
Spyware ?


  • This topic is locked
39 replies to this topic

#1 insatiable ONE

insatiable ONE

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 11 May 2012 - 09:32 PM

I applied for a job recently to jobs...something??? Anyhow, I keep getting copies of emails sent with my address as the sender.

from sunjobinusa.com & builder4career.com.

I tried forwarding the emails to spruce.gov. I also have reported the problem to Yahoo, with not much if any help, on several occasions.
I really do not like them sending continuous spam with my email address.

After some research I found an article for HijackThis. I ran it; I think I have a log file. Do I need to post it here?

Attached File: hijackthis.log (1.86KB, 2 downloads)

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:44 AM

Posted 13 May 2012 - 04:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE
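Added here as an example (not part of the thread, and not GMER's own tooling): a Python helper that parses the hook lines GMER writes to gmer.log, in the two shapes the log posted in this thread uses, separates hooks GMER attributed to a named driver from unattributed jumps into anonymous memory, and lists which processes carry hooks the others do not. The regex and the field names are this example's own reading of the format; the sample lines are quoted from the gmer.log posted in this thread.

```python
r"""Triage helper for the hook lines GMER writes to gmer.log.

Added example, not GMER's own code. Two line shapes appear in the log posted in
this thread:

  .text C:\Windows\system32\svchost.exe[532] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 0083000A
  PAGE ntoskrnl.exe!ZwTerminateProcess 82651533 5 Bytes JMP 868B75D6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

The regex below is this example's reading of that format; the field names are its own.
"""
import re
from collections import defaultdict

HOOK_LINE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT|\.rsrc)\s+"
    r"(?:(?P<process>\S.*?\[(?P<pid>\d+)\])\s+)?"            # user-mode lines carry image[pid]
    r"(?P<module>[^\s!]+)!(?P<func>\S+)(?:\s\+\s\d+)?\s+"    # 'func + 4' marks a partial patch
    r"(?P<addr>[0-9A-F]+)\s+(?P<length>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]+)|\[(?P<raw>[0-9A-F ]+)\])"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"      # module GMER resolved the target to
)


def parse_hook_line(line):
    """Return one parsed hook entry, or None for headers, blanks and other line types."""
    m = HOOK_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"]) if entry["pid"] else None
    entry["length"] = int(entry["length"])
    entry["kind"] = "kernel" if entry["process"] is None else "user"
    return entry


def parse_gmer_log(text):
    return [e for e in map(parse_hook_line, text.splitlines()) if e]


def unattributed_hooks(entries):
    """Hooks whose JMP target GMER did not tie to a module on disk.

    In the kernel section GMER names the owning driver (here mfehidk.sys, McAfee);
    the user-mode jumps land in anonymous memory, so the owner has to be established
    some other way before calling the hook good or bad.
    """
    return [e for e in entries if e["target"] and not e["owner"]]


def hooks_by_process(entries):
    """Map 'image[pid]' -> sorted list of 'module!function' hooked in that process."""
    per = defaultdict(set)
    for e in entries:
        if e["kind"] == "user":
            per[e["process"]].add(f"{e['module']}!{e['func']}")
    return {p: sorted(s) for p, s in per.items()}


def outlier_hooks(entries):
    """APIs hooked in only some of the hooked processes.

    One product hooking the same API set in every process is the common pattern;
    a process carrying hooks the others lack is where to start reading. It is a
    reading order, not a verdict: a DLL such as WININET is hooked only where it
    is loaded, so its hooks naturally show up in fewer processes.
    """
    per = hooks_by_process(entries)
    if not per:
        return {}
    common = set.intersection(*(set(v) for v in per.values()))
    return {p: sorted(set(v) - common) for p, v in per.items() if set(v) - common}


# Excerpt of real lines from the gmer.log posted in this thread, cut down to a few
# processes so the grouping is easy to follow by hand.
SAMPLE_LOG = "\n".join([
    "---- Kernel code sections - GMER 1.0.15 ----",
    r".text ntoskrnl.exe!ZwYieldExecution 8246AC0E 5 Bytes JMP 868B7598 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)",
    r"PAGE ntoskrnl.exe!ZwTerminateProcess 82651533 5 Bytes JMP 868B75D6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)",
    "---- User code sections - GMER 1.0.15 ----",
    r".text C:\Windows\system32\svchost.exe[532] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 0083000A",
    r".text C:\Windows\system32\svchost.exe[532] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 009E0F06",
    r".text C:\Windows\system32\services.exe[740] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00070000",
    r".text C:\Windows\system32\services.exe[740] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 008C0EFD",
    r".text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 001C0FEF",
    r".text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 002C0F57",
    r".text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_open 7744D116 3 Bytes JMP 001D000C",
    r".text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_open + 4 7744D11A 1 Byte [88]",
    r".text C:\Windows\System32\svchost.exe[1032] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00160FEF",
    r".text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 00C60110",
    r".text C:\Windows\System32\svchost.exe[1032] WININET.dll!InternetOpenA 7601D688 5 Bytes JMP 00170FEF",
])

ENTRIES = parse_gmer_log(SAMPLE_LOG)

if __name__ == "__main__":
    print(f"{len(ENTRIES)} hook entries, {len(unattributed_hooks(ENTRIES))} without a resolved owner")
    for proc, extra in outlier_hooks(ENTRIES).items():
        print(f"{proc}: hooks not seen in every process -> {', '.join(extra)}")
```

Run it against a full gmer.log by replacing SAMPLE_LOG with the file's contents; the section headers and the "Code ..." lines of the System section are skipped by the parser.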

#3 insatiable ONE

insatiable ONE
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 17 May 2012 - 09:32 PM

Thank you for getting back to this.

I attempted to get a D.D.S. log.
Unfortunately, after disabling my Windows Defender & firewall, McAfee Antivirus, firewall, antispam etc., I am still not able to get a report log.

I tried the first link yesterday for about 3 1/2 hrs.
The D.D.S. file ran, but just stopped at the ################ with a blinking cursor underneath it.
Other times there was no cursor; it just locked up my PC. Tried it in safe mode, no AV.

The second link's D.D.S. file downloaded; I turned off AV as above. It crashed my computer.
Blue screen, system bug-fix? message. PC restarted, tried it in safe mode as well, AV still turned off. Confirmed all firewalls and anti-virus off.

Running a Toshiba notebook with Vista Business.

Am I missing something? I tried to follow your instructions step by step.
It will not open notepad with a log file to post.



I downloaded defogger.
It did everything but >DID NOT< ask me to restart my computer.
( It said finished in a little window ) I clicked OK.




gmer.log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-17 20:43:50
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\KR10I1Port1Path0Target0Lun0 TOSHIBA_ rev.____
Running: xis9vk80.exe; Driver: C:\Users\t\AppData\Local\Temp\fgldipob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x868B75A8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x868B75D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x868B75BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x868B7594]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 8246AC0E 5 Bytes JMP 868B7598 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 826419F0 5 Bytes JMP 868B75C2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 82641D79 7 Bytes JMP 868B75AC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 82651533 5 Bytes JMP 868B75D6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 008C007D
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 008C0FCA
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 008C006C
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 008C0051
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 008C0FA3
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 008C00E9
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 008C0FE5
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 008C0000
.text C:\Windows\System32\svchost.exe[1124] kernel32.dll!WinExec 779560CF 5 Bytes JMP 008C0F6D
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 009E0F97
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!system 7744805B 5 Bytes JMP 009E002C
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 009E0FD7
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_open 7744D116 5 Bytes JMP 009E0000
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 009E0FBC
.text C:\Windows\System32\svchost.exe[1124] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 009E0011
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 009F0FA8
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 009F0FCA
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 009F0000
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 009F0FB9
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 009F0F97
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 009F002C
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 009F0011
.text C:\Windows\System32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 009F0FDB
.text C:\Windows\System32\svchost.exe[1124] WS2_32.dll!socket 777636D1 5 Bytes JMP 00A0000A
.text C:\Windows\system32\svchost.exe[1156] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00950000
.text C:\Windows\system32\svchost.exe[1156] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 00950036
.text C:\Windows\system32\svchost.exe[1156] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 0095001B
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 009A00C2
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 009A0F7C
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 009A0F61
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 009A00F8
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 009A0093
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 009A001B
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 009A0040
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 009A0F8D
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 009A0082
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 009A005B
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 009A0FB9
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 009A0FD4
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 009A0F9E
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 009A0F50
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateFileW 7790B0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 009A000A
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!WinExec 779560CF 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!WinExec 779560CF 5 Bytes JMP 009A00D3
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00E00FA3
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!system 7744805B 5 Bytes JMP 00E00FB4
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00E0001D
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_open 7744D116 5 Bytes JMP 00E00FE3
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00E0002E
.text C:\Windows\system32\svchost.exe[1156] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 00E00000
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00E50F57
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00E50F8D
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00E50FEF
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 00E50F7C
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00E50014
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00E50FC3
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00E50FDE
.text C:\Windows\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00E50FB2
.text C:\Windows\system32\svchost.exe[1156] WS2_32.dll!socket 777636D1 5 Bytes JMP 00EE0000
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenA 7601D688 5 Bytes JMP 0066000A
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenUrlA 7602E296 5 Bytes JMP 00660FDE
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenW 760372A6 5 Bytes JMP 00660FEF
.text C:\Windows\system32\svchost.exe[1156] WININET.dll!InternetOpenUrlW 7608D9BA 5 Bytes JMP 00660039
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1340] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 70539A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1340] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 705399A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 000C0000
.text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 000C0025
.text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 000C0FE5
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 000D0F3A
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 000D0F55
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 000D0EFD
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 000D0F18
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 000D005B
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 000D002F
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 000D0FDE
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 000D0080
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 000D0F81
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 000D0FB9
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 000D0FA8
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 000D0040
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 000D0F66
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 000D00AF
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 000D000A
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 000D0FEF
.text C:\Windows\system32\svchost.exe[1348] kernel32.dll!WinExec 779560CF 5 Bytes JMP 000D0F29
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 000E0FBE
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!system 7744805B 5 Bytes JMP 000E003F
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 000E0FD9
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_open 7744D116 5 Bytes JMP 000E000C
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 000E002E
.text C:\Windows\system32\svchost.exe[1348] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 000E001D
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 004D0F7C
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 004D0FA8
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 004D0FEF
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 004D0F8D
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 004D0F6B
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 004D0FCD
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 004D0FDE
.text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 004D001E
.text C:\Windows\system32\svchost.exe[1348] WS2_32.dll!socket 777636D1 5 Bytes JMP 004E0FEF
.text C:\Windows\system32\svchost.exe[1420] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\svchost.exe[1420] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 001E0FCA
.text C:\Windows\system32\svchost.exe[1420] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 005C0F4A
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 005C009A
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 005C00BC
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 005C0F25
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 005C0F6F
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 005C0011
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 005C0FC0
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 005C007F
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 005C003D
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 005C0F91
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 005C0F80
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 005C0022
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 005C0064
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 005C0F0A
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 005C0000
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 005C0FE5
.text C:\Windows\system32\svchost.exe[1420] kernel32.dll!WinExec 779560CF 5 Bytes JMP 005C00AB
.text C:\Windows\system32\svchost.exe[1420] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00D80038
.text C:\Windows\system32\svchost.exe[1420] msvcrt.dll!system 7744805B 5 Bytes JMP 00D8001D
.text C:\Windows\system32\svchost.exe[1420] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00D8000C
.text C:\Windows\system32\svchost.exe[1420] msvcrt.dll!_open 7744D116 5 Bytes JMP 00D80FEF
.text C:\Windows\system32\svchost.exe[1420] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00D80FAD
.text C:\Windows\system32\svchost.exe[1420] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 00D80FDE
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00DD0040
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00DD0F9E
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00DD0FE5
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 00DD0025
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00DD0F79
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00DD0FCA
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00DD0000
.text C:\Windows\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00DD0FAF
.text C:\Windows\system32\svchost.exe[1420] WS2_32.dll!socket 777636D1 5 Bytes JMP 00E20FEF
.text C:\Windows\system32\svchost.exe[1420] WININET.dll!InternetOpenA 7601D688 5 Bytes JMP 00660FEF
.text C:\Windows\system32\svchost.exe[1420] WININET.dll!InternetOpenUrlA 7602E296 5 Bytes JMP 0066000A
.text C:\Windows\system32\svchost.exe[1420] WININET.dll!InternetOpenW 760372A6 5 Bytes JMP 00660FDE
.text C:\Windows\system32\svchost.exe[1420] WININET.dll!InternetOpenUrlW 7608D9BA 5 Bytes JMP 0066001B
.text C:\Windows\system32\svchost.exe[1772] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00760FEF
.text C:\Windows\system32\svchost.exe[1772] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 0076000A
.text C:\Windows\system32\svchost.exe[1772] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 00760FDE
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 00770F46
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 0077008C
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 00770EFF
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 00770F10
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 00770F83
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 00770FCA
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 00770FB9
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 00770F61
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 00770051
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 00770F9E
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 00770040
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 00770025
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 00770F72
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 007700BB
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 0077000A
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 00770FEF
.text C:\Windows\system32\svchost.exe[1772] kernel32.dll!WinExec 779560CF 5 Bytes JMP 00770F2B
.text C:\Windows\system32\svchost.exe[1772] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00C2005A
.text C:\Windows\system32\svchost.exe[1772] msvcrt.dll!system 7744805B 5 Bytes JMP 00C20049
.text C:\Windows\system32\svchost.exe[1772] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00C20FE3
.text C:\Windows\system32\svchost.exe[1772] msvcrt.dll!_open 7744D116 5 Bytes JMP 00C2000C
.text C:\Windows\system32\svchost.exe[1772] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00C20038
.text C:\Windows\system32\svchost.exe[1772] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 00C2001D
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00C3004A
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00C30FAF
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00C30000
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 00C30F9E
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00C30F8D
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00C30FDB
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00C3001B
.text C:\Windows\system32\svchost.exe[1772] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00C30FCA
.text C:\Windows\system32\svchost.exe[1772] WS2_32.dll!socket 777636D1 5 Bytes JMP 00C40FEF
.text C:\Windows\System32\svchost.exe[2124] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00650000
.text C:\Windows\System32\svchost.exe[2124] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 00650FC0
.text C:\Windows\System32\svchost.exe[2124] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 00650FE5
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 006600A9
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 00660F63
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 00660F26
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 00660F37
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 00660F99
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 00660FD4
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 00660025
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 00660F7E
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 00660073
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 00660047
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 00660062
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 00660036
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 0066008E
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 00660F0B
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreateFileW 7790B0EB 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 00660FEF
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 00660000
.text C:\Windows\System32\svchost.exe[2124] kernel32.dll!WinExec 779560CF 5 Bytes JMP 00660F48
.text C:\Windows\System32\svchost.exe[2124] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00810044
.text C:\Windows\System32\svchost.exe[2124] msvcrt.dll!system 7744805B 5 Bytes JMP 00810FB9
.text C:\Windows\System32\svchost.exe[2124] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00810FEF
.text C:\Windows\System32\svchost.exe[2124] msvcrt.dll!_open 7744D116 5 Bytes JMP 0081000C
.text C:\Windows\System32\svchost.exe[2124] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00810FD4
.text C:\Windows\System32\svchost.exe[2124] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 00810029
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 0082007D
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00820047
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00820000
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 0082006C
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00820098
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00820FDB
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00820011
.text C:\Windows\System32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 0082002C
.text C:\Windows\System32\svchost.exe[2124] WS2_32.dll!socket 777636D1 5 Bytes JMP 00830FE5
.text C:\Windows\system32\svchost.exe[2148] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00100FEF
.text C:\Windows\system32\svchost.exe[2148] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 0010001B
.text C:\Windows\system32\svchost.exe[2148] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 0010000A
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 00610F2F
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 00610075
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 00610EF9
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 00610090
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 00610053
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 00610000
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 0061001B
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 00610064
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 00610F79
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 00610F94
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 00610036
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 00610FA5
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 00610F5E
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 00610EE8
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 00610FCA
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 00610FEF
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!WinExec 779560CF 5 Bytes JMP 00610F14
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00630042
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!system 7744805B 5 Bytes JMP 00630FB7
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00630FD2
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_open 7744D116 5 Bytes JMP 00630FEF
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00630027
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 0063000C
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00640076
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 0064004A
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00640FEF
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 0064005B
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00640FB9
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00640FDE
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00640014
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00640039
.text C:\Windows\system32\svchost.exe[2148] WS2_32.dll!socket 777636D1 5 Bytes JMP 00650000
.text C:\Windows\system32\svchost.exe[2216] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00330000
.text C:\Windows\system32\svchost.exe[2216] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 00330FDB
.text C:\Windows\system32\svchost.exe[2216] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 00330011
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 00A00F41
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 00A00F52
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 00A000D1
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 00A000B6
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 00A00F92
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 00A00011
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 00A0002C
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 00A00F6D
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 00A00FA3
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 00A00FCA
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 00A0006C
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 00A00047
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 00A00087
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 00A000E2
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 00A00FE5
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 00A00000
.text C:\Windows\system32\svchost.exe[2216] kernel32.dll!WinExec 779560CF 5 Bytes JMP 00A00F30
.text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00A50F64
.text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!system 7744805B 5 Bytes JMP 00A50F75
.text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00A50FB5
.text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_open 7744D116 5 Bytes JMP 00A50FEF
.text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00A50F90
.text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 00A50FC6
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00A60039
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00A60FA8
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00A60FEF
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 00A60F97
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00A60F7C
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00A60FC3
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00A60FD4
.text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00A6001E
.text C:\Windows\system32\svchost.exe[2216] WS2_32.dll!socket 777636D1 5 Bytes JMP 00A70FEF
.text C:\Windows\System32\svchost.exe[2440] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[2440] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 0005001B
.text C:\Windows\System32\svchost.exe[2440] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 00050FE5
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 00060F2B
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 00060F3C
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 00060EFF
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 00060096
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 00060F83
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 00060FD4
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 00060025
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 00060F57
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 00060067
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 00060F9E
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 0006004A
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 00060FB9
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 00060F68
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 00060EEE
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreateFileW 7790B0EB 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 00060FEF
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[2440] kernel32.dll!WinExec 779560CF 5 Bytes JMP 00060F1A
.text C:\Windows\System32\svchost.exe[2440] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00080FA6
.text C:\Windows\System32\svchost.exe[2440] msvcrt.dll!system 7744805B 5 Bytes JMP 00080031
.text C:\Windows\System32\svchost.exe[2440] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00080FC1
.text C:\Windows\System32\svchost.exe[2440] msvcrt.dll!_open 7744D116 5 Bytes JMP 00080FE3
.text C:\Windows\System32\svchost.exe[2440] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00080016
.text C:\Windows\System32\svchost.exe[2440] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 00080FD2
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00090040
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00090FAF
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00090000
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 00090F94
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00090051
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00090025
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00090FE5
.text C:\Windows\System32\svchost.exe[2440] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00090FD4
.text C:\Windows\Explorer.EXE[3492] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00040FEF
.text C:\Windows\Explorer.EXE[3492] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 00040011
.text C:\Windows\Explorer.EXE[3492] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 00040000
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 000100B8
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 00010F72
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 00010F35
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 00010F46
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 00010F9E
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 00010FDE
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 00010025
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 0001009D
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 0001006C
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 00010FAF
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 0001005B
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 00010036
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 00010F8D
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 000100F1
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreateFileW 7790B0EB 1 Byte [E9]
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 00010FEF
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 0001000A
.text C:\Windows\Explorer.EXE[3492] kernel32.dll!WinExec 779560CF 5 Bytes JMP 00010F61
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00330F8D
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00330FA8
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00330FEF
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 0033002F
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00330F7C
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00330FCA
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00330000
.text C:\Windows\Explorer.EXE[3492] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00330FB9
.text C:\Windows\Explorer.EXE[3492] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00340038
.text C:\Windows\Explorer.EXE[3492] msvcrt.dll!system 7744805B 5 Bytes JMP 00340FB7
.text C:\Windows\Explorer.EXE[3492] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00340FC8
.text C:\Windows\Explorer.EXE[3492] msvcrt.dll!_open 7744D116 5 Bytes JMP 00340FE3
.text C:\Windows\Explorer.EXE[3492] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 0034001D
.text C:\Windows\Explorer.EXE[3492] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 0034000C
.text C:\Windows\Explorer.EXE[3492] WS2_32.dll!socket 777636D1 5 Bytes JMP 0189000A
.text C:\Windows\Explorer.EXE[3492] WININET.dll!InternetOpenA 7601D688 5 Bytes JMP 069E0FEF
.text C:\Windows\Explorer.EXE[3492] WININET.dll!InternetOpenUrlA 7602E296 5 Bytes JMP 069E001B
.text C:\Windows\Explorer.EXE[3492] WININET.dll!InternetOpenW 760372A6 5 Bytes JMP 069E0000
.text C:\Windows\Explorer.EXE[3492] WININET.dll!InternetOpenUrlW 7608D9BA 5 Bytes JMP 069E002C
.text C:\Windows\system32\svchost.exe[3548] ntdll.dll!NtCreateFile 777F4244 5 Bytes JMP 00040FEF
.text C:\Windows\system32\svchost.exe[3548] ntdll.dll!NtCreateProcess 777F4304 5 Bytes JMP 00040FC3
.text C:\Windows\system32\svchost.exe[3548] ntdll.dll!NtProtectVirtualMemory 777F4BA4 5 Bytes JMP 00040FD4
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!GetStartupInfoW 778C1929 5 Bytes JMP 000100CE
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!GetStartupInfoA 778C19C9 5 Bytes JMP 000100BD
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!CreateProcessW 778C1BF3 5 Bytes JMP 0001011F
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!CreateProcessA 778C1C28 5 Bytes JMP 00010104
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!VirtualProtect 778C1DC3 5 Bytes JMP 0001007D
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!CreateNamedPipeA 778C2EF5 5 Bytes JMP 00010FDE
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!CreateNamedPipeW 778C5C0C 5 Bytes JMP 0001002F
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!CreatePipe 778E8F06 5 Bytes JMP 000100A2
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!LoadLibraryExW 778E927C 5 Bytes JMP 0001006C
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!LoadLibraryW 778E9400 5 Bytes JMP 0001005B
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!LoadLibraryExA 778E9554 5 Bytes JMP 00010FB9
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!LoadLibraryA 778E957C 5 Bytes JMP 00010040
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!VirtualProtectEx 778EDC52 5 Bytes JMP 00010F92
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!GetProcAddress 7790925B 5 Bytes JMP 00010F6D
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!CreateFileW 7790B0EB 5 Bytes JMP 0001000A
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!CreateFileA 7790D07F 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[3548] kernel32.dll!WinExec 779560CF 5 Bytes JMP 000100E9
.text C:\Windows\system32\svchost.exe[3548] msvcrt.dll!_wsystem 77447F3F 5 Bytes JMP 00060022
.text C:\Windows\system32\svchost.exe[3548] msvcrt.dll!system 7744805B 5 Bytes JMP 00060F97
.text C:\Windows\system32\svchost.exe[3548] msvcrt.dll!_creat 7744BBF1 5 Bytes JMP 00060FBC
.text C:\Windows\system32\svchost.exe[3548] msvcrt.dll!_open 7744D116 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[3548] msvcrt.dll!_wcreat 7744D336 5 Bytes JMP 00060011
.text C:\Windows\system32\svchost.exe[3548] msvcrt.dll!_wopen 7744D511 5 Bytes JMP 00060000
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyExA 776B39AB 5 Bytes JMP 00070F83
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyA 776B3BA9 5 Bytes JMP 00070FAF
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyA 776B89C7 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyW 776C391E 5 Bytes JMP 00070F9E
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegCreateKeyExW 776C41F1 5 Bytes JMP 00070F72
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyExA 776C7C42 5 Bytes JMP 00070011
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyW 776CE2B5 5 Bytes JMP 00070FDB
.text C:\Windows\system32\svchost.exe[3548] ADVAPI32.dll!RegOpenKeyExW 776D7BA1 5 Bytes JMP 00070FC0
.text C:\Windows\system32\svchost.exe[3548] WS2_32.dll!socket 777636D1 5 Bytes JMP 00080000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\mfevtps.exe[332] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [003EA4D0] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\system32\mfevtps.exe[332] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [003EA530] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Edited by insatiable ONE, 17 May 2012 - 10:48 PM.


#4 m0le
Malware Response Team

Posted 18 May 2012 - 08:03 PM

We need to decide whether these problems are system or malware. Please run aswMBR and attempt OTL too.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

And

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

m0le is a proud member of UNITE

#5 insatiable ONE
Topic Starter

Posted 22 May 2012 - 11:01 PM
Posted 22 May 2012 - 11:01 PM

aswMBR

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-22 20:32:49
-----------------------------
20:32:49.546 OS Version: Windows 6.0.6002 Service Pack 2
20:32:49.546 Number of processors: 2 586 0xF02
20:32:49.562 ComputerName: TDJ UserName: t
20:33:24.100 Initialize success
20:34:34.161 AVAST engine defs: 12052201
20:34:38.342 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\KR10I1Port1Path0Target0Lun0
20:34:38.357 Disk 0 Vendor: TOSHIBA_ ____ Size: 76317MB BusType: 1
20:34:38.373 Disk 0 MBR read successfully
20:34:38.373 Disk 0 MBR scan
20:34:38.466 Disk 0 Windows VISTA default MBR code
20:34:38.498 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
20:34:38.529 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 69312 MB offset 3074048
20:34:38.576 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 5504 MB offset 145025024
20:34:38.607 Disk 0 scanning sectors +156297216
20:34:38.856 Disk 0 scanning C:\Windows\system32\drivers
20:35:11.039 Service scanning
20:35:46.670 Modules scanning
20:35:56.342 Disk 0 trace - called modules:
20:35:56.388 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll SCSIPORT.SYS kr10i.sys
20:35:56.466 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8583fac8]
20:35:56.482 3 CLASSPNP.SYS[86dce8b3] -> nt!IofCallDriver -> \Device\THPDRV[0x85639938]
20:35:56.482 5 thpdrv.sys[86d5f6ff] -> nt!IofCallDriver -> \Device\Scsi\KR10I1Port1Path0Target0Lun0[0x84be8030]
20:35:57.465 AVAST engine scan C:\Windows
20:36:01.178 AVAST engine scan C:\Windows\system32
20:42:00.851 AVAST engine scan C:\Windows\system32\drivers
20:42:21.334 AVAST engine scan C:\Users\t
20:44:36.570 AVAST engine scan C:\ProgramData
20:45:22.263 Scan finished successfully
20:46:50.787 Disk 0 MBR has been saved successfully to "C:\Users\t\Desktop\aswMBR\MBR.dat"
20:46:50.928 The log file has been saved successfully to "C:\Users\t\Desktop\aswMBR\aswMBR.txt"

OTL.txt

OTL logfile created on: 5/22/2012 8:50:09 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\t\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.19 Mb Total Physical Memory | 267.93 Mb Available Physical Memory | 26.42% Memory free
2.23 Gb Paging File | 1.08 Gb Available in Paging File | 48.30% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 67.69 Gb Total Space | 35.30 Gb Free Space | 52.15% Space Free | Partition Type: NTFS

Computer Name: TDJ | User Name: t | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/22 20:48:34 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\t\Downloads\OTL.exe
PRC - [2012/03/31 16:39:50 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/03/21 21:16:10 | 001,318,816 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2012/03/20 13:11:32 | 000,151,880 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2012/03/20 13:05:00 | 000,161,632 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2012/03/20 13:04:32 | 000,166,288 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/04/08 13:59:50 | 000,419,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MAT\McPvTray.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/19 00:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/01/25 18:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/12/20 00:16:44 | 000,411,768 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2006/12/20 00:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2006/12/03 17:51:38 | 000,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\upeksvr.exe
PRC - [2006/11/25 03:05:18 | 000,531,264 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\ThpSrv.exe
PRC - [2006/11/14 21:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2006/11/10 15:22:26 | 000,417,792 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
PRC - [2006/10/31 23:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2006/10/31 21:39:18 | 000,049,152 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
PRC - [2006/10/31 20:56:52 | 000,151,216 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Accelerometer Utilities\TAcelMgr\TAcelMgr.exe
PRC - [2006/10/31 20:55:44 | 000,057,008 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Accelerometer Utilities\Shaker\TSkrMain.exe
PRC - [2006/10/31 19:12:54 | 000,691,888 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
PRC - [2006/10/31 10:12:24 | 001,495,123 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\KRaidMan.exe
PRC - [2006/10/25 21:34:54 | 000,233,555 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
PRC - [2006/09/12 09:03:20 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/05/25 19:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/31 16:39:49 | 001,969,080 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2007/02/26 14:25:16 | 000,180,224 | ---- | M] () -- C:\Windows\System32\igfxTMM.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/04/19 23:51:58 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/22 19:29:08 | 000,361,976 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2012/03/20 13:11:32 | 000,151,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2012/03/20 13:05:00 | 000,161,632 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2012/03/20 13:04:32 | 000,166,288 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2009/06/03 02:41:40 | 000,068,528 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2008/01/19 00:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/01/25 18:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/12/20 00:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2006/11/25 03:05:18 | 000,531,264 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\ThpSrv.exe -- (Thpsrv)
SRV - [2006/11/14 21:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/10/31 23:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2006/10/25 21:34:54 | 000,233,555 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe -- (kraidsvc)
SRV - [2006/09/12 09:03:20 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/05/25 19:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\t\AppData\Local\Temp\aswMBR.sys -- (aswMBR)
DRV - [2012/02/22 13:29:46 | 000,464,304 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2012/02/22 13:29:46 | 000,340,920 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2012/02/22 13:29:46 | 000,180,848 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2012/02/22 13:29:46 | 000,169,608 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2012/02/22 13:29:46 | 000,121,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2012/02/22 13:29:46 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2012/02/22 13:29:46 | 000,064,912 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2012/02/22 13:29:46 | 000,059,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2012/02/22 13:29:46 | 000,057,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/05/18 08:13:46 | 000,231,112 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2011/04/11 14:29:16 | 000,064,048 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\McPvDrv.sys -- (McPvDrv)
DRV - [2010/04/13 20:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/06/01 06:58:52 | 000,009,728 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2008/11/17 15:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®
DRV - [2008/02/15 22:27:00 | 000,330,752 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/01/19 00:42:12 | 000,045,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2007/09/26 13:12:22 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/09/04 01:30:24 | 000,013,336 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\Thpevm.sys -- (Thpevm)
DRV - [2007/02/08 13:46:16 | 000,016,896 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\Thpdrv.sys -- (Thpdrv)
DRV - [2006/11/21 14:57:36 | 000,113,792 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2006/11/20 18:55:16 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2006/11/09 15:32:28 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/02 18:41:00 | 000,053,504 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfSnd.sys -- (TosRfSnd)
DRV - [2006/10/30 09:42:28 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2006/10/28 01:29:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2006/10/18 12:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/18 02:51:04 | 000,010,496 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TBtnKey.sys -- (TBtnKey)
DRV - [2006/10/10 20:33:22 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosporte.sys -- (tosporte)
DRV - [2006/10/05 23:13:12 | 000,016,768 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ.SYS -- (TVALZ)
DRV - [2006/10/05 17:07:46 | 000,073,600 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfhid.sys -- (Tosrfhid)
DRV - [2006/09/27 20:06:56 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/08/31 07:53:00 | 001,161,152 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/08/30 10:35:58 | 000,140,800 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2006/07/06 14:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/09/27 16:57:38 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2005/08/01 17:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2005/07/11 19:58:56 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Toshidpt.sys -- (toshidpt)
DRV - [2005/01/06 14:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfnds.sys -- (tosrfnds)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\..\SearchScopes,DefaultScope = {9D1AE282-6553-47AC-A971-F8B3A355F7F5}
IE - HKLM\..\SearchScopes\{9D1AE282-6553-47AC-A971-F8B3A355F7F5}: "URL" = http://www.google.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.xdtalk.com/
IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..\SearchScopes\{75E0DEAA-A1EA-4AE8-973A-9EAD33DBCC10}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&mkt=en-us&FORM=IE7COM
IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..\SearchScopes\{9D1AE282-6553-47AC-A971-F8B3A355F7F5}: "URL" = http://www.google.com
IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={searchTerms}
IE - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.4.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: web@veoh.com:1.4
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.0.20080712
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files\McAfee\Supportability\MVT\npmvtplugin.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/01/16 03:04:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/03/03 05:25:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012/05/20 16:18:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/31 16:44:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/31 16:44:19 | 000,000,000 | ---D | M]

[2008/09/08 03:39:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\t\AppData\Roaming\Mozilla\Extensions
[2012/05/20 16:02:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\t\AppData\Roaming\Mozilla\Firefox\Profiles\xxj8ktde.default\extensions
[2012/05/20 16:02:28 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\t\AppData\Roaming\Mozilla\Firefox\Profiles\xxj8ktde.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/03/04 11:23:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/04 11:23:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/03/04 11:23:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/03/04 11:23:31 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/05/20 16:18:21 | 000,000,000 | ---D | M] (McAfee ScriptScan for Firefox) -- C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE
[2012/03/22 16:25:15 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\T\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XXJ8KTDE.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/03/31 16:39:52 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/10/13 22:28:54 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2012/03/31 16:39:43 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/03/31 16:39:43 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120428013719.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Kraidman] C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\KRaidMan.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [MBkLogonHook] File not found
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [McPvTray_exe] C:\Program Files\McAfee\MAT\McPvTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\TOSHIBA Accelerometer Utilities\TAcelMgr\TAcelMgr.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ThpSrv] C:\Windows\System32\thpsrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosAutLk] C:\Program Files\TOSHIBA\WirelessKeyLogon\TosAutLk.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [TOSDCR] C:\Program Files\TOSHIBA\PasswordUtility\TOSDCR.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TRot.exe] C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TSkrMain] C:\Program Files\TOSHIBA\TOSHIBA Accelerometer Utilities\Shaker\TSkrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1342928048-1027911057-246362943-1003..\Run: [JiKJGqSIsOjjAl.exe] C:\ProgramData\JiKJGqSIsOjjAl.exe File not found
O4 - HKU\S-1-5-21-1342928048-1027911057-246362943-1003..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1342928048-1027911057-246362943-1003\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{676DB318-7004-4BF6-89DC-B0165B65F649}: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{892F3FE5-A78C-4A94-8E69-A99365BBEE41}: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\psfus: DllName - (C:\Windows\system32\psqlpwd.dll) - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Toshiba-Tablet3.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Toshiba-Tablet3.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/22 20:46:25 | 000,000,000 | ---D | C] -- C:\Users\t\Desktop\aswMBR
[2012/05/17 20:45:15 | 000,172,032 | ---- | C] (Intel Corporation) -- C:\Windows\System32\igfxres.dll
[2012/05/08 17:21:38 | 001,069,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2012/05/08 17:21:37 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2012/05/08 17:21:37 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2012/05/08 17:21:36 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2012/05/08 17:21:35 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2012/05/08 17:21:15 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2012/05/08 17:21:14 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/05/08 17:21:12 | 002,044,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/05/01 00:30:36 | 000,000,000 | ---D | C] -- C:\Users\t\AppData\Roaming\Leadertech

========== Files - Modified Within 30 Days ==========

[2012/05/22 20:39:04 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/22 20:21:32 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/22 20:21:32 | 000,003,296 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/22 20:21:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/17 19:59:24 | 000,000,539 | ---- | M] () -- C:\Users\t\Desktop\Defogger - Shortcut.lnk
[2012/05/17 19:58:58 | 000,000,508 | ---- | M] () -- C:\Users\t\Desktop\dds - Shortcut.lnk
[2012/05/17 19:54:09 | 000,000,000 | ---- | M] () -- C:\Users\t\defogger_reenable
[2012/05/17 16:55:59 | 000,001,356 | ---- | M] () -- C:\Users\t\AppData\Local\d3d9caps.dat
[2012/05/09 17:39:13 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/05/09 17:39:12 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/05/09 03:53:09 | 000,385,176 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/05/09 03:19:02 | 000,613,080 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/05/09 03:19:02 | 000,108,110 | ---- | M] () -- C:\Windows\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2012/05/17 19:59:24 | 000,000,539 | ---- | C] () -- C:\Users\t\Desktop\Defogger - Shortcut.lnk
[2012/05/17 19:58:58 | 000,000,508 | ---- | C] () -- C:\Users\t\Desktop\dds - Shortcut.lnk
[2012/05/17 19:54:09 | 000,000,000 | ---- | C] () -- C:\Users\t\defogger_reenable
[2012/04/14 05:12:05 | 000,001,356 | ---- | C] () -- C:\Users\t\AppData\Local\d3d9caps.dat
[2012/03/30 23:17:08 | 000,000,000 | ---- | C] () -- C:\ProgramData\-8PWR8e71ZgSwUZr

< End of report >

EXTRAS.Txt

OTL Extras logfile created on: 5/22/2012 8:50:09 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\t\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.19 Mb Total Physical Memory | 267.93 Mb Available Physical Memory | 26.42% Memory free
2.23 Gb Paging File | 1.08 Gb Available in Paging File | 48.30% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 67.69 Gb Total Space | 35.30 Gb Free Space | 52.15% Space Free | Partition Type: NTFS

Computer Name: TDJ | User Name: t | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1342928048-1027911057-246362943-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" /n /dde
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- ()


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{26D350CC-444B-45DF-A61B-5B8DA1470AD6}" = lport=2869 | protocol=6 | dir=in | app=system |
"{8DC9E5E8-0700-45EF-AF3B-874296B758F1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0DCDCD7D-2AB1-47B7-B01A-1B7950730092}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{15B0AE70-10C0-425A-A995-18DD6B172E76}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{18596DF6-70A8-44EA-BABF-513751D57DF7}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{4B1FB9E8-7636-4D94-9663-074E7759535D}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{71ACC9EA-1304-4323-B86B-5AEA1091E7C8}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{848910A1-D508-40CA-B47A-9791F6804737}" = protocol=6 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{872D4CBB-0A19-41CE-81C6-84014FA3CD49}" = protocol=17 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{957B289D-622A-400E-BC16-7C062DE965AD}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{AC8FBED7-31FB-4478-9061-ADAF480D7CCB}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{AEF9D503-FAE3-434C-AAB7-81C2A212CA83}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{B9346A7A-743E-470A-9E01-D4914D122533}" = protocol=17 | dir=out | app=c:\program files\windows media player\wmplayer.exe |
"{CA7EA196-32E4-46AC-B974-DC59D6DAE23C}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{D4DFC924-C8F1-414A-8FF4-EFBE0025F880}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F732D7C6-EF5A-4DE6-B7A0-FBB6C16F9450}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F9522A7F-8494-447A-BB70-5E78E9811B9D}" = protocol=17 | dir=in | app=c:\program files\windows media player\wmplayer.exe |
"{FA3D743D-9F42-4F5A-BDD1-79D48296863B}" = protocol=6 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{FDB53A27-E7BE-4FF8-A429-10F2D83A1A1D}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"TCP Query User{4207BFAA-3C4D-4EA3-B6DF-D5E3D58982A4}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"TCP Query User{F55296D8-E37C-4EED-ACAC-94CA472E7CF8}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"UDP Query User{8CCE14D7-1313-44F7-AC71-715F490CBB6F}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"UDP Query User{B1CA7288-F913-4F47-A31E-A357708154F8}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{10113A44-CBFF-4FF7-8A13-BD1EC4180C56}" = Protector Suite QL 5.6
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1E63ACB5-D45E-4856-8FC9-78F4B0D7BB80}" = TOSHIBA Security Assist
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3AAA33B1-908B-42B0-A766-6EF3D15D8CE3}" = TOSHIBA Mic Effect MUI
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E6FA9D9-D4CA-492B-AE98-83A2D853A355}" = TOSHIBA RAID Utility
"{3FA13137-DE7F-47CF-ABC8-6BE20863E329}" = TOSHIBA Tablet PC Extension
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.1
"{AC971CEE-1480-479D-81AF-1CB4D10467B0}" = TOSHIBA Tablet Access Code Logon Utility
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{BBF5493A-05FB-4449-90DE-84A61EB78154}" = TOSHIBA SD Memory Boot Utility
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = TIPCI
"{FC4C645F-8EBC-4F1E-A517-D1505B43A374}" = TOSHIBA Wireless Key Logon
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"Agere Systems Soft Modem" = TOSHIBA Software Modem
"Desktop Dialer" = Desktop Dialer
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"InstallShield_{3FA13137-DE7F-47CF-ABC8-6BE20863E329}" = TOSHIBA Tablet PC Extension
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"McAfee MBack" = McAfee Backup and Restore
"McAfee Virtual Technician" = McAfee Virtual Technician
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"MSC" = McAfee Total Protection
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/22/2012 7:49:16 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:16 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:22 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:23 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:28 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:28 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:32 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:32 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:36 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

Error - 3/22/2012 7:49:36 PM | Computer Name = TDJ | Source = Windows Search Service | ID = 3013
Description =

[ System Events ]
Error - 5/18/2012 2:27:49 PM | Computer Name = TDJ | Source = WacomPen | ID = 327683
Description = The device has been removed.

Error - 5/19/2012 1:13:26 PM | Computer Name = TDJ | Source = WacomPen | ID = 327683
Description = The device has been removed.

Error - 5/19/2012 1:14:06 PM | Computer Name = TDJ | Source = Service Control Manager | ID = 7011
Description =

Error - 5/20/2012 7:12:49 PM | Computer Name = TDJ | Source = EventLog | ID = 6008
Description = The previous system shutdown at 4:11:13 PM on 5/20/2012 was unexpected.

Error - 5/20/2012 7:14:20 PM | Computer Name = TDJ | Source = Service Control Manager | ID = 7034
Description =

Error - 5/20/2012 7:16:14 PM | Computer Name = TDJ | Source = Service Control Manager | ID = 7026
Description =

Error - 5/20/2012 7:26:55 PM | Computer Name = TDJ | Source = PlugPlayManager | ID = 12
Description = The device 'Wacom Serial Pen Tablet' (ACPI\WACF004\4&95472de&0) disappeared
from the system without first being prepared for removal.

Error - 5/20/2012 7:26:58 PM | Computer Name = TDJ | Source = WacomPen | ID = 327683
Description = The device has been removed.

Error - 5/20/2012 11:56:43 PM | Computer Name = TDJ | Source = WacomPen | ID = 327683
Description = The device has been removed.

Error - 5/22/2012 8:09:44 PM | Computer Name = TDJ | Source = WacomPen | ID = 327683
Description = The device has been removed.


< End of report >
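
The OTL report above is the last log in this post. As an added triage example (my own code, not OTL's, not m0le's, and not anything the thread itself runs), the script below parses O4 autorun lines and the FirewallPolicy block in that report format and flags the entries a responder would look at first: launch points whose file is missing, binaries in user-writable folders such as C:\ProgramData, random-looking names of the JiKJGqSIsOjjAl.exe kind, and profiles with EnableFirewall = 0. The sample lines are copied or abbreviated from the log above; the heuristics (the prefix list and the 0.5 case-flip ratio) are assumptions of mine, not OTL rules.

```python
"""Triage helper for OTL-style O4 autorun lines and firewall-policy keys.

Added example, not part of the BleepingComputer thread or of OTL itself.
Every flagging rule here is a crude heuristic of my own, not OTL logic.
"""
import os
import re
from typing import List, Optional

# Constructed sample in the OTL report format: the O4 and FirewallPolicy
# lines are copied or abbreviated from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MBkLogonHook] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1342928048-1027911057-246362943-1003..\Run: [JiKJGqSIsOjjAl.exe] C:\ProgramData\JiKJGqSIsOjjAl.exe File not found
O4 - HKU\S-1-5-21-1342928048-1027911057-246362943-1003..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
TARGET_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^)]*)\)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<k>[^"]+)" = (?P<v>.+)$')

MISSING = "File not found"
# Assumed list of locations a standard user can write to (heuristic).
USER_WRITABLE_PREFIXES = ("c:\\programdata", "c:\\users", "c:\\windows\\temp")


def parse_o4_line(line: str) -> Optional[dict]:
    """Split one O4 line into hive, value name, target path, company, presence."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    path = company = None
    present = True
    if rest == MISSING:                       # orphaned value, no path at all
        present = False
    elif rest.endswith(" " + MISSING):        # path recorded but file is gone
        path, present = rest[: -len(" " + MISSING)], False
    else:
        t = TARGET_RE.match(rest)             # "path (Company)" form
        if t:
            path, company = t.group("path"), t.group("company")
        else:
            path = rest
    return {"hive": m.group("hive"), "name": m.group("name"),
            "path": path, "company": company, "present": present}


def looks_random(name: str) -> bool:
    """Heuristic: long, letters-only stem whose case flips on half its characters."""
    stem = os.path.splitext(name)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips / len(stem) >= 0.5


def flag_entry(entry: dict) -> List[str]:
    """Return the list of triage flags for a parsed O4 entry (may be empty)."""
    flags = []
    if not entry["present"]:
        flags.append("file missing")
    path = entry["path"]
    if path and path.lower().startswith(USER_WRITABLE_PREFIXES):
        flags.append("user-writable location")
    if looks_random(entry["name"]):
        flags.append("random-looking name")
    return flags


def triage_autoruns(report: str) -> List[dict]:
    """Parse every O4 line in an OTL report and attach triage flags."""
    entries = []
    for line in report.splitlines():
        e = parse_o4_line(line)
        if e:
            e["flags"] = flag_entry(e)
            entries.append(e)
    return entries


def disabled_firewall_profiles(report: str) -> List[str]:
    """Names of FirewallPolicy profiles whose EnableFirewall value is 0."""
    disabled, current = [], None
    for line in report.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:                                 # new registry key header
            key = k.group("key")
            current = key.rsplit("\\", 1)[-1] if "FirewallPolicy\\" in key else None
            continue
        v = VALUE_RE.match(line)
        if current and v and v.group("k") == "EnableFirewall" and v.group("v").strip() == "0":
            disabled.append(current)
    return disabled


if __name__ == "__main__":
    for e in triage_autoruns(SAMPLE_LOG):
        if e["flags"]:
            print(f"{e['name']:22} {e['path'] or '(no path)'}  <- {', '.join(e['flags'])}")
    print("Firewall disabled in:", disabled_firewall_profiles(SAMPLE_LOG))
```

Run as-is it reports the two flagged launch points and the two profiles with the firewall off; `triage_autoruns` takes the whole report text, so a real OTL.Txt can be passed in unchanged. A "file missing" flag on its own is often just a leftover from uninstalled software, so the flags are prompts for a human to check, not verdicts.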

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:44 AM

Posted 23 May 2012 - 07:46 PM

I can't find a single thing to show any evidence of an attack, so please run a longer, more detailed scan with ESET. If I can find some remnants then I can work backwards.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.
m0le is a proud member of UNITE

#7 insatiable ONE

insatiable ONE
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 24 May 2012 - 10:03 AM

Hmm...



No threats found after running the scan.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:44 AM

Posted 24 May 2012 - 02:40 PM

Looks like the system itself is clean - ESET rarely comes back absolutely clean. However, it is generally accepted that you should err on the side of caution and carry out these precautions.

Anytime you encounter a malware infection on your computer or believe it has been hacked, especially if that computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately, to include those used for taxes, email, eBay, PayPal and any other online activities. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.


Have you had any further spam since I started looking at your machine?
m0le is a proud member of UNITE

#9 insatiable ONE

insatiable ONE
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 24 May 2012 - 07:44 PM

Yes, I am getting the same spam emails with my address as the sender.
I just now checked: two that I saw as of yesterday.

I have changed my passwords several times in the past couple weeks.
Will try from another machine as suggested.

Here is a simple copy/paste from my Yahoo page.
I could forward it if you would like to look at it.
They keep changing the contact email.



Part-Time Work
Hide Details

FROM:



TO:



Message flagged
Wednesday, May 23, 2012 12:18 PM
I would like to take this time to welcome you to our hiring process and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is $2000 per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (US time).

Region: United States.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position please reply to Marla@usaopmgov.com with your personal identification number for this position IDNO: 8259

Edited by m0le, 04 June 2012 - 06:05 PM.
removed email addresses


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:44 AM

Posted 25 May 2012 - 05:23 PM

Yeah, you have to change it from a clean machine. Do that and let's see if they continue.
m0le is a proud member of UNITE

#11 insatiable ONE

insatiable ONE
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 27 May 2012 - 06:43 PM

OK, this truly sucks.
I changed all my passwords again from a different computer. Asked my mom to use hers yesterday.

Today this...
Open Vacancy - Working Part or Full Time
Hide Details

FROM:



TO:



Message flagged
Sunday, May 27, 2012 1:13 PM
I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is $2000 per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (US time).

Region: United States.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position
please reply to Linda@usaopmgov.com with your personal identification number for this position IDNO: 6532

Edited by m0le, 03 June 2012 - 06:19 AM.
removed email address


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:44 AM

Posted 27 May 2012 - 07:25 PM

Okay, let's see if we can find something here

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And SAS

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.

m0le is a proud member of UNITE

#13 insatiable ONE

insatiable ONE
  • Topic Starter

  • Members
  • 19 posts
  • Local time:02:44 AM

Posted 29 May 2012 - 05:14 PM

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
t :: TDJ [administrator]

5/29/2012 1:44:21 PM
mbam-log-2012-05-29 (13-44-21).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 291995
Time elapsed: 1 hour(s), 28 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|JiKJGqSIsOjjAl.exe (Rogue.Agent.SA) -> Data: C:\ProgramData\JiKJGqSIsOjjAl.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/29/2012 at 04:47 PM

Application Version : 5.0.1150

Core Rules Database Version : 8655
Trace Rules Database Version: 6467

Scan type : Complete Scan
Total Scan Time : 01:00:50

Operating System Information
Windows Vista Business 32-bit, Service Pack 2 (Build 6.00.6002)
UAC On - Limited User (Administrator User)

Memory items scanned : 784
Memory threats detected : 0
Registry items scanned : 32997
Registry threats detected : 0
File items scanned : 34533
File threats detected : 2

Adware.Tracking Cookie
.imrworldwide.com [ C:\USERS\T\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XXJ8KTDE.DEFAULT\COOKIES.SQLITE ]
.imrworldwide.com [ C:\USERS\T\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XXJ8KTDE.DEFAULT\COOKIES.SQLITE ]

There are six more emails in my spam folder as above this morning.
See if this helps.

Edited by insatiable ONE, 29 May 2012 - 06:52 PM.
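The Malwarebytes log above has a fixed shape that is easy to triage by machine: each section announces its count, and each detection line carries the location, the detection name and the action taken. As an added example (not part of this thread and not Malwarebytes' own tooling), here is a Python parser that pulls those fields out, checks the announced counts against the lines actually present, and flags the entries a responder looks at first: anything registered under a Run or RunOnce key, and anything MBAM did not report as removed successfully (the reboot case mentioned earlier in the thread). The sample log is constructed from the two detection lines quoted in the post, with a shortened header; treating any action string other than "Quarantined and deleted successfully." as a removal still pending is my assumption, not Malwarebytes' documented behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the MBAM 1.x log quoted above. The two
# detection lines are copied from the post; the header is shortened.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.06

Scan type: Full scan
Objects scanned: 291995

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|JiKJGqSIsOjjAl.exe (Rogue.Agent.SA) -> Data: C:\ProgramData\JiKJGqSIsOjjAl.exe -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)
"""

# "<Section> Detected: <n>" opens a block of detection lines that ends at a blank line.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<location> (<family>) -> [Data: <path> -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Autostart locations: the Run / RunOnce keys of HKCU, HKLM or a loaded user hive.
AUTORUN_RE = re.compile(
    r"^HK(?:CU|LM|U\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?(?:\\|\||$)",
    re.IGNORECASE,
)


@dataclass
class Detection:
    section: str
    location: str        # registry key, "key|value", or file path
    family: str          # MBAM's detection name, e.g. Rogue.Agent.SA
    data: Optional[str]  # the value data (a path) for registry values, else None
    action: str          # what MBAM did with it

    @property
    def is_autorun(self) -> bool:
        return AUTORUN_RE.match(self.location) is not None

    @property
    def removal_confirmed(self) -> bool:
        # "Quarantined and deleted successfully." is the wording seen on the page;
        # anything else is assumed here to need follow-up (reboot and rescan).
        return self.action.endswith("successfully.")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return the per-section counts and the individual detections."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None            # a blank line closes the current section
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            counts[section] = int(m.group("count"))
            continue
        if section is None or line.startswith("("):
            continue                  # header lines and "(No malicious items detected)"
        e = ENTRY_RE.match(line)
        if not e:
            continue
        parts = [p.strip() for p in e.group("rest").split("->")]
        data = next((p[len("Data:"):].strip() for p in parts[:-1] if p.startswith("Data:")), None)
        detections.append(Detection(section, e.group("location"), e.group("family"), data, parts[-1]))
    return counts, detections


def check_counts(counts: Dict[str, int], detections: List[Detection]) -> List[str]:
    """Sections whose announced count does not match the lines actually parsed."""
    return [s for s, n in counts.items() if n != sum(d.section == s for d in detections)]


def autorun_entries(detections: List[Detection]) -> List[Detection]:
    """Detections that were registered to start with the user's session or the machine."""
    return [d for d in detections if d.is_autorun]


def needs_followup(detections: List[Detection]) -> List[Detection]:
    """Detections MBAM did not report as removed successfully."""
    return [d for d in detections if not d.removal_confirmed]


if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("sections:", counts)
    for d in autorun_entries(dets):
        print(f"AUTORUN {d.family}: {d.location} -> {d.data}")
    print("count mismatches:", check_counts(counts, dets))
    print("needs follow-up:", [d.location for d in needs_followup(dets)])
```

Run stand-alone it prints the section counts and the single Run-key entry; to use it on another report, pass the text of the saved mbam-log-*.txt file to parse_mbam_log instead of SAMPLE_LOG.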


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:44 AM

Posted 29 May 2012 - 07:31 PM

There's a couple of registry entries but nothing that could be causing this.

Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot, image not preserved]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot, image not preserved]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#15 insatiable ONE

insatiable ONE
  • Topic Starter

  • Members
  • 19 posts
  • Local time:02:44 AM

Posted 30 May 2012 - 08:08 AM

I have been having a little bit of a time loading internet pages this morning.

Anyways I tried running the above after changing the program to comfix.exe, disabling AV & firewall.
Received the blue screen saying... some sort of file drive warning.... my computer did a bug dump? well it crashed and restarted with the option to start normally or in safe mode start up page.

I will try it again after getting up this afternoon.



