
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 009B0022
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 009B007F
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 009B0F9B
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 009B0047
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 009B0058
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 009B0FB6
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 009B0F79
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 009B0EF2
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 009B0011
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 009B0000
    .text C:\Windows\system32\svchost.exe[1372] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 009B0F39
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00990FAD
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!system 765C804B 5 Bytes JMP 00990042
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0099001D
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_open 765CD106 5 Bytes JMP 00990FEF
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00990FD2
    .text C:\Windows\system32\svchost.exe[1372] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 0099000C
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 009A0036
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 009A001B
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 009A0FEF
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 009A0F94
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 009A0F79
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 009A0FB9
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 009A0FCA
    .text C:\Windows\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 009A000A
    .text C:\Windows\system32\svchost.exe[1372] WS2_32.dll!socket 77C536D1 5 Bytes JMP 009C0FEF
    .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 009A0FEF
    .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 009A0FD4
    .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 009A0014
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00980EFD
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00980043
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00980EB3
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00980ECE
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00980F44
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00980FC3
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00980014
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00980F22
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00980F61
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00980F8D
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00980F72
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00980FA8
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00980F33
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00980EA2
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00980FD4
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00980FEF
    .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00980054
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00800064
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!system 765C804B 5 Bytes JMP 00800049
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00800FD9
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_open 765CD106 5 Bytes JMP 00800000
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 0080002E
    .text C:\Windows\system32\svchost.exe[1476] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00800011
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00850051
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00850FC3
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00850FEF
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00850040
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0085006C
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00850FD4
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 0085000A
    .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00850025
    .text C:\Windows\system32\svchost.exe[1476] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00990000
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 0158000A
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01580036
    .text C:\Windows\system32\svchost.exe[1548] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0158001B
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 010D00B1
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 010D0096
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 010D0F46
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 010D00D3
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 010D0056
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 010D0FC3
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 010D0014
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 010D007B
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 010D0F7C
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 010D0F8D
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 010D002F
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 010D0FA8
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 010D0F6B
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 010D0102
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 010D0FDE
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 010D0FEF
    .text C:\Windows\system32\svchost.exe[1548] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 010D00C2
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00120053
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!system 765C804B 5 Bytes JMP 00120FBE
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0012001D
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_open 765CD106 5 Bytes JMP 00120FEF
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00120038
    .text C:\Windows\system32\svchost.exe[1548] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 0012000C
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 010C003D
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 010C002C
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 010C0000
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 010C0F9B
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 010C0058
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 010C0FE5
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 010C0011
    .text C:\Windows\system32\svchost.exe[1548] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 010C0FC0
    .text C:\Windows\system32\svchost.exe[1548] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01120FEF
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenA 77CAD690 5 Bytes JMP 01570FE5
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenW 77CADB09 5 Bytes JMP 01570FCA
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenUrlA 77CAF3A4 5 Bytes JMP 01570FB9
    .text C:\Windows\system32\svchost.exe[1548] WinInet.dll!InternetOpenUrlW 77CF6D77 5 Bytes JMP 01570F9E
    .text C:\Windows\system32\svchost.exe[1576] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 01010FEF
    .text C:\Windows\system32\svchost.exe[1576] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 01010FB9
    .text C:\Windows\system32\svchost.exe[1576] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 01010FCA
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00840F5E
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 008400A4
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 008400EB
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 008400DA
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00840078
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00840FCA
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00840FAF
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00840F79
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00840051
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 0084002F
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00840040
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00840F9E
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00840089
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00840F39
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00840FEF
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 0084000A
    .text C:\Windows\system32\svchost.exe[1576] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 008400BF
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 007C0044
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!system 765C804B 5 Bytes JMP 007C0033
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 007C0FCD
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_open 765CD106 5 Bytes JMP 007C0FEF
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 007C0022
    .text C:\Windows\system32\svchost.exe[1576] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 007C0FDE
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 0083002F
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00830014
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00830FEF
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00830F8D
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00830040
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00830FC3
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00830FDE
    .text C:\Windows\system32\svchost.exe[1576] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00830FB2
    .text C:\Windows\system32\svchost.exe[1576] WS2_32.dll!socket 77C536D1 5 Bytes JMP 01000FEF
    .text C:\Windows\system32\svchost.exe[2008] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 005F0FE5
    .text C:\Windows\system32\svchost.exe[2008] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 005F001B
    .text C:\Windows\system32\svchost.exe[2008] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 005F000A
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 005900CE
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00590F88
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00590101
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 005900F0
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 0059008E
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0059002C
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00590FD1
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 005900A9
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 0059007D
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00590FC0
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0059006C
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00590047
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00590F99
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00590F4F
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0059001B
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 0059000A
    .text C:\Windows\system32\svchost.exe[2008] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 005900DF
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00540F90
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!system 765C804B 5 Bytes JMP 00540FA1
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00540FC6
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_open 765CD106 5 Bytes JMP 00540FE3
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00540011
    .text C:\Windows\system32\svchost.exe[2008] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00540000
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00550F9E
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00550040
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00550FEF
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00550FAF
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0055005B
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00550014
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00550FDE
    .text C:\Windows\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0055002F
    .text C:\Windows\system32\svchost.exe[2008] WS2_32.dll!socket 77C536D1 5 Bytes JMP 005A0FEF
    .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 0079000A
    .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00790025
    .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00790FEF
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 006800D3
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 006800B8
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00680F68
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 006800FF
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00680071
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00680FC3
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00680014
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 006800A7
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00680060
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00680FB2
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00680F97
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00680039
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00680082
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00680F4D
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00680FDE
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00680FEF
    .text C:\Windows\system32\svchost.exe[2172] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 006800EE
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00660F93
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!system 765C804B 5 Bytes JMP 0066001E
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00660FB5
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_open 765CD106 5 Bytes JMP 00660FEF
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00660FA4
    .text C:\Windows\system32\svchost.exe[2172] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00660FD2
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyExA 775C39AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00670FAF
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00670051
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00670000
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00670FCA
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00670F9E
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00670036
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 0067001B
    .text C:\Windows\system32\svchost.exe[2172] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00670FEF
    .text C:\Windows\system32\svchost.exe[2172] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00780000
    .text C:\Windows\Explorer.EXE[2420] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 04780FEF
    .text C:\Windows\Explorer.EXE[2420] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 04780FD4
    .text C:\Windows\Explorer.EXE[2420] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 04780000
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 04650080
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 04650F3A
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 04650F15
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 046500B6
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 04650F77
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0465001B
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 04650FCA
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 04650F4B
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 04650051
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 04650F9E
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 04650040
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 04650FAF
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 04650F66
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 046500D1
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 04650FEF
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 04650000
    .text C:\Windows\Explorer.EXE[2420] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 046500A5
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 04640FDE
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 04640065
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 04640000
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 04640076
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 0464009B
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 04640025
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 04640FEF
    .text C:\Windows\Explorer.EXE[2420] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 04640040
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 04620FB4
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!system 765C804B 5 Bytes JMP 0462003F
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0462002E
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_open 765CD106 5 Bytes JMP 04620000
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 04620FCF
    .text C:\Windows\Explorer.EXE[2420] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 0462001D
    .text C:\Windows\Explorer.EXE[2420] WS2_32.dll!socket 77C536D1 5 Bytes JMP 04710000
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenA 77CAD690 5 Bytes JMP 04760000
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenW 77CADB09 5 Bytes JMP 04760FE5
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenUrlA 77CAF3A4 5 Bytes JMP 0476001B
    .text C:\Windows\Explorer.EXE[2420] WININET.dll!InternetOpenUrlW 77CF6D77 5 Bytes JMP 04760036
    .text C:\Windows\system32\svchost.exe[2976] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 007D0FEF
    .text C:\Windows\system32\svchost.exe[2976] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 007D002F
    .text C:\Windows\system32\svchost.exe[2976] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 007D0014
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 007C0F61
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 007C0F72
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 007C00DD
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 007C0F46
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 007C0082
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 007C002F
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 007C0040
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 007C0F83
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 007C0067
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 007C0FB9
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 007C0FA8
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 007C0FCA
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 007C009D
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 007C0F2B
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 007C0014
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 007C0FEF
    .text C:\Windows\system32\svchost.exe[2976] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 007C00C2
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 007A0FBE
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!system 765C804B 5 Bytes JMP 007A0049
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 007A001D
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_open 765CD106 5 Bytes JMP 007A000C
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 007A002E
    .text C:\Windows\system32\svchost.exe[2976] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 007A0FE3
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 007B0FA5
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 007B0FD1
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 007B0000
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 007B0FC0
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 007B0058
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 007B002C
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 007B0011
    .text C:\Windows\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 007B003D
    .text C:\Windows\System32\svchost.exe[3472] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 006D0000
    .text C:\Windows\System32\svchost.exe[3472] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 006D0FD4
    .text C:\Windows\System32\svchost.exe[3472] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 006D0FE5
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00680F65
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 006800AB
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 006800D0
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00680F43
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00680FA5
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0068001B
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00680FCA
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 0068009A
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 0068007D
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00680051
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0068006C
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00680040
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00680F94
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00680F28
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0068000A
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00680FEF
    .text C:\Windows\System32\svchost.exe[3472] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00680F54
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 0065004C
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!system 765C804B 5 Bytes JMP 00650FB7
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0065000C
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_open 765CD106 5 Bytes JMP 00650FEF
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00650027
    .text C:\Windows\System32\svchost.exe[3472] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00650FD2
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00670FD4
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 0067005B
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 0067000A
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00670076
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00670FC3
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0067002F
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00670FEF
    .text C:\Windows\System32\svchost.exe[3472] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00670040
    .text C:\Windows\System32\svchost.exe[3472] WS2_32.dll!socket 77C536D1 5 Bytes JMP 007C0FE5
    .text C:\Windows\System32\svchost.exe[3676] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00140000
    .text C:\Windows\System32\svchost.exe[3676] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 00140011
    .text C:\Windows\System32\svchost.exe[3676] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00140FE5
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 001100BA
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 001100A9
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00110F23
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00110F48
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00110073
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0011001B
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00110FCA
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 0011008E
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00110062
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00110FA5
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00110047
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 0011002C
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00110F7E
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00110F12
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00110000
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00110FEF
    .text C:\Windows\System32\svchost.exe[3676] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00110F59
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 000F0FB0
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!system 765C804B 5 Bytes JMP 000F0FC1
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 000F0027
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_open 765CD106 5 Bytes JMP 000F0000
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 000F0FD2
    .text C:\Windows\System32\svchost.exe[3676] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 000F0FE3
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00100058
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00100036
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00100000
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00100047
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00100073
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00100FCA
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00100FE5
    .text C:\Windows\System32\svchost.exe[3676] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0010001B
    .text C:\Windows\System32\svchost.exe[3676] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00130000
    .text C:\Windows\system32\svchost.exe[3864] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00040000
    .text C:\Windows\system32\svchost.exe[3864] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0004002F
    .text C:\Windows\system32\svchost.exe[3864] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00040FEF
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00060F30
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00060F41
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00060F15
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 000600AC
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00060F88
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00060011
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00060FC0
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00060F52
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 0006006C
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00060036
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00060051
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00060FAF
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00060F77
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 000600D1
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00060000
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00060FEF
    .text C:\Windows\system32\svchost.exe[3864] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00060091
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wsystem 765C7F2F 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00080033
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!system 765C804B 5 Bytes JMP 00080FA8
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00080018
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_open 765CD106 5 Bytes JMP 00080FEF
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00080FB9
    .text C:\Windows\system32\svchost.exe[3864] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00080FDE
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00090F9E
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00090FB9
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00090000
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00090040
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00090065
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 00090FD4
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00090FE5
    .text C:\Windows\system32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 0009001B
    .text C:\Windows\system32\svchost.exe[3864] WS2_32.dll!socket 77C536D1 5 Bytes JMP 000F000A
    .text C:\Windows\System32\svchost.exe[3920] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00610FEF
    .text C:\Windows\System32\svchost.exe[3920] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0061001B
    .text C:\Windows\System32\svchost.exe[3920] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 0061000A
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 005F0F51
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 005F0097
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 005F00C3
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateProcessA 77751C28 1 Byte [E9]
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 005F0F2C
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 005F0075
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 005F002C
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 005F0FDB
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 005F0F6C
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 005F005A
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 005F0FA5
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 005F003D
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 005F0FC0
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 005F0086
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 005F00E8
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 005F001B
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 005F0000
    .text C:\Windows\System32\svchost.exe[3920] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 005F00A8
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00150FC3
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!system 765C804B 5 Bytes JMP 0015004E
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 00150FDE
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_open 765CD106 5 Bytes JMP 00150FEF
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 00150033
    .text C:\Windows\System32\svchost.exe[3920] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00150018
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 005E0FB9
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 005E0051
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 005E0000
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 005E0FCA
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 005E0FA8
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 005E0025
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 005E0FE5
    .text C:\Windows\System32\svchost.exe[3920] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 005E0036
    .text C:\Windows\System32\svchost.exe[3920] WS2_32.dll!socket 77C536D1 5 Bytes JMP 00600FEF
    .text C:\Windows\system32\svchost.exe[3956] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 002D000A
    .text C:\Windows\system32\svchost.exe[3956] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 002D0FCA
    .text C:\Windows\system32\svchost.exe[3956] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 002D0FEF
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00270F92
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 002700D8
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00270F4B
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00270F5C
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00270FB7
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 0027002C
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00270FE5
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 002700C7
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00270091
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00270FD4
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 00270076
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 00270051
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 002700B6
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 00270107
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 0027001B
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 0027000A
    .text C:\Windows\system32\svchost.exe[3956] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00270F6D
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 001B0036
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!system 765C804B 5 Bytes JMP 001B0FAB
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 001B0011
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_open 765CD106 5 Bytes JMP 001B0000
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 001B0FBC
    .text C:\Windows\system32\svchost.exe[3956] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 001B0FE3
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00250051
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 00250FC3
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00250000
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00250040
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00250062
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0025001B
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 00250FE5
    .text C:\Windows\system32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00250FD4
    .text C:\Windows\system32\svchost.exe[3956] WS2_32.dll!socket 77C536D1 5 Bytes JMP 002C0000
    .text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[4012] ntdll.dll!DbgBreakPoint 77DB8B2E 1 Byte [90]
    .text C:\Windows\system32\svchost.exe[4220] ntdll.dll!NtCreateFile 77DD43D4 5 Bytes JMP 00040000
    .text C:\Windows\system32\svchost.exe[4220] ntdll.dll!NtCreateProcess 77DD4494 5 Bytes JMP 0004001B
    .text C:\Windows\system32\svchost.exe[4220] ntdll.dll!NtProtectVirtualMemory 77DD4D34 5 Bytes JMP 00040FDB
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!GetStartupInfoW 77751929 5 Bytes JMP 00060F50
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!GetStartupInfoA 777519C9 5 Bytes JMP 00060F61
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateProcessW 77751BF3 5 Bytes JMP 00060EFF
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateProcessA 77751C28 5 Bytes JMP 00060F1A
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!VirtualProtect 77751DC3 5 Bytes JMP 00060078
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateNamedPipeA 77752EF5 5 Bytes JMP 00060FC3
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateNamedPipeW 77755C0C 5 Bytes JMP 00060014
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreatePipe 77778E6E 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreatePipe 77778E6E 5 Bytes JMP 00060F72
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryExW 77779109 5 Bytes JMP 00060F9E
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 00060040
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryExA 777794B4 5 Bytes JMP 0006005B
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 0006002F
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!VirtualProtectEx 7777DBDA 5 Bytes JMP 00060F8D
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!GetProcAddress 7779903B 5 Bytes JMP 000600A7
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateFileW 7779AECB 5 Bytes JMP 00060FD4
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!CreateFileA 7779CE5F 5 Bytes JMP 00060FEF
    .text C:\Windows\system32\svchost.exe[4220] kernel32.dll!WinExec 777E5CF7 5 Bytes JMP 00060F35
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_wsystem 765C7F2F 5 Bytes JMP 00080FAB
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!system 765C804B 5 Bytes JMP 00080FC6
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_creat 765CBBE1 5 Bytes JMP 0008001B
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_open 765CD106 5 Bytes JMP 00080FEF
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_wcreat 765CD326 5 Bytes JMP 0008002C
    .text C:\Windows\system32\svchost.exe[4220] msvcrt.dll!_wopen 765CD501 5 Bytes JMP 00080000
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyExA 775C39AB 5 Bytes JMP 00090FB9
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyA 775C3BA9 5 Bytes JMP 0009005B
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyA 775C89C7 5 Bytes JMP 00090FEF
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyW 775D391E 5 Bytes JMP 00090FCA
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegCreateKeyExW 775D41F1 5 Bytes JMP 00090FA8
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyExA 775D7C42 5 Bytes JMP 0009001B
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyW 775DE2B5 5 Bytes JMP 0009000A
    .text C:\Windows\system32\svchost.exe[4220] ADVAPI32.dll!RegOpenKeyExW 775E7BA1 5 Bytes JMP 00090036
    .text C:\Windows\system32\svchost.exe[4220] WS2_32.dll!socket 77C536D1 5 Bytes JMP 000B0FEF
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[4624] kernel32.dll!LoadLibraryW 77779362 5 Bytes JMP 697F9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[4624] kernel32.dll!LoadLibraryA 777794DC 5 Bytes JMP 697F9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs MOBK518.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:324] 8721E53C
    Thread System [4:328] 8722052D

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\AC5F6FF803E4B3E49B1502C4AA2A17A6\[email protected] 1043930331
    Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\[email protected] C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report1fee4633
    Reg HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\[email protected] WniJKbPISOGLcvhTomXOuD
    Reg HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\[email protected] EWwS?L]Ur}[yTwZHEESOLOjMw]MAs^oP

    ---- Files - GMER 1.0.15 ----

    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8A3E7B2-289E-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3FADDB62-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B49A513-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96BF9742-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{96BF9743-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E8A3E7B3-289E-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B49A512-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{144CF7D3-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDCAEA82-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A7AC33-289F-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{144CF7D2-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BD94CDA3-289E-11E0-88BA-ECC9117A7F65}.dat 4608 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD94CDA2-289E-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2A7AC32-289F-11E0-88BA-ECC9117A7F65}.dat 3584 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0F9C47GO\errorPageStrings[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0F9C47GO\noConnect[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UPO70MQ\ErrorPageTemplate[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UPO70MQ\favcenter[1] 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DFA51.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF90A.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF6C61.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF5A9F.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DFA28.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF20DA.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\~DF2106.tmp 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\WER1BF9.tmp.version.txt 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\WER1D03.tmp.appcompat.txt 0 bytes
    File C:\Users\Rashaun McGee\AppData\Local\Temp\WER1D42.tmp.hdmp 0 bytes

    ---- EOF - GMER 1.0.15 ----
     
  6. Blottedisk

    Blottedisk

    Joined:
    May 24, 2009
    Messages:
    94
    Hi,

    You are using peer-to-peer programs, specifically uTorrent.
    These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
    If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.


    Ok, please follow these steps:


    Step 1 | Please go here: http://virusscan.jotti.org/

    • When the jotti page has finished loading, click the "Browse" button and navigate to the following files and click Submit:
      • c:\windows\system32\drivers\MOBK518.sys
        c:\windows\system32\drivers\OxUSBLF.sys
    • Copy the results and paste them here
    • Note: You will not be able to upload and scan all files at once. You will have to submit and scan each file separately.


    Step 2 | Please download SystemLook from the link below and save it to your Desktop.

    Download Mirror


    --------------------------------------------------------------------
    • Right-Click SystemLook.exe and choose "Run as administrator" to run it.
    • Copy the content of the following codebox into the main textfield:

      Code:
      :regfind
      2578FF91-F2B0-D5CA-E634-3B015D1338F1
      
      :reg
      HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1} /sub
      
      :file
      c:\windows\system32\drivers\MOBK518.sys
      c:\windows\system32\drivers\OxUSBLF.sys
      
      :service
      MOBK518Filter
      OxUSBLF
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


    Step 3 | Let's perform an ESET Online Scan

    Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

    • Please go here then click on: [​IMG]
      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
    • Select the option YES, I accept the Terms of Use then click on: [​IMG]
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on: [​IMG]
    • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic.
    • Now click on: [​IMG] (Selecting Uninstall application on close if you so wish)
     
  7. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
    The MOBK518.sys file wouldn't upload. uTorrent was uninstalled, but I hadn't used that in a long time.



    Filename: OxUSBLF.sys
    Status:
    Scan finished. 0 out of 19 scanners reported malware.
    Scan taken on: Thu 27 Jan 2011 02:34:57 (CET) Permalink



    SystemLook 04.09.10 by jpshortstuff
    Log created at 19:28 on 26/01/2011 by Rashaun McGee
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "2578FF91-F2B0-D5CA-E634-3B015D1338F1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}]

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}]
    (No values found)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\AutoConvertTo]
    @="{00020803-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\BcqDsa]
    @="[email protected]``NQ}__V~"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\dnawvrk]
    @="fIQQw]Of]ZDP"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\Dxhudhgsh]
    @="GCfk_dKegx\\{NhNAg`L"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\erSNoVgnNko]
    @="pbdSjHQOFhB_KhnI{@xdwl"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\fdalRn]
    @="Iyffv\pdunDfHjUuXDutV`"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\ffoi]
    @="`Ik_fjzBQSGfyIHPy\se"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\fmNGjuxneg]
    @="\pdunDfHjUuXDutV"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\hckocdAadK]
    @="LfcCSQWGniJKaiz\wELcvhTomXOuD"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\HVmts]
    @="xKJm^oKe`{N}LfcCQyV"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\ipdHOA]
    @="{ZuAbsfpXYyoWWGZ}lQfn_i|N^~wNIB"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\Jrmuqkfu]
    @="WniJK`ZQsKGLcvhTomXOuD"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\jVweEy]
    @="quaXDEOdldAOt{ZooGVP|"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\ldvCTU]
    @="EWwSL]Ur}[yTwZHEESN"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\LkzohwhmwtdCi]
    @="{[ianQsdfztGCfk_d"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\mZlxzi]
    @="[email protected]``NQ}__V~dLLodIIYB"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\oqhke]
    @="Ik_fjzBQSGfyIHPy\sexMKMFkKebSOm"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\ovpRGdq]
    @="t{ZooGVP|{[ianQsdfzt"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\suzdSUfVCg]
    @="Kegx\\{NhNAg`L{ZuFVmfpXYyoWWGZ"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\tWrQkZscztklf]
    @="pbdSjHQOFhB_KhnI{@xdw"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\vnAqoMrmQq]
    @="dLLodIIYBquaXDEOdldAO"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\vtuztWn]
    @="}lQfn_i|N^~wNIBIyffv"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\wZBF]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\xFbWHweiteakl]
    @="EWwSL]Ur}[yTwZHEESOgWZMw]FXvD]T"


    ========== file ==========

    c:\windows\system32\drivers\MOBK518.sys - File found and opened.
    MD5: 720F2E1759526EC6D6D95CB284CF62D9
    Created at 14:37 on 16/11/2010
    Modified at 13:52 on 06/10/2010
    Size: 54776 bytes
    Attributes: --a----
    FileDescription: Mozy Change Monitor Filter Driver
    FileVersion: 1,15,0,2
    ProductVersion: 1,15,0,2
    OriginalFilename: mozy.sys
    InternalName: mozy.sys
    ProductName: Mozy
    CompanyName: Mozy, Inc.
    LegalCopyright: Copyright © 2005-2009 - Mozy, Inc.

    c:\windows\system32\drivers\OxUSBLF.sys - File found and opened.
    MD5: DFE39855F629B2718F6708185CADD5CA
    Created at 08:17 on 06/04/2008
    Modified at 18:56 on 04/10/2006
    Size: 7296 bytes
    Attributes: --a----
    FileDescription: OXUxxxx USB filter Driver
    FileVersion: 1.01.0000
    ProductVersion: 1.01.0000
    OriginalFilename: oxusb.sys
    InternalName: oxusb.sys (01 Feb 2005, 2:00pm)
    ProductName: OXUxxxx
    CompanyName: OEM
    LegalCopyright: © OEM 2002-2005

    ========== service ==========

    MOBK518Filter
    MOBK518Filter
    "McAfee Online Backup Change Monitor"
    Current Status: Started
    Startup Type: System
    Error Control: Normal
    Binary: system32\DRIVERS\MOBK518.sys
    Group: FSFilter Activity Monitor
    SafeBoot:
    Dependencies:
    (none)
    Dependant Services:
    (none)

    OxUSBLF
    Oxsemi USB filter driver
    (No Description)
    Current Status: Stopped
    Startup Type: Demand
    Error Control: Critical
    Binary: System32\DRIVERS\OxUSBLF.sys
    Group: Base
    SafeBoot: Minimal(Group) Network(Group)
    Dependencies:
    (none)
    Dependant Services:
    (none)

    -= EOF =-


    [email protected] as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=4e3c455f8226ca429c7adcc8b5d1e448
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-01-27 08:52:50
    # local_time=2011-01-27 01:52:50 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16777213 100 75 1414958 9089354 0 0
    # compatibility_mode=5892 16776574 100 91 1416961 132703886 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=401090
    # found=5
    # cleaned=0
    # scan_time=22012
    C:\Users\Rashaun McGee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\7c92aa45-7d8481d8 a variant of Java/TrojanDownloader.OpenStream.NAU trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Rashaun McGee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\14b7b4f4-72025a26 a variant of Java/TrojanDownloader.OpenStream.NAU trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Rashaun McGee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\5d532e34-65034022 a variant of Java/TrojanDownloader.OpenStream.NAU trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Rashaun McGee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\6ad6a9bc-3d0c4c0a a variant of Java/TrojanDownloader.OpenStream.NAU trojan (unable to clean) 00000000000000000000000000000000 I
     
  8. Blottedisk

    Blottedisk

    Joined:
    May 24, 2009
    Messages:
    94
    Hi,


    Please download Combofix from either of the links below but rename it to landscape.exe before saving it to your desktop.

    Link 1
    Link 2


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------
    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    --------------------------------------------------------------------

    • Right-click and choose "Run as administrator" on the renamed Combofix.exe & follow the prompts. When finished, it will produce a report for you.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [​IMG]

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    If you need help, see this link:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     
  9. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
    ComboFix 11-01-27.05 - Rashaun McGee 01/28/2011 8:09.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1128 [GMT -7:00]
    Running from: c:\users\Rashaun McGee\Desktop\landscape.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\INSTALL.LOG
    c:\programdata\xp
    c:\programdata\xp\EBLib.dll
    c:\programdata\xp\TPwSav.sys
    c:\users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\www.leawo.com_favicon.ico
    c:\users\Rashaun McGee\AppData\Local\Microsoft\Windows\Temporary Internet Files\www.youtube.com_favicon.ico
    c:\windows\system32\Thumbs.db

    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
    .

    2011-01-28 15:38 . 2011-01-28 15:59 -------- d-----w- c:\users\Rashaun McGee\AppData\Local\temp
    2011-01-28 15:38 . 2011-01-28 15:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-28 15:38 . 2011-01-28 15:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-01-28 15:38 . 2011-01-28 15:38 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2011-01-26 15:21 . 2011-01-26 15:21 -------- d-----w- c:\program files\Feedback Tool
    2011-01-24 03:24 . 2011-01-24 03:24 -------- d-----w- c:\programdata\MFAData
    2011-01-21 19:24 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-21 19:24 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-16 22:45 . 2011-01-16 22:45 -------- d-----w- c:\programdata\TomTom
    2011-01-16 22:44 . 2011-01-16 22:44 -------- d-----w- c:\users\Rashaun McGee\AppData\Roaming\TomTom
    2011-01-16 22:44 . 2011-01-16 22:44 -------- d-----w- c:\users\Rashaun McGee\AppData\Local\TomTom
    2011-01-16 22:44 . 2011-01-16 22:44 -------- d-----w- c:\program files\TomTom International B.V
    2011-01-16 22:43 . 2011-01-16 22:43 -------- d-----w- c:\program files\TomTom HOME 2
    2011-01-16 22:42 . 2011-01-16 22:42 -------- d-----w- c:\program files\TomTom DesktopSuite
    2011-01-16 02:20 . 2011-01-16 02:20 -------- d-----w- c:\programdata\NVIDIA Corporation
    2011-01-16 02:11 . 2010-10-16 18:55 5473896 ----a-w- c:\windows\system32\nvwgf2um.dll
    2011-01-16 02:11 . 2010-10-16 18:55 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
    2011-01-16 02:11 . 2010-10-16 18:55 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
    2011-01-16 02:11 . 2010-10-16 18:55 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
    2011-01-16 02:11 . 2010-10-16 18:55 10084360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-01-16 02:11 . 2010-10-16 18:55 57960 ----a-w- c:\windows\system32\OpenCL.dll
    2011-01-16 02:11 . 2010-10-16 18:55 4837480 ----a-w- c:\windows\system32\nvcuda.dll
    2011-01-16 02:11 . 2010-10-16 18:55 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-01-16 02:11 . 2010-10-16 18:55 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-01-16 02:11 . 2010-10-16 18:55 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-01-16 02:10 . 2011-01-16 02:26 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-01-16 02:09 . 2011-01-16 02:09 -------- d-----w- C:\NVIDIA
    2011-01-16 02:06 . 2011-01-16 02:06 -------- d-----w- c:\program files\SystemRequirementsLab
    2011-01-16 02:06 . 2011-01-16 02:06 -------- d-----w- c:\users\Rashaun McGee\AppData\Roaming\SystemRequirementsLab
    2011-01-12 14:32 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 14:32 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-12 14:32 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-12 14:32 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-12 14:32 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-01-12 14:32 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-12 14:32 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-07 14:51 . 2011-01-07 14:51 -------- d-----w- c:\users\Rashaun McGee\AppData\Roaming\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1
    2011-01-07 14:44 . 2011-01-07 14:44 -------- d-----w- c:\program files\Times Reader
    2011-01-07 14:39 . 2011-01-07 14:39 -------- d-----w- c:\program files\McAfee Security Scan
    2011-01-07 14:28 . 2011-01-07 14:28 -------- d-----w- c:\users\Rashaun McGee\AppData\Roaming\McAfee
    2011-01-02 06:38 . 2011-01-04 14:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-01-02 06:38 . 2011-01-02 19:22 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-01-02 04:45 . 2011-01-02 04:45 -------- d-----w- c:\users\Rashaun McGee\AppData\Roaming\Malwarebytes
    2011-01-02 04:45 . 2011-01-02 04:45 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-02 04:45 . 2011-01-21 19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-13 01:53 . 2010-05-22 17:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-04 18:56 . 2010-12-15 17:40 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55 . 2010-12-15 17:40 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55 . 2010-12-15 17:40 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55 . 2010-12-15 17:40 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34 . 2010-12-15 17:40 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01 . 2010-12-15 17:40 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57 . 2010-12-15 17:40 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57 . 2010-12-15 17:40 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57 . 2010-12-15 17:40 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57 . 2010-12-15 17:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01 . 2010-12-15 17:40 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26 . 2010-12-15 17:40 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24 . 2010-12-15 17:40 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2006-06-16 03:33 . 2009-12-21 04:35 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
    2006-05-26 01:43 . 2009-12-21 04:35 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
    2005-09-29 21:41 . 2009-12-21 04:35 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
    2006-06-19 20:10 . 2009-12-21 04:35 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
    2005-02-02 19:19 . 2009-12-21 04:33 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
    2006-04-11 01:35 . 2009-12-21 04:35 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
    2005-11-09 18:10 . 2009-12-21 04:33 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
    2005-11-09 18:42 . 2009-12-21 04:33 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
    2006-01-04 18:22 . 2009-12-21 04:33 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
    2006-01-04 18:21 . 2009-12-21 04:33 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
    2010-10-14 05:28 . 2010-11-02 23:50 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK518]
    @="{2e07fc09-f344-4604-e690-25cbea82a288}"
    [HKEY_CLASSES_ROOT\CLSID\{2e07fc09-f344-4604-e690-25cbea82a288}]
    2010-10-06 13:52 3481912 ----a-w- c:\program files\McAfee Online Backup\MOBK518shell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK5182]
    @="{8683e284-5dce-d532-1669-b07e26f71bb8}"
    [HKEY_CLASSES_ROOT\CLSID\{8683e284-5dce-d532-1669-b07e26f71bb8}]
    2010-10-06 13:52 3481912 ----a-w- c:\program files\McAfee Online Backup\MOBK518shell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK5183]
    @="{ec8114bd-f8b1-904e-6efa-e0a999d8f32c}"
    [HKEY_CLASSES_ROOT\CLSID\{ec8114bd-f8b1-904e-6efa-e0a999d8f32c}]
    2010-10-06 13:52 3481912 ----a-w- c:\program files\McAfee Online Backup\MOBK518shell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-11-14 17:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-11-14 17:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" [2007-10-22 99608]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-29 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2008-06-09 3215360]
    "Steam"="c:\program files\Steam\Steam.exe" [2010-11-17 1242448]
    "DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]
    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-07 26211624]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Google Update"="c:\users\Rashaun McGee\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-10-18 136176]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
    "SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
    "KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
    "WD Button Manager"="WDBtnMgr.exe" [2010-03-07 364544]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-25 96929]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 204800]
    "MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2007-10-24 245760]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-11-14 49416]
    "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
    "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
    "WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2009-06-26 450560]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-21 443728]

    c:\users\Rashaun McGee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Oneeko.lnk - c:\program files\Oneeko\ONEEKO.EXE [2009-12-12 1555968]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-3-4 97384]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-11-14 17:07 96008 ----a-w- c:\windows\System32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-27 133104]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver; [x]
    R3 MAFW;%FW.SvcDesc%;c:\windows\system32\DRIVERS\mafw.sys [2007-10-24 186368]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-14 84264]
    R3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\DRIVERS\OxUSBLF.sys [2006-10-04 7296]
    R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
    R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
    R3 TpChoice;Touch Pad Detection Filter driver; [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-04-16 11520]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-14 64304]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-14 164840]
    S1 MOBK518Filter;MOBK518Filter;c:\windows\system32\DRIVERS\MOBK518.sys [2010-10-06 54776]
    S1 OxFWLF;OxFWLF;c:\windows\system32\drivers\OxFWLF.sys [2006-05-19 12043]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-12-21 363344]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-21 88176]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-14 188136]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-14 141792]
    S2 MOBK518backup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBK518backup.exe [2010-10-06 207160]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-16 369256]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
    S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2009-06-26 102400]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-14 55840]
    S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-21 20952]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-14 313288]
    S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2007-01-16 31616]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-27 22:43]

    2011-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-27 22:43]

    2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2353300641-1160583922-2161134152-1000Core.job
    - c:\users\Rashaun McGee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-10 05:14]

    2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2353300641-1160583922-2161134152-1000UA.job
    - c:\users\Rashaun McGee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-10 05:14]

    2011-01-27 c:\windows\Tasks\vtscheduletask.job
    - c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-01-23 21:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\wpclsp.dll
    Trusted Zone: 164.109.25.72
    Trusted Zone: 207.130.86.35
    Trusted Zone: acura.com
    Trusted Zone: ahm-ownerlink.com
    Trusted Zone: ahmdealer.com
    Trusted Zone: edcor.com
    Trusted Zone: honda.com
    Trusted Zone: honda.com\www.in
    Trusted Zone: hondacars.com
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: microsoft.com\download.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: xmradio.com
    TCP: {8AB7000C-39AF-44BD-A2B8-6C34DA07F5D3} = 192.168.2.254
    DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
    FF - ProfilePath - c:\users\Rashaun McGee\AppData\Roaming\Mozilla\Firefox\Profiles\3uqso46z.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Move Media Player: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: SHOUTcast Radio Toolbar: {12e4c684-c03e-4e4d-85bc-0c065e7a9489} - %profile%\extensions\{12e4c684-c03e-4e4d-85bc-0c065e7a9489}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-AtomixMP3 v2.3 Trial - c:\progra~1\ATOMIX~1\UNWISE.EXE
    AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"

    [HKEY_USERS\S-1-5-21-2353300641-1160583922-2161134152-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:f4,47,68,f5,01,97,48,48,40,c4,08,72,0b,e6,79,04,fc,92,77,c7,1e,8a,ab,
    ce,6c,b1,c3,ed,2b,60,3f,61,5f,30,cd,8d,b1,2b,e1,86,8b,71,1d,a8,d6,66,a6,a4,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(7104)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\program files\McAfee Online Backup\MOBK518shell.dll
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infql2.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Protector Suite QL\upeksvr.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\toshiba\IVP\ISM\pinger.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
    c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
    c:\program files\Toshiba\Power Saver\TPwrMain.exe
    c:\program files\Toshiba\SmoothView\SmoothView.exe
    c:\program files\Toshiba\FlashCards\TCrdMain.exe
    c:\windows\System32\WDBtnMgr.exe
    c:\program files\Protector Suite QL\psqltray.exe
    c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
    c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Razer\DeathAdder\razertra.exe
    c:\program files\Synaptics\SynTP\SynToshiba.exe
    c:\program files\Razer\DeathAdder\razerofa.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\users\Rashaun McGee\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\program files\Zune\ZuneNss.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-28 09:40:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-28 16:39

    Pre-Run: 28,531,163,136 bytes free
    Post-Run: 29,051,764,736 bytes free

    - - End Of File - - 8DA60AEB55AEE36F331FAFD120432FF5
     
  10. Blottedisk

    Blottedisk

    Joined:
    May 24, 2009
    Messages:
    94
    Hi,

    How's the computer now? Are you still being redirected? How about the sounds? Please follow these steps:


    Step 1 | Go into the Control Panel (classic view) and double-click the Java Icon (looks like a coffee cup).

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window (Note: This deletes ALL the Downloaded Applications and Applets from the CACHE).
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.

    Step 2 | Download: CCleaner (freeware)
    http://www.majorgeeks.com/download4191.html

    • Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
    • Once installed, run CCleaner and click the Windows [tab]
    • The following should be selected by default, if not, please select:

      [​IMG]
    • Next: click Options, then click the Settings tab. Locate the "Advanced Section"
    • Uncheck: "Only delete files older than 48 hrs.", click Ok
    • Then click Run Cleaner (bottom right) then Exit


    Step 3 | As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates
    • After the update has been completed, select the Scanner tab.
    • Select Perform Quick scan, then click on Scan
    • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
    • Check all items then click on Remove Selected
    • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:

    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

    Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
    Failure to reboot will prevent MBAM from removing all the malware.


    Step 4 | Please go HERE to run Panda's ActiveScan.

    • Once you are on the Panda site click the Scan your PC Now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location (i.e. your desktop)
    • Post the contents of the ActiveScan report


    Please post back including:

    Panda Active Scan log
    Malwarebytes' Anti-Malware log
    How's the computer running now? Do you still experience redirects?
     
  11. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5633

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    1/29/2011 12:08:08 AM
    mbam-log-2011-01-29 (00-08-08).txt

    Scan type: Quick scan
    Objects scanned: 173482
    Time elapsed: 17 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2011-01-29 20:58:02
    PROTECTIONS: 1
    MALWARE: 2
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee Anti-Virus and Anti-Spyware Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00039991 Trj/Downloader.AZU Virus/Trojan No 0 Yes No c:\users\rashaun mcgee\desktop\old docs\911\.assets\swf\graphics\2_search_2\graphics_vars.txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\guest\appdata\roaming\microsoft\windows\cookies\[email protected][1].txt
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  12. Blottedisk

    Blottedisk

    Joined:
    May 24, 2009
    Messages:
    94
    Hi,

    How's the computer now? Are you still being redirected? How about the sounds?


    Please go to the following site to scan two files: Virus Total

    • Click on Browse, and upload the following files for analysis:
      • C:\Qoobox\Quarantine\C:\programdata\xp\TPwSav.sys.vir
        C:\Qoobox\Quarantine\C:\programdata\xp\EBLib.dll.vir
    • Then click Submit. Allow each file to be scanned, and then please copy and paste the links to VT page to see the results
    • If it says already scanned -- click "reanalyze now"

    Note: You will not be able to upload and scan all files at once. You will have to submit and scan each file separately.
    Note: Please don't post the results here, but the link to both VT pages which contain the results.
     
  13. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
  14. Blottedisk

    Blottedisk

    Joined:
    May 24, 2009
    Messages:
    94
    Hi there,


    Thanks for the links. Let's run one last scan just to be certain there are no remnants of the infection.


    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • If an unknown bootcode is found, you will have further options available to you. At this time, press N, then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.
     
  15. rkmcgee818

    rkmcgee818 Thread Starter

    Joined:
    Jan 23, 2011
    Messages:
    9
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: TOSHIBA
    BIOS Manufacturer: TOSHIBA
    System Manufacturer: TOSHIBA
    System Product Name: Satellite X205
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 178):

    Processes (total 119):

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00200000 (NTFS)

    PhysicalDrive0 Model Number: FUJITSUMHW2120BH, Rev: 00400013
    PhysicalDrive1 Model Number: TOSHIBAMK1237GSX, Rev: DL130M

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61
    111 GB \\.\PhysicalDrive1 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!
     

Short URL to this thread: https://techguy.org/976577
