Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

isearch.fantasigames malware infected my computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 8th, 2013, 11:39 am

Whenever I pull up a web browser (I.E. or Google Chrome) it puts Isearch.fantasigames in the URL. I got this from downloading a bad version of Adobe PDF reader. Not paying attention! Please help if you can. Logs posted below

Thanks Matt



DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/29/2013 12:58:46 PM
System Uptime: 4/5/2013 10:22:50 AM (1 hours ago)
.
Motherboard: LENOVO | | LENOVO
Processor: Intel(R) Celeron(R) CPU E3400 @ 2.60GHz | CPU 1 | 2603/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 287 GiB total, 133.647 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 149.956 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 1 GiB total, 0.446 GiB free.
Z: is FIXED (NTFS) - 10 GiB total, 2.371 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP24: 4/2/2013 1:51:57 PM - Windows Backup
RP25: 4/3/2013 3:00:15 AM - Windows Update
RP26: 4/4/2013 3:00:14 AM - Windows Update
RP27: 4/5/2013 3:00:14 AM - Windows Update
RP28: 4/5/2013 8:54:22 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.02)
avast! Free Antivirus
Canon Easy-PhotoPrint EX
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MG2100 series MP Drivers
Canon MG2100 series On-screen Manual
Canon MG2100 series User Registration
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
CCleaner
FileHippo.com Update Checker
Google Chrome
Google Update Helper
Microsoft .NET Framework 4 Client Profile
Microsoft Mouse and Keyboard Center
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
NETGEAR WNDA3100v2 wireless USB 2.0 adapter
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
.
==== Event Viewer Messages From Past Week ========
.
4/5/2013 8:56:34 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition.
4/5/2013 8:56:31 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Service Pack 1 for Microsoft Office 2010 (KB2510690) 32-bit Edition.
4/5/2013 8:56:16 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition.
4/5/2013 8:56:13 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition.
4/5/2013 8:56:09 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2566458), 32-Bit Edition.
4/5/2013 8:56:06 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Office File Validation 2010 (KB2553065), 32-bit Edition.
4/5/2013 8:56:03 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition.
4/5/2013 8:56:00 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition.
4/5/2013 8:55:56 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2584066), 32-Bit Edition.
4/5/2013 8:55:53 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition.
4/5/2013 8:55:50 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition.
4/5/2013 8:55:46 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition.
4/5/2013 8:55:43 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft SharePoint Workspace 2010 (KB2566445), 32-Bit Edition.
4/5/2013 8:55:40 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2553096), 32-Bit Edition.
4/5/2013 8:55:36 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition.
4/5/2013 8:55:33 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition.
4/5/2013 8:55:30 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2553091), 32-Bit Edition.
4/5/2013 8:55:26 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition.
4/5/2013 8:55:23 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition.
4/5/2013 8:55:20 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition.
4/5/2013 8:55:16 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition.
4/5/2013 8:55:13 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition.
4/5/2013 8:55:06 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition.
4/5/2013 8:54:53 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition.
4/5/2013 8:54:50 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition.
4/5/2013 8:54:46 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition.
4/5/2013 8:54:42 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition.
4/5/2013 8:54:37 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition.
4/5/2013 10:24:21 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
4/2/2013 9:00:16 AM, Error: Service Control Manager [7000] - The Office Source Engine service failed to start due to the following error: The system cannot find the file specified.
4/1/2013 9:50:53 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070103: Microsoft - Other hardware - HID Non-User Input Data Filter (KB 911895).
4/1/2013 8:42:27 AM, Error: Service Control Manager [7030] - The WSWNDA3100v2 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
4/1/2013 8:34:25 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0xfffffa8005c82010, 0xfffff88004031cb0, 0x0000000000000000, 0x000000000000000c). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040113-30810-01.
3/31/2013 4:01:36 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Update for Internet Explorer 8 Compatibility View List for Windows 7 for x64-based Systems (KB2598845).
3/31/2013 3:59:25 AM, Error: Service Control Manager [7023] -
3/31/2013 3:55:39 AM, Error: Service Control Manager [7034] - The Canon Inkjet Printer/Scanner/Fax Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
3/31/2013 3:55:39 AM, Error: Service Control Manager [7031] - The Microsoft .NET Framework NGEN v2.0.50727_X86 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/29/2013 12:52:12 PM, Error: Service Control Manager [7023] - The Windows Search service terminated with the following error: The media is write protected.
.
==== End Of File ===========================



DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16521
Run by Matt VanLoon at 11:03:23 on 2013-04-05
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3965.2528 [GMT -7:00]

.AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\splwow64.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_6_602_180_ActiveX.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.fantastigames.com/465
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{089AD004-C0DF-491B-833F-64787D11A68F} : DHCPNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs=
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-4-1 65336]
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2013-4-1 25056]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-4-1 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-4-1 377920]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-4-1 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-4-1 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-4-1 45248]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 WSWNDA3100v2;WSWNDA3100v2;C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [2013-3-29 303360]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\Windows\System32\drivers\bcmwlhigh664.sys [2013-4-1 1256192]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]
S3 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-4-1 178624]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-4-1 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-4-1 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-4-1 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-3-31 1255736]
.
=============== Created Last 30 ================
.
2013-04-05 16:19:00 -------- d-----w- C:\Users\Matt VanLoon\AppData\Roaming\DriverCure
2013-04-05 16:18:59 -------- d-----w- C:\Users\Matt VanLoon\AppData\Roaming\SpeedyPC Software
2013-04-05 16:18:40 -------- d-----w- C:\ProgramData\SpeedyPC Software
2013-04-05 14:47:29 -------- d-----w- C:\Program Files (x86)\FGIcon
2013-04-05 14:47:20 -------- d-----w- C:\ProgramData\Tarma Installer
2013-04-05 06:31:34 9311288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0E70ED42-CF1D-46A8-A148-06A7D960432A}\mpengine.dll
2013-04-02 15:54:13 -------- d-----w- C:\MATS
2013-04-02 15:05:12 -------- d-----w- C:\Windows\PCHEALTH
2013-04-02 14:59:21 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2013-04-02 14:58:29 -------- d-----w- C:\Users\Matt VanLoon\AppData\Local\Microsoft Help
2013-04-01 18:22:36 70992 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-04-01 18:22:34 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-04-01 18:22:33 178624 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-04-01 18:22:32 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-04-01 18:22:29 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-04-01 18:22:24 -------- d-----w- C:\Program Files (x86)\FileHippo.com
2013-04-01 18:21:05 41664 ----a-w- C:\Windows\avastSS.scr
2013-04-01 18:20:52 -------- d-----w- C:\Program Files\AVAST Software
2013-04-01 18:20:18 -------- d-----w- C:\ProgramData\AVAST Software
2013-04-01 18:05:10 -------- d-----w- C:\Program Files\CCleaner
2013-04-01 16:46:58 -------- d-----w- C:\Program Files\Microsoft Mouse and Keyboard Center
2013-04-01 16:40:12 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll
2013-04-01 16:38:23 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-04-01 16:38:23 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-04-01 16:38:22 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2013-04-01 16:38:22 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-04-01 16:38:22 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2013-04-01 16:38:21 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-04-01 16:38:21 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-04-01 16:38:15 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2013-04-01 16:38:15 366592 ----a-w- C:\Windows\System32\qdvd.dll
2013-04-01 15:40:15 1256192 ----a-w- C:\Windows\System32\drivers\bcmwlhigh664.sys
2013-04-01 15:40:12 25056 ----a-w- C:\Windows\System32\drivers\SCMNdisP.sys
2013-04-01 15:07:40 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-01 15:07:40 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-04-01 15:05:45 -------- d-----w- C:\Users\Matt VanLoon\AppData\Local\Google
2013-04-01 15:04:55 -------- d-----w- C:\Users\Matt VanLoon\AppData\Local\Deployment
2013-03-31 10:54:26 -------- d-----w- C:\Windows\SysWow64\Wat
2013-03-31 10:54:26 -------- d-----w- C:\Windows\System32\Wat
2013-03-31 10:20:51 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2013-03-31 10:20:51 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2013-03-31 10:20:51 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2013-03-31 10:20:51 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-03-31 10:07:03 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2013-03-31 10:07:03 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-03-31 10:07:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2013-03-31 10:07:03 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2013-03-31 10:07:03 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2013-03-31 10:07:03 100864 ----a-w- C:\Windows\System32\fontsub.dll
2013-03-31 10:06:16 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2013-03-31 10:06:16 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2013-03-31 10:06:15 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2013-03-31 10:06:15 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2013-03-31 10:06:15 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2013-03-31 10:06:15 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2013-03-31 10:06:15 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2013-03-31 10:03:51 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-03-31 10:03:51 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-03-31 10:03:51 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-03-31 10:03:51 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-03-31 10:03:51 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-03-30 10:15:49 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2013-03-30 10:14:53 478208 ----a-w- C:\Windows\System32\dpnet.dll
2013-03-30 10:13:59 715776 ----a-w- C:\Windows\System32\kerberos.dll
2013-03-30 10:05:10 77312 ----a-w- C:\Windows\System32\packager.dll
2013-03-30 10:05:10 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-03-30 10:04:47 9311288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-03-30 06:05:16 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-03-30 06:05:16 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-03-30 06:05:16 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-03-30 01:01:15 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-03-30 01:01:07 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-03-30 01:00:58 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-03-30 01:00:58 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-03-29 21:58:18 -------- d--h--w- C:\ProgramData\CanonIJSolutionMenuEX
2013-03-29 21:58:18 -------- d--h--w- C:\ProgramData\CanonIJMyPrinter
2013-03-29 21:58:17 -------- d--h--w- C:\ProgramData\CanonIJEPPEX2
2013-03-29 21:58:17 -------- d--h--w- C:\ProgramData\CanonEPP
2013-03-29 21:57:06 -------- d-----w- C:\ProgramData\CanonIJPLM
2013-03-29 21:52:27 -------- d-----w- C:\Program Files\Common Files\CANON
2013-03-29 21:52:15 -------- d-----w- C:\ProgramData\CanonIJWSpt
2013-03-29 21:50:19 -------- d-----w- C:\Program Files\Canon
2013-03-29 21:40:57 -------- d-----w- C:\Program Files (x86)\Canon
2013-03-29 20:51:57 -------- d-----w- C:\Users\Matt VanLoon\AppData\Local\ElevatedDiagnostics
2013-03-29 20:51:00 373248 ----a-w- C:\Windows\System32\CNC_AQL.dll
2013-03-29 20:51:00 323584 ----a-w- C:\Windows\SysWow64\CNC_AQL.dll
2013-03-29 20:51:00 302080 ----a-w- C:\Windows\System32\CNC_AQC.dll
2013-03-29 20:51:00 17920 ----a-w- C:\Windows\System32\CNHMCA6.dll
2013-03-29 20:51:00 15872 ----a-w- C:\Windows\SysWow64\CNHMCA.dll
2013-03-29 20:51:00 114688 ----a-w- C:\Windows\SysWow64\CNC_AQU.dll
2013-03-29 20:51:00 112128 ----a-w- C:\Windows\System32\CNC_AQI.dll
2013-03-29 20:45:39 98816 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPPAQ.DLL
2013-03-29 20:45:39 30208 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPDAQ.DLL
2013-03-29 20:45:39 30208 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\2_CNMPDAQ.DLL
2013-03-29 20:45:39 30208 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\1_CNMPDAQ.DLL
2013-03-29 20:45:33 385536 ----a-w- C:\Windows\System32\CNMLMAQ.DLL
2013-03-29 20:34:09 -------- d-----w- C:\Windows\Panther
2013-03-29 20:23:16 -------- d-----w- C:\Windows.old
2013-03-29 20:20:05 -------- d-----w- C:\Users\Matt VanLoon\AppData\Local\Diagnostics
2013-03-29 20:16:33 -------- d-sh--w- C:\Windows\Installer
2013-03-29 20:16:31 95544 ----a-w- C:\Windows\System32\bcmwlcoi.dll
2013-03-29 20:16:31 3566592 ----a-w- C:\Windows\System32\bcmihvui64.dll
2013-03-29 20:16:30 3900928 ----a-w- C:\Windows\System32\bcmihvsrv64.dll
2013-03-29 20:16:30 1721576 ----a-w- C:\Windows\System32\WdfCoInstaller01009.dll
2013-03-29 20:16:28 96784 ----a-w- C:\Windows\SysWow64\Packet.dll
2013-03-29 20:16:28 53299 ----a-w- C:\Windows\SysWow64\pthreadVC.dll
2013-03-29 20:16:28 47632 ----a-w- C:\Windows\System32\drivers\npf.sys
2013-03-29 20:16:28 281104 ----a-w- C:\Windows\SysWow64\wpcap.dll
2013-03-29 20:16:23 -------- d-----w- C:\Program Files (x86)\NETGEAR
2013-03-29 20:06:07 -------- d-----w- C:\Users\Matt VanLoon\AppData\Local\Apps
2013-03-29 19:59:07 -------- d-----w- C:\Users\Matt VanLoon\AppData\Local\VirtualStore
2013-03-27 18:36:06 -------- d--h--w- C:\SkyDriveTemp
.
==================== Find3M ====================
.
2013-03-12 08:10:56 282744 ------w- C:\Windows\System32\MpSigStub.exe
2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-01-30 01:15:06 862664 ----a-w- C:\Windows\SysWow64\msvcr110.dll
2013-01-30 01:15:06 828872 ----a-w- C:\Windows\System32\msvcr110.dll
2013-01-30 01:15:06 661448 ----a-w- C:\Windows\System32\msvcp110.dll
2013-01-30 01:15:06 534480 ----a-w- C:\Windows\SysWow64\msvcp110.dll
2013-01-30 01:15:06 354264 ----a-w- C:\Windows\System32\vccorlib110.dll
2013-01-30 01:15:06 251864 ----a-w- C:\Windows\SysWow64\vccorlib110.dll
2013-01-30 01:15:04 50800 ----a-w- C:\Windows\System32\drivers\point64.sys
2013-01-30 01:15:04 29312 ----a-w- C:\Windows\System32\drivers\nuidfltr.sys
2013-01-21 18:12:12 2177664 ----a-w- C:\Windows\System32\coin93.dll
2013-01-13 21:17:03 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17:02 2560 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16:42 10752 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12:46 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11:21 4096 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11:08 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11:07 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:35:31 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 20:35:31 2560 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 20:35:18 10752 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 20:32:07 3584 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 20:31:48 4096 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 20:31:41 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 20:31:40 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31:00 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll
2013-01-13 20:22:22 1988096 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-01-13 20:20:31 293376 ----a-w- C:\Windows\SysWow64\dxgi.dll
2013-01-13 20:09:00 249856 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2013-01-13 20:08:43 220160 ----a-w- C:\Windows\SysWow64\d3d10core.dll
2013-01-13 20:08:35 1504768 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-01-13 19:59:04 1643520 ----a-w- C:\Windows\System32\DWrite.dll
2013-01-13 19:58:28 1175552 ----a-w- C:\Windows\System32\FntCache.dll
2013-01-13 19:54:01 604160 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2013-01-13 19:53:58 207872 ----a-w- C:\Windows\SysWow64\WindowsCodecsExt.dll
2013-01-13 19:53:14 187392 ----a-w- C:\Windows\SysWow64\UIAnimation.dll
2013-01-13 19:51:30 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2013-01-13 19:49:17 363008 ----a-w- C:\Windows\System32\dxgi.dll
2013-01-13 19:48:47 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2013-01-13 19:46:25 1080832 ----a-w- C:\Windows\SysWow64\d3d10.dll
2013-01-13 19:43:21 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2013-01-13 19:38:39 333312 ----a-w- C:\Windows\System32\d3d10_1core.dll
2013-01-13 19:38:32 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2013-01-13 19:38:21 296960 ----a-w- C:\Windows\System32\d3d10core.dll
2013-01-13 19:37:57 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll
2013-01-13 19:25:04 245248 ----a-w- C:\Windows\System32\WindowsCodecsExt.dll
2013-01-13 19:24:33 648192 ----a-w- C:\Windows\System32\d3d10level9.dll
2013-01-13 19:24:30 221184 ----a-w- C:\Windows\System32\UIAnimation.dll
2013-01-13 19:20:42 194560 ----a-w- C:\Windows\System32\d3d10_1.dll
2013-01-13 19:20:04 1238528 ----a-w- C:\Windows\System32\d3d10.dll
2013-01-13 19:15:40 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-01-13 19:10:36 3928064 ----a-w- C:\Windows\System32\d2d1.dll
2013-01-13 19:02:06 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-01-13 18:34:58 364544 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2013-01-13 18:32:43 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-01-13 18:09:52 522752 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2013-01-13 17:26:42 1158144 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2013-01-13 17:05:09 1682432 ----a-w- C:\Windows\System32\XpsPrint.dll
.
============= FINISH: 11:04:01.87 ===============
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm
Advertisement
Register to Remove

Re: isearch.fantasigames malware infected my computer

Unread postby deltalima » April 8th, 2013, 3:02 pm

checking you log - back soon.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: isearch.fantasigames malware infected my computer

Unread postby deltalima » April 8th, 2013, 3:13 pm

Hi mvanloon,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you too.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Windows 7 and Vista users
The programs I ask you to run need to be run in Administrator Mode by... Right clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

  • Double click on Rkill (Right click and choose "Run as administrator" in Vista/Win7).
  • A command window will open then disappear upon completion, this is normal.
  • A notepad windows will open, please post the contents in your next reply
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Image Please download Junkware Removal Tool and save it to your desktop.
  • Shut down your protection software as shown in This topic now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please post the contents of JRT.txt into your next reply.

Please let me know how the computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 10:57 am

Here is the Rkill log and the JRT Log. When I open either browser it no longer comes up with the isearch.fantasigames URL

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/09/2013 07:30:24 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\Matt VanLoon\Desktop\rkill\rkill-04-09-2013-07-30-42.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
* HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!

* HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!


Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 04/09/2013 07:30:52 AM
Execution time: 0 hours(s), 0 minute(s), and 27 seconds(s)



Junkware Removal Tool (JRT) by Thisisu
Version: 4.8.3 (04.05.2013:1)
OS: Windows 7 Professional x64
Ran by Matt VanLoon on Tue 04/09/2013 at 7:32:47.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-2826719538-1761031791-2706135774-1000\software\microsoft\internet explorer\main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\datamngr
Successfully deleted: [Registry Key] hkey_current_user\software\datamngr_toolbar



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\speedypc software"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Users\Matt VanLoon\AppData\Roaming\drivercure"
Successfully deleted: [Folder] "C:\Users\Matt VanLoon\AppData\Roaming\speedypc software"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 04/09/2013 at 7:54:59.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby deltalima » April 9th, 2013, 12:31 pm

Hi mvanloon,

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it (Right click and choose "Run as administrator" in Vista/Win7).
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file (Right click and choose "Run as administrator" in Vista/Win7). If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 6:31 pm

Isearch.fantasigames in the URL is back in google chrome not in I.E. as of yet. I only have used chrome for browsing since my last post.


OTL logfile created on: 4/9/2013 2:18:02 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Matt VanLoon\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16521)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.87 Gb Total Physical Memory | 2.52 Gb Available Physical Memory | 65.02% Memory free
7.74 Gb Paging File | 6.08 Gb Available in Paging File | 78.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 287.15 Gb Total Space | 130.11 Gb Free Space | 45.31% Space Free | Partition Type: NTFS
Drive F: | 1.17 Gb Total Space | 0.45 Gb Free Space | 38.06% Space Free | Partition Type: NTFS
Drive Z: | 9.77 Gb Total Space | 2.37 Gb Free Space | 24.28% Space Free | Partition Type: NTFS

Computer Name: WFBD01 | User Name: Matt VanLoon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Matt VanLoon\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()
PRC - C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe ()
PRC - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE (CANON INC.)
PRC - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)
PRC - C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe ()


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\ppgooglenaclpluginchrome.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\pdf.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\libglesv2.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\libegl.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\ffmpegsumo.dll ()
MOD - C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()
MOD - C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvcLib.dll ()


========== Services (SafeList) ==========

SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (WSWNDA3100v2) -- C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe ()
SRV - (IJPLMSVC) -- C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (libusb0) -- C:\Windows\SysNative\drivers\libusb0.sys (http://libusb-win32.sourceforge.net)
DRV:64bit: - (aswSnx) -- C:\Windows\SysNative\drivers\aswSnx.sys (AVAST Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (AVAST Software)
DRV:64bit: - (aswVmm) -- C:\Windows\SysNative\drivers\aswVmm.sys ()
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\drivers\aswRdr2.sys (AVAST Software)
DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (AVAST Software)
DRV:64bit: - (aswRvrt) -- C:\Windows\SysNative\drivers\aswRvrt.sys ()
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (AVAST Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (AVAST Software)
DRV:64bit: - (Point64) -- C:\Windows\SysNative\drivers\point64.sys (Microsoft Corporation)
DRV:64bit: - (NuidFltr) -- C:\Windows\SysNative\drivers\nuidfltr.sys (Microsoft Corporation)
DRV:64bit: - (dc3d) -- C:\Windows\SysNative\drivers\dc3d.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (BCMH43XX) -- C:\Windows\SysNative\drivers\bcmwlhigh664.sys (Broadcom Corporation)
DRV:64bit: - (SCMNdisP) -- C:\Windows\SysNative\drivers\SCMNdisP.sys (Windows (R) Win 7 DDK provider)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (dmvsc) -- C:\Windows\SysNative\drivers\dmvsc.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (NPF) -- C:\Windows\SysNative\drivers\npf.sys (CACE Technologies, Inc.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek Corporation )
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}: "URL" = http://isearch.fantastigames.com/web?sr ... mid=465&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}: "URL" = http://isearch.fantastigames.com/web?sr ... mid=465&q={searchTerms}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4E 0C 24 54 E5 2E CE 01 [binary data]
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}: "URL" = http://isearch.fantastigames.com/web?sr ... mid=465&q={searchTerms}
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\SearchScopes\{C95448A4-136B-4569-B0EB-9A32381D93AA}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://isearch.fantastigames.com/465
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\pdf.dll
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility for IJ (Enabled) = C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - Extension: avast! WebRep = C:\Users\Matt VanLoon\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\8.0.1483_0\
CHR - Extension: Red 70 Boss = C:\Users\Matt VanLoon\AppData\Local\Google\Chrome\User Data\Default\Extensions\offdlogieefppmjpdihmmgfpjaifgboi\0.2_0\

O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4:64bit: - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Jawbone Updater.lnk = C:\Program Files (x86)\Jawbone\LaunchJU.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{089AD004-C0DF-491B-833F-64787D11A68F}: DhcpNameServer = 192.168.1.1 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/10 09:32:46 | 000,000,049 | -HS- | M] () - Z:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\{71808f46-9e15-11e2-a2ad-c89cdc54b1ed}\Shell - "" = AutoRun
O33 - MountPoints2\{71808f46-9e15-11e2-a2ad-c89cdc54b1ed}\Shell\AutoRun\command - "" = D:\VZW_Software_upgrade_assistant_installer.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/04/09 10:22:18 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Adobe
[2013/04/09 08:10:16 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jawbone
[2013/04/09 08:10:07 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\JawboneUpdater
[2013/04/09 08:10:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Jawbone
[2013/04/09 07:32:44 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/04/09 07:32:35 | 000,000,000 | ---D | C] -- C:\JRT
[2013/04/09 07:30:42 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\Desktop\rkill
[2013/04/05 10:27:43 | 069,796,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MRT.exe
[2013/04/05 10:00:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2013/04/05 10:00:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Adobe
[2013/04/05 09:56:09 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2013/04/05 07:53:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2013/04/05 07:47:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FGIcon
[2013/04/02 11:45:37 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\Documents\Outlook Files
[2013/04/02 09:01:35 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2013/04/02 08:54:13 | 000,000,000 | ---D | C] -- C:\MATS
[2013/04/02 08:06:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2013/04/02 08:05:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2013/04/02 08:05:12 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2013/04/02 07:59:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Analysis Services
[2013/04/02 07:58:29 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Microsoft Help
[2013/04/02 07:58:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office
[2013/04/02 07:58:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2013/04/01 12:09:23 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\Desktop\WFBD
[2013/04/01 11:22:39 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013/04/01 11:22:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013/04/01 11:22:38 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013/04/01 11:22:36 | 000,070,992 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013/04/01 11:22:35 | 000,068,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013/04/01 11:22:34 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013/04/01 11:22:29 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013/04/01 11:22:29 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013/04/01 11:22:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FileHippo.com
[2013/04/01 11:21:05 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013/04/01 11:20:52 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/04/01 11:20:18 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013/04/01 11:05:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2013/04/01 11:05:10 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2013/04/01 09:51:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Intel
[2013/04/01 09:51:05 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2013/04/01 09:47:41 | 001,054,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2013/04/01 09:47:41 | 000,226,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\elshyph.dll
[2013/04/01 09:47:41 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\elshyph.dll
[2013/04/01 09:47:41 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe
[2013/04/01 09:47:40 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/04/01 09:47:40 | 001,509,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/04/01 09:47:40 | 001,441,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/04/01 09:47:40 | 001,400,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dat
[2013/04/01 09:47:40 | 001,400,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dat
[2013/04/01 09:47:40 | 000,905,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2013/04/01 09:47:40 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/04/01 09:47:40 | 000,762,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2013/04/01 09:47:40 | 000,719,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2013/04/01 09:47:40 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/04/01 09:47:40 | 000,629,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2013/04/01 09:47:40 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/04/01 09:47:40 | 000,599,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/04/01 09:47:40 | 000,526,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/04/01 09:47:40 | 000,452,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2013/04/01 09:47:40 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2013/04/01 09:47:40 | 000,391,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/04/01 09:47:40 | 000,361,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2013/04/01 09:47:40 | 000,281,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2013/04/01 09:47:40 | 000,235,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/04/01 09:47:40 | 000,232,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013/04/01 09:47:40 | 000,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msls31.dll
[2013/04/01 09:47:40 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2013/04/01 09:47:40 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/04/01 09:47:40 | 000,167,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iexpress.exe
[2013/04/01 09:47:40 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2013/04/01 09:47:40 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iexpress.exe
[2013/04/01 09:47:40 | 000,149,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2013/04/01 09:47:40 | 000,144,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wextract.exe
[2013/04/01 09:47:40 | 000,138,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wextract.exe
[2013/04/01 09:47:40 | 000,137,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/04/01 09:47:40 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2013/04/01 09:47:40 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2013/04/01 09:47:40 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\IEAdvpack.dll
[2013/04/01 09:47:40 | 000,125,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2013/04/01 09:47:40 | 000,117,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2013/04/01 09:47:40 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\IEAdvpack.dll
[2013/04/01 09:47:40 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2013/04/01 09:47:40 | 000,102,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inseng.dll
[2013/04/01 09:47:40 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/04/01 09:47:40 | 000,092,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SetIEInstalledDate.exe
[2013/04/01 09:47:40 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe
[2013/04/01 09:47:40 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inseng.dll
[2013/04/01 09:47:40 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\icardie.dll
[2013/04/01 09:47:40 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/04/01 09:47:40 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tdc.ocx
[2013/04/01 09:47:40 | 000,073,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\SetIEInstalledDate.exe
[2013/04/01 09:47:40 | 000,069,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\icardie.dll
[2013/04/01 09:47:40 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2013/04/01 09:47:40 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\pngfilt.dll
[2013/04/01 09:47:40 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tdc.ocx
[2013/04/01 09:47:40 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2013/04/01 09:47:40 | 000,057,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\pngfilt.dll
[2013/04/01 09:47:40 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2013/04/01 09:47:40 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\imgutil.dll
[2013/04/01 09:47:40 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmler.dll
[2013/04/01 09:47:40 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmler.dll
[2013/04/01 09:47:40 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2013/04/01 09:47:40 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2013/04/01 09:47:40 | 000,027,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll
[2013/04/01 09:47:40 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
[2013/04/01 09:47:40 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshta.exe
[2013/04/01 09:47:40 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2013/04/01 09:47:40 | 000,011,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2013/04/01 09:47:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse and Keyboard Center
[2013/04/01 09:46:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Mouse and Keyboard Center
[2013/04/01 09:46:08 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys
[2013/04/01 09:46:08 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\TsUsbGD.sys
[2013/04/01 09:46:08 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys
[2013/04/01 09:46:08 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RdpGroupPolicyExtension.dll
[2013/04/01 09:46:08 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbRedirectionGroupPolicyExtension.dll
[2013/04/01 09:46:08 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbRedirectionGroupPolicyControl.exe
[2013/04/01 09:46:07 | 001,048,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
[2013/04/01 09:46:07 | 000,384,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wksprt.exe
[2013/04/01 09:46:07 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aaclient.dll
[2013/04/01 09:46:07 | 000,269,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\aaclient.dll
[2013/04/01 09:46:07 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpudd.dll
[2013/04/01 09:46:07 | 000,228,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpendp_winip.dll
[2013/04/01 09:46:07 | 000,192,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rdpendp_winip.dll
[2013/04/01 09:46:07 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TSWbPrxy.exe
[2013/04/01 09:46:07 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsRdpWebAccess.dll
[2013/04/01 09:46:07 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MsRdpWebAccess.dll
[2013/04/01 09:46:07 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tsgqec.dll
[2013/04/01 09:46:07 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbGDCoInstaller.dll
[2013/04/01 09:46:07 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tsgqec.dll
[2013/04/01 09:46:07 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wksprtPS.dll
[2013/04/01 09:46:07 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wksprtPS.dll
[2013/04/01 09:46:06 | 005,773,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2013/04/01 09:46:06 | 004,916,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2013/04/01 09:46:06 | 003,174,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorets.dll
[2013/04/01 09:46:06 | 001,123,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
[2013/04/01 09:40:12 | 002,776,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msmpeg2vdec.dll
[2013/04/01 09:40:12 | 002,284,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msmpeg2vdec.dll
[2013/04/01 09:40:12 | 000,221,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\UIAnimation.dll
[2013/04/01 09:40:12 | 000,187,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIAnimation.dll
[2013/04/01 09:40:11 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMPhoto.dll
[2013/04/01 09:40:11 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMPhoto.dll
[2013/04/01 09:40:08 | 000,194,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll
[2013/04/01 09:40:08 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013/04/01 09:40:08 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013/04/01 09:40:08 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013/04/01 09:40:08 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013/04/01 09:40:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013/04/01 09:40:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013/04/01 09:40:08 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013/04/01 09:40:08 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013/04/01 09:40:07 | 002,565,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll
[2013/04/01 09:40:07 | 001,887,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d11.dll
[2013/04/01 09:40:07 | 001,504,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d11.dll
[2013/04/01 09:40:07 | 000,648,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10level9.dll
[2013/04/01 09:40:07 | 000,522,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2013/04/01 09:40:07 | 000,364,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2013/04/01 09:40:07 | 000,363,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxgi.dll
[2013/04/01 09:40:07 | 000,333,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll
[2013/04/01 09:40:07 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10core.dll
[2013/04/01 09:40:07 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013/04/01 09:40:07 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013/04/01 09:40:07 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013/04/01 09:40:07 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013/04/01 09:40:07 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
[2013/04/01 09:40:07 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-user32-l1-1-0.dll
[2013/04/01 09:40:07 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
[2013/04/01 09:40:07 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-version-l1-1-0.dll
[2013/04/01 09:40:07 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013/04/01 09:40:07 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013/04/01 09:40:06 | 003,928,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll
[2013/04/01 09:40:06 | 001,682,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsPrint.dll
[2013/04/01 09:40:06 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2013/04/01 09:40:06 | 001,424,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll
[2013/04/01 09:40:06 | 001,238,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10.dll
[2013/04/01 09:40:06 | 001,158,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2013/04/01 09:40:06 | 000,245,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecsExt.dll
[2013/04/01 09:38:22 | 001,448,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lsasrv.dll
[2013/04/01 09:38:15 | 000,514,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\qdvd.dll
[2013/04/01 09:38:15 | 000,366,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\qdvd.dll
[2013/04/01 08:56:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2013/04/01 08:40:15 | 001,256,192 | ---- | C] (Broadcom Corporation) -- C:\Windows\SysNative\drivers\bcmwlhigh664.sys
[2013/04/01 08:40:12 | 000,025,056 | ---- | C] (Windows (R) Win 7 DDK provider) -- C:\Windows\SysNative\drivers\SCMNdisP.sys
[2013/04/01 08:34:08 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2013/04/01 08:07:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2013/04/01 08:07:50 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Macromedia
[2013/04/01 08:07:50 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Adobe
[2013/04/01 08:07:40 | 000,693,976 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/04/01 08:07:40 | 000,073,432 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/04/01 08:07:39 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2013/04/01 08:07:38 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2013/04/01 08:05:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2013/04/01 08:05:45 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Google
[2013/04/01 08:04:55 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Deployment
[2013/03/31 14:29:41 | 000,325,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usbport.sys
[2013/03/31 14:29:41 | 000,007,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usbd.sys
[2013/03/31 14:29:37 | 002,565,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\esent.dll
[2013/03/31 14:29:37 | 001,699,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\esent.dll
[2013/03/31 14:29:37 | 000,189,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\storport.sys
[2013/03/31 14:29:37 | 000,107,904 | ---- | C] (Advanced Micro Devices) -- C:\Windows\SysNative\drivers\amdsata.sys
[2013/03/31 14:29:37 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\fsutil.exe
[2013/03/31 14:29:37 | 000,074,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\fsutil.exe
[2013/03/31 14:29:37 | 000,027,008 | ---- | C] (Advanced Micro Devices) -- C:\Windows\SysNative\drivers\amdxata.sys
[2013/03/31 03:54:26 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2013/03/31 03:54:26 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2013/03/31 03:20:51 | 000,054,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\WdfLdr.sys
[2013/03/31 03:20:51 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wdfres.dll
[2013/03/31 03:07:03 | 000,367,616 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2013/03/31 03:07:03 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2013/03/31 03:07:03 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\fontsub.dll
[2013/03/31 03:07:03 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\fontsub.dll
[2013/03/31 03:07:03 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2013/03/31 03:07:03 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2013/03/31 03:06:15 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFx.dll
[2013/03/31 03:06:15 | 000,229,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFHost.exe
[2013/03/31 03:06:15 | 000,194,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFPlatform.dll
[2013/03/31 03:06:15 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WUDFCoinstaller.dll
[2013/03/31 03:03:51 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\imagehlp.dll
[2013/03/31 03:03:51 | 000,023,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fs_rec.sys
[2013/03/30 03:16:07 | 005,553,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013/03/30 03:16:07 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013/03/30 03:16:07 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013/03/30 03:16:05 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\xmllite.dll
[2013/03/30 03:16:01 | 000,750,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2013/03/30 03:16:01 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2013/03/30 03:16:01 | 000,319,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbcjt32.dll
[2013/03/30 03:16:01 | 000,212,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbctrac.dll
[2013/03/30 03:16:01 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbctrac.dll
[2013/03/30 03:16:01 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbccp32.dll
[2013/03/30 03:16:01 | 000,122,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbccp32.dll
[2013/03/30 03:16:01 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbccu32.dll
[2013/03/30 03:16:01 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\odbccr32.dll
[2013/03/30 03:16:01 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbccu32.dll
[2013/03/30 03:16:01 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\odbccr32.dll
[2013/03/30 03:15:48 | 000,142,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\poqexec.exe
[2013/03/30 03:15:48 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\poqexec.exe
[2013/03/30 03:15:47 | 000,226,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dhcpcore6.dll
[2013/03/30 03:15:47 | 000,193,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dhcpcore6.dll
[2013/03/30 03:15:47 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dhcpcsvc6.dll
[2013/03/30 03:15:45 | 002,871,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\explorer.exe
[2013/03/30 03:15:45 | 002,616,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\explorer.exe
[2013/03/30 03:15:45 | 001,572,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\quartz.dll
[2013/03/30 03:15:45 | 001,328,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\quartz.dll
[2013/03/30 03:15:43 | 001,118,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbe.dll
[2013/03/30 03:15:43 | 000,961,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\CPFilters.dll
[2013/03/30 03:15:43 | 000,850,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbe.dll
[2013/03/30 03:15:43 | 000,642,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\CPFilters.dll
[2013/03/30 03:15:43 | 000,259,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mpg2splt.ax
[2013/03/30 03:15:43 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mpg2splt.ax
[2013/03/30 03:15:33 | 000,509,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntshrui.dll
[2013/03/30 03:15:32 | 002,315,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tquery.dll
[2013/03/30 03:15:31 | 002,223,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssrch.dll
[2013/03/30 03:15:31 | 001,549,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tquery.dll
[2013/03/30 03:15:31 | 001,401,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mssrch.dll
[2013/03/30 03:15:31 | 000,778,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssvp.dll
[2013/03/30 03:15:31 | 000,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mssvp.dll
[2013/03/30 03:15:31 | 000,491,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssph.dll
[2013/03/30 03:15:31 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mssph.dll
[2013/03/30 03:15:31 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mssphtb.dll
[2013/03/30 03:15:31 | 000,249,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SearchProtocolHost.exe
[2013/03/30 03:15:31 | 000,113,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\SearchFilterHost.exe
[2013/03/30 03:15:31 | 000,075,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msscntrs.dll
[2013/03/30 03:15:31 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msscntrs.dll
[2013/03/30 03:15:29 | 000,515,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\timedate.cpl
[2013/03/30 03:15:29 | 000,478,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\timedate.cpl
[2013/03/30 03:15:29 | 000,395,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\webio.dll
[2013/03/30 03:15:29 | 000,314,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\webio.dll
[2013/03/30 03:15:28 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2013/03/30 03:15:20 | 001,395,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfc42.dll
[2013/03/30 03:15:20 | 001,359,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfc42u.dll
[2013/03/30 03:15:19 | 001,164,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc42u.dll
[2013/03/30 03:15:19 | 001,137,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfc42.dll
[2013/03/30 03:15:17 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\RNDISMP.sys
[2013/03/30 03:15:16 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usb8023.sys
[2013/03/30 03:15:14 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdrmemptylst.exe
[2013/03/30 03:15:13 | 000,149,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorekmts.dll
[2013/03/30 03:15:13 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpwsx.dll
[2013/03/30 03:15:11 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspicli.dll
[2013/03/30 03:15:11 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspisrv.dll
[2013/03/30 03:15:11 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secur32.dll
[2013/03/30 03:15:09 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2013/03/30 03:15:09 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml3r.dll
[2013/03/30 03:15:07 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netcorehc.dll
[2013/03/30 03:15:07 | 000,216,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncsi.dll
[2013/03/30 03:15:07 | 000,175,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\netcorehc.dll
[2013/03/30 03:15:07 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ncsi.dll
[2013/03/30 03:15:06 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\netevent.dll
[2013/03/30 03:15:06 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netevent.dll
[2013/03/30 03:15:04 | 000,027,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\Diskdump.sys
[2013/03/30 03:15:03 | 000,357,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dnsapi.dll
[2013/03/30 03:15:03 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dnscacheugc.exe
[2013/03/30 03:15:03 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dnscacheugc.exe
[2013/03/30 03:14:53 | 000,478,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dpnet.dll
[2013/03/30 03:14:53 | 000,376,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dpnet.dll
[2013/03/30 03:14:52 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2013/03/30 03:14:51 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2013/03/30 03:14:50 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013/03/30 03:14:50 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013/03/30 03:14:50 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013/03/30 03:14:50 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013/03/30 03:14:50 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013/03/30 03:14:50 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013/03/30 03:14:48 | 000,245,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\OxpsConverter.exe
[2013/03/30 03:14:29 | 000,800,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\usp10.dll
[2013/03/30 03:14:29 | 000,376,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\netio.sys
[2013/03/30 03:14:29 | 000,288,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[2013/03/30 03:14:27 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\fpb.rs
[2013/03/30 03:14:27 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc-nz.rs
[2013/03/30 03:14:27 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc-nz.rs
[2013/03/30 03:14:27 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\csrr.rs
[2013/03/30 03:14:27 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysNative\csrr.rs
[2013/03/30 03:14:26 | 002,746,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gameux.dll
[2013/03/30 03:14:26 | 002,576,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gameux.dll
[2013/03/30 03:14:26 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wpc.dll
[2013/03/30 03:14:26 | 000,308,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Wpc.dll
[2013/03/30 03:14:26 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cero.rs
[2013/03/30 03:14:26 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cero.rs
[2013/03/30 03:14:26 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\esrb.rs
[2013/03/30 03:14:26 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysNative\esrb.rs
[2013/03/30 03:14:26 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysNative\fpb.rs
[2013/03/30 03:14:26 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegibbfc.rs
[2013/03/30 03:14:26 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegibbfc.rs
[2013/03/30 03:14:26 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cob-au.rs
[2013/03/30 03:14:26 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cob-au.rs
[2013/03/30 03:14:26 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\usk.rs
[2013/03/30 03:14:26 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysNative\usk.rs
[2013/03/30 03:14:26 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc.rs
[2013/03/30 03:14:26 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc.rs
[2013/03/30 03:14:26 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\grb.rs
[2013/03/30 03:14:26 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysNative\grb.rs
[2013/03/30 03:14:26 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-pt.rs
[2013/03/30 03:14:26 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-pt.rs
[2013/03/30 03:14:26 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-fi.rs
[2013/03/30 03:14:26 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-fi.rs
[2013/03/30 03:14:26 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi.rs
[2013/03/30 03:14:26 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi.rs
[2013/03/30 03:14:26 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\djctq.rs
[2013/03/30 03:14:26 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysNative\djctq.rs
[2013/03/30 03:14:20 | 000,613,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\psisdecd.dll
[2013/03/30 03:14:20 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\psisdecd.dll
[2013/03/30 03:14:20 | 000,108,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\psisrndr.ax
[2013/03/30 03:14:20 | 000,075,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\psisrndr.ax
[2013/03/30 03:13:57 | 003,216,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msi.dll
[2013/03/30 03:13:53 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2013/03/30 03:13:53 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2013/03/30 03:13:53 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2013/03/30 03:13:53 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2013/03/30 03:13:52 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2013/03/30 03:13:52 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2013/03/30 03:13:52 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2013/03/30 03:13:52 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2013/03/30 03:13:52 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2013/03/30 03:13:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2013/03/30 03:13:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2013/03/30 03:13:51 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2013/03/30 03:13:51 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2013/03/30 03:13:51 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2013/03/30 03:13:51 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2013/03/30 03:13:51 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2013/03/30 03:13:51 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2013/03/30 03:13:45 | 000,095,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\synceng.dll
[2013/03/30 03:13:45 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\synceng.dll
[2013/03/30 03:13:44 | 000,642,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winload.efi
[2013/03/30 03:13:44 | 000,605,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winload.exe
[2013/03/30 03:13:44 | 000,566,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winresume.efi
[2013/03/30 03:13:44 | 000,518,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winresume.exe
[2013/03/30 03:13:44 | 000,020,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kdusb.dll
[2013/03/30 03:13:44 | 000,019,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kd1394.dll
[2013/03/30 03:13:44 | 000,017,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kdcom.dll
[2013/03/30 03:13:41 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskhost.exe
[2013/03/30 03:13:39 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2013/03/30 03:13:39 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2013/03/30 03:13:39 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2013/03/30 03:13:38 | 000,252,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\drvinst.exe
[2013/03/30 03:13:38 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\devrtl.dll
[2013/03/30 03:13:34 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\prevhost.exe
[2013/03/30 03:13:34 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\prevhost.exe
[2013/03/30 03:13:33 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2013/03/30 03:13:28 | 000,267,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\FXSCOVER.exe
[2013/03/30 03:13:27 | 000,634,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msvcrt.dll
[2013/03/30 03:13:25 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2013/03/30 03:13:23 | 000,861,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\oleaut32.dll
[2013/03/30 03:13:23 | 000,331,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\oleacc.dll
[2013/03/30 03:13:21 | 001,133,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdosys.dll
[2013/03/30 03:13:21 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cdosys.dll
[2013/03/30 03:13:17 | 000,723,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2013/03/30 03:13:17 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2013/03/30 03:13:15 | 001,731,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll
[2013/03/30 03:13:15 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2013/03/30 03:13:11 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2013/03/30 03:13:11 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
[2013/03/30 03:05:10 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\packager.dll
[2013/03/30 03:05:10 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\packager.dll
[2013/03/29 23:05:16 | 001,031,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcore.dll
[2013/03/29 23:05:16 | 000,826,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rdpcore.dll
[2013/03/29 18:01:15 | 002,622,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll
[2013/03/29 18:01:15 | 000,057,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe
[2013/03/29 18:01:15 | 000,044,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups2.dll
[2013/03/29 18:01:07 | 000,701,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll
[2013/03/29 18:01:07 | 000,099,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll
[2013/03/29 18:01:07 | 000,038,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll
[2013/03/29 18:00:58 | 000,186,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll
[2013/03/29 18:00:58 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe
[2013/03/29 14:58:18 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJSolutionMenuEX
[2013/03/29 14:58:18 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJMyPrinter
[2013/03/29 14:58:17 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJEPPEX2
[2013/03/29 14:58:17 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonEPP
[2013/03/29 14:58:17 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Canon
[2013/03/29 14:57:06 | 000,000,000 | ---D | C] -- C:\ProgramData\CanonIJPLM
[2013/03/29 14:53:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG2100 series User Registration
[2013/03/29 14:52:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CANON
[2013/03/29 14:52:15 | 000,000,000 | ---D | C] -- C:\ProgramData\CanonIJWSpt
[2013/03/29 14:50:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
[2013/03/29 14:50:19 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2013/03/29 14:49:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG2100 series Manual
[2013/03/29 14:49:39 | 000,000,000 | -H-D | C] -- C:\Windows\SysNative\CanonIJ Uninstaller Information
[2013/03/29 14:49:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG2100 series
[2013/03/29 14:49:15 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2013/03/29 14:40:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Canon
[2013/03/29 13:51:57 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\ElevatedDiagnostics
[2013/03/29 13:51:00 | 000,373,248 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNC_AQL.dll
[2013/03/29 13:51:00 | 000,323,584 | ---- | C] (CANON INC.) -- C:\Windows\SysWow64\CNC_AQL.dll
[2013/03/29 13:51:00 | 000,302,080 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNC_AQC.dll
[2013/03/29 13:51:00 | 000,114,688 | ---- | C] (CANON INC.) -- C:\Windows\SysWow64\CNC_AQU.dll
[2013/03/29 13:51:00 | 000,112,128 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNC_AQI.dll
[2013/03/29 13:51:00 | 000,017,920 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNHMCA6.dll
[2013/03/29 13:51:00 | 000,015,872 | ---- | C] (CANON INC.) -- C:\Windows\SysWow64\CNHMCA.dll
[2013/03/29 13:45:40 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ
[2013/03/29 13:45:33 | 000,385,536 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNMLMAQ.DLL
[2013/03/29 13:34:09 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2013/03/29 13:23:16 | 000,000,000 | ---D | C] -- C:\Windows.old
[2013/03/29 13:20:05 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Diagnostics
[2013/03/29 13:16:33 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2013/03/29 13:16:31 | 003,566,592 | ---- | C] (Broadcom Corporation) -- C:\Windows\SysNative\bcmihvui64.dll
[2013/03/29 13:16:31 | 000,095,544 | ---- | C] (Broadcom Corporation) -- C:\Windows\SysNative\bcmwlcoi.dll
[2013/03/29 13:16:30 | 003,900,928 | ---- | C] (Broadcom Corporation) -- C:\Windows\SysNative\bcmihvsrv64.dll
[2013/03/29 13:16:30 | 001,721,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WdfCoInstaller01009.dll
[2013/03/29 13:16:28 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\SysWow64\wpcap.dll
[2013/03/29 13:16:28 | 000,096,784 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\SysWow64\Packet.dll
[2013/03/29 13:16:28 | 000,047,632 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\SysNative\drivers\npf.sys
[2013/03/29 13:16:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NETGEAR WNDA3100v2 Genie
[2013/03/29 13:16:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NETGEAR
[2013/03/29 13:16:22 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\InstallShield Installation Information
[2013/03/29 13:15:02 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\InstallShield
[2013/03/29 13:06:07 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Apps
[2013/03/29 12:59:21 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2013/03/29 12:59:21 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Searches
[2013/03/29 12:59:21 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2013/03/29 12:59:21 | 000,000,000 | -H-D | C] -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2013/03/29 12:59:11 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Identities
[2013/03/29 12:59:09 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Contacts
[2013/03/29 12:59:07 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\VirtualStore
[2013/03/29 12:58:54 | 000,000,000 | --SD | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Videos
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Saved Games
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Pictures
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Music
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Links
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Favorites
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Downloads
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Documents
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\Desktop
[2013/03/29 12:58:54 | 000,000,000 | R--D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\AppData\Local\Temporary Internet Files
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Templates
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Start Menu
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\SendTo
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Recent
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\PrintHood
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\NetHood
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Documents\My Videos
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Documents\My Pictures
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Documents\My Music
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\My Documents
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Local Settings
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\AppData\Local\History
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Cookies
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\Application Data
[2013/03/29 12:58:54 | 000,000,000 | -HSD | C] -- C:\Users\Matt VanLoon\AppData\Local\Application Data
[2013/03/29 12:58:54 | 000,000,000 | -H-D | C] -- C:\Users\Matt VanLoon\AppData
[2013/03/29 12:58:54 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Temp
[2013/03/29 12:58:54 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Local\Microsoft
[2013/03/29 12:58:54 | 000,000,000 | ---D | C] -- C:\Users\Matt VanLoon\AppData\Roaming\Media Center Programs
[2013/03/29 12:58:44 | 000,000,000 | -HSD | C] -- C:\Recovery
[2013/03/29 12:38:33 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2013/03/29 12:36:23 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2013/03/28 15:22:21 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013/03/27 11:36:06 | 000,000,000 | -H-D | C] -- C:\SkyDriveTemp
[2013/03/14 14:41:56 | 000,076,384 | ---- | C] (http://libusb-win32.sourceforge.net) -- C:\Windows\SysNative\libusb0.dll
[2013/03/14 14:41:56 | 000,067,680 | ---- | C] (http://libusb-win32.sourceforge.net) -- C:\Windows\SysWow64\libusb0.dll
[2013/03/14 14:41:56 | 000,052,320 | ---- | C] (http://libusb-win32.sourceforge.net) -- C:\Windows\SysNative\drivers\libusb0.sys

========== Files - Modified Within 30 Days ==========

[2013/04/09 14:15:51 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/04/09 14:15:51 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/04/09 14:13:05 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/04/09 14:11:42 | 000,730,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/04/09 14:11:42 | 000,626,844 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/04/09 14:11:42 | 000,107,160 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/04/09 14:10:00 | 000,000,910 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/04/09 14:07:58 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/04/09 14:07:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/04/09 14:06:53 | 3118,391,296 | -HS- | M] () -- C:\hiberfil.sys
[2013/04/09 09:12:46 | 000,743,066 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/04/09 08:10:16 | 000,001,043 | ---- | M] () -- C:\Users\Matt VanLoon\Desktop\Jawbone Updater.lnk
[2013/04/09 08:10:07 | 000,000,842 | ---- | M] () -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Jawbone Updater.lnk
[2013/04/05 10:01:09 | 000,002,030 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/04/05 08:59:13 | 000,417,456 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/04/05 08:52:40 | 000,002,252 | ---- | M] () -- C:\Users\Matt VanLoon\Documents\cc_20130405_085235.reg
[2013/04/02 13:38:42 | 000,002,926 | ---- | M] () -- C:\Users\Matt VanLoon\Documents\cc_20130402_133839.reg
[2013/04/02 13:38:26 | 000,134,466 | ---- | M] () -- C:\Users\Matt VanLoon\Documents\cc_20130402_133821.reg
[2013/04/02 13:28:49 | 000,038,445 | ---- | M] () -- C:\Users\Matt VanLoon\AppData\Roaming\Comma Separated Values (Windows).ADR
[2013/04/02 11:45:39 | 000,001,146 | ---- | M] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2013/04/01 11:22:29 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2013/04/01 11:06:20 | 000,006,682 | ---- | M] () -- C:\Users\Matt VanLoon\Documents\cc_20130401_110533.reg
[2013/04/01 11:05:11 | 000,000,833 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/04/01 09:47:41 | 001,054,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2013/04/01 09:47:41 | 000,226,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\elshyph.dll
[2013/04/01 09:47:41 | 000,185,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\elshyph.dll
[2013/04/01 09:47:41 | 000,071,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe
[2013/04/01 09:47:40 | 003,958,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/04/01 09:47:40 | 001,509,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/04/01 09:47:40 | 001,441,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/04/01 09:47:40 | 001,400,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dat
[2013/04/01 09:47:40 | 001,400,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dat
[2013/04/01 09:47:40 | 000,905,728 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2013/04/01 09:47:40 | 000,855,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/04/01 09:47:40 | 000,762,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2013/04/01 09:47:40 | 000,719,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2013/04/01 09:47:40 | 000,690,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/04/01 09:47:40 | 000,629,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2013/04/01 09:47:40 | 000,603,136 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/04/01 09:47:40 | 000,599,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/04/01 09:47:40 | 000,526,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/04/01 09:47:40 | 000,452,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2013/04/01 09:47:40 | 000,441,856 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2013/04/01 09:47:40 | 000,391,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/04/01 09:47:40 | 000,361,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2013/04/01 09:47:40 | 000,281,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2013/04/01 09:47:40 | 000,235,008 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/04/01 09:47:40 | 000,232,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013/04/01 09:47:40 | 000,216,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msls31.dll
[2013/04/01 09:47:40 | 000,197,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2013/04/01 09:47:40 | 000,173,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/04/01 09:47:40 | 000,167,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iexpress.exe
[2013/04/01 09:47:40 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2013/04/01 09:47:40 | 000,150,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iexpress.exe
[2013/04/01 09:47:40 | 000,149,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2013/04/01 09:47:40 | 000,144,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\wextract.exe
[2013/04/01 09:47:40 | 000,138,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\wextract.exe
[2013/04/01 09:47:40 | 000,137,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/04/01 09:47:40 | 000,136,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2013/04/01 09:47:40 | 000,136,192 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2013/04/01 09:47:40 | 000,135,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\IEAdvpack.dll
[2013/04/01 09:47:40 | 000,125,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2013/04/01 09:47:40 | 000,117,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2013/04/01 09:47:40 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\IEAdvpack.dll
[2013/04/01 09:47:40 | 000,109,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2013/04/01 09:47:40 | 000,102,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\inseng.dll
[2013/04/01 09:47:40 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/04/01 09:47:40 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\SetIEInstalledDate.exe
[2013/04/01 09:47:40 | 000,089,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe
[2013/04/01 09:47:40 | 000,082,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\inseng.dll
[2013/04/01 09:47:40 | 000,081,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\icardie.dll
[2013/04/01 09:47:40 | 000,079,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/04/01 09:47:40 | 000,077,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\tdc.ocx
[2013/04/01 09:47:40 | 000,073,728 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\SetIEInstalledDate.exe
[2013/04/01 09:47:40 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\icardie.dll
[2013/04/01 09:47:40 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2013/04/01 09:47:40 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\pngfilt.dll
[2013/04/01 09:47:40 | 000,061,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\tdc.ocx
[2013/04/01 09:47:40 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2013/04/01 09:47:40 | 000,057,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\pngfilt.dll
[2013/04/01 09:47:40 | 000,051,712 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2013/04/01 09:47:40 | 000,051,200 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\imgutil.dll
[2013/04/01 09:47:40 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmler.dll
[2013/04/01 09:47:40 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmler.dll
[2013/04/01 09:47:40 | 000,039,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2013/04/01 09:47:40 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2013/04/01 09:47:40 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll
[2013/04/01 09:47:40 | 000,025,185 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2013/04/01 09:47:40 | 000,025,185 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2013/04/01 09:47:40 | 000,023,040 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
[2013/04/01 09:47:40 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshta.exe
[2013/04/01 09:47:40 | 000,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2013/04/01 09:47:40 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2013/04/01 09:47:24 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_point64_01011.Wdf
[2013/04/01 09:47:12 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_NuidFltr_01011.Wdf
[2013/04/01 09:43:15 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_dc3d_01011.Wdf
[2013/04/01 09:40:03 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_dc3d_01009.Wdf
[2013/04/01 08:40:10 | 000,001,186 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Genie.lnk
[2013/04/01 08:35:00 | 000,002,294 | ---- | M] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/04/01 08:07:54 | 000,002,270 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/04/01 08:07:40 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/04/01 08:07:40 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/04/01 07:17:23 | 000,001,452 | ---- | M] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/03/29 23:05:41 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2013/03/29 13:18:38 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_bcmwlhigh664_01009.Wdf
[2013/03/29 12:39:18 | 000,041,450 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2013/03/29 12:39:18 | 000,041,450 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2013/03/14 14:41:56 | 000,076,384 | ---- | M] (http://libusb-win32.sourceforge.net) -- C:\Windows\SysNative\libusb0.dll
[2013/03/14 14:41:56 | 000,067,680 | ---- | M] (http://libusb-win32.sourceforge.net) -- C:\Windows\SysWow64\libusb0.dll
[2013/03/14 14:41:56 | 000,052,320 | ---- | M] (http://libusb-win32.sourceforge.net) -- C:\Windows\SysNative\drivers\libusb0.sys

========== Files Created - No Company Name ==========

[2013/04/09 09:12:46 | 000,743,066 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/04/09 08:10:16 | 000,001,043 | ---- | C] () -- C:\Users\Matt VanLoon\Desktop\Jawbone Updater.lnk
[2013/04/09 08:10:07 | 000,000,842 | ---- | C] () -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Jawbone Updater.lnk
[2013/04/05 10:01:08 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2013/04/05 10:01:08 | 000,002,030 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/04/05 08:52:38 | 000,002,252 | ---- | C] () -- C:\Users\Matt VanLoon\Documents\cc_20130405_085235.reg
[2013/04/02 13:38:40 | 000,002,926 | ---- | C] () -- C:\Users\Matt VanLoon\Documents\cc_20130402_133839.reg
[2013/04/02 13:38:23 | 000,134,466 | ---- | C] () -- C:\Users\Matt VanLoon\Documents\cc_20130402_133821.reg
[2013/04/02 13:26:11 | 000,038,445 | ---- | C] () -- C:\Users\Matt VanLoon\AppData\Roaming\Comma Separated Values (Windows).ADR
[2013/04/02 11:45:39 | 000,001,146 | ---- | C] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2013/04/01 11:22:33 | 000,178,624 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/04/01 11:22:32 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013/04/01 11:22:29 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2013/04/01 11:22:24 | 000,002,014 | ---- | C] () -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Update Checker.lnk
[2013/04/01 11:06:17 | 000,006,682 | ---- | C] () -- C:\Users\Matt VanLoon\Documents\cc_20130401_110533.reg
[2013/04/01 11:05:11 | 000,000,833 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/04/01 09:47:40 | 000,025,185 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2013/04/01 09:47:40 | 000,025,185 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2013/04/01 09:47:24 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_point64_01011.Wdf
[2013/04/01 09:47:12 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_NuidFltr_01011.Wdf
[2013/04/01 09:43:15 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_dc3d_01011.Wdf
[2013/04/01 09:40:03 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_dc3d_01009.Wdf
[2013/04/01 08:07:54 | 000,002,294 | ---- | C] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/04/01 08:07:54 | 000,002,270 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/04/01 08:07:43 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/04/01 08:05:50 | 000,000,910 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/04/01 08:05:49 | 000,000,906 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/03/31 03:20:52 | 000,000,003 | ---- | C] () -- C:\Windows\SysNative\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
[2013/03/31 03:06:15 | 000,000,003 | ---- | C] () -- C:\Windows\SysNative\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
[2013/03/29 23:05:41 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2013/03/29 13:51:00 | 000,063,744 | ---- | C] () -- C:\Windows\SysWow64\CNC1751D.TBL
[2013/03/29 13:51:00 | 000,063,744 | ---- | C] () -- C:\Windows\SysNative\CNC1751D.TBL
[2013/03/29 13:18:38 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_bcmwlhigh664_01009.Wdf
[2013/03/29 13:16:28 | 000,053,299 | ---- | C] () -- C:\Windows\SysWow64\pthreadVC.dll
[2013/03/29 13:16:23 | 000,001,186 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Genie.lnk
[2013/03/29 13:00:29 | 000,001,452 | ---- | C] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/03/29 12:59:23 | 000,001,428 | ---- | C] () -- C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2013/03/29 12:58:54 | 000,000,290 | ---- | C] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2013/03/29 12:58:54 | 000,000,272 | ---- | C] () -- C:\Users\Matt VanLoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2013/03/29 12:38:55 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2013/03/29 12:38:55 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2013/03/29 12:35:25 | 3118,391,296 | -HS- | C] () -- C:\hiberfil.sys

========== ZeroAccess Check ==========

[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 21:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 20:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 6:32 pm

OTL Extras logfile created on: 4/9/2013 2:18:02 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Matt VanLoon\Downloads
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16521)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.87 Gb Total Physical Memory | 2.52 Gb Available Physical Memory | 65.02% Memory free
7.74 Gb Paging File | 6.08 Gb Available in Paging File | 78.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 287.15 Gb Total Space | 130.11 Gb Free Space | 45.31% Space Free | Partition Type: NTFS
Drive F: | 1.17 Gb Total Space | 0.45 Gb Free Space | 38.06% Space Free | Partition Type: NTFS
Drive Z: | 9.77 Gb Total Space | 2.37 Gb Free Space | 24.28% Space Free | Partition Type: NTFS

Computer Name: WFBD01 | User Name: Matt VanLoon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2826719538-1761031791-2706135774-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{017F82CE-CF2B-4F10-A259-1AA14CE2B6BB}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{052B97CD-844C-45C8-BCA9-C655349E7631}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe |
"{17322156-B981-41B9-B7F2-55770CC4E690}" = rport=445 | protocol=6 | dir=out | app=system |
"{1D40B8B0-6FDC-4747-86C0-48782828B4AC}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{224B771C-5331-48C3-A614-49382D09C165}" = lport=139 | protocol=6 | dir=in | app=system |
"{27F208AF-8FDC-42DE-8C49-48B953E87F84}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{28471D0A-2D91-4298-9803-8AC599DAD0A4}" = lport=445 | protocol=6 | dir=in | app=system |
"{2C99A80F-B95B-4828-88A0-7784F5F9B9A4}" = lport=137 | protocol=17 | dir=in | app=system |
"{3DFE9E94-E955-4502-A563-4F98B6EA559B}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{522C321A-4A95-4495-A1DA-326289961A59}" = lport=138 | protocol=17 | dir=in | app=system |
"{543F2BD6-91F4-405C-B37D-3D0F4BD593D7}" = rport=139 | protocol=6 | dir=out | app=system |
"{604CB0B0-B8D0-45D6-A577-81BF9A46D85C}" = rport=137 | protocol=17 | dir=out | app=system |
"{658B34EE-3CCC-4014-B11D-74A861F51805}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{8E724B54-D4C0-4B99-A1F5-1057726E5B7E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{95EDD785-B001-41B8-943C-B86EA34DC9C3}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{98279992-01D6-44E5-9455-19D1DDA03DD6}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9B452A35-0CD8-46D6-92B5-9A2FE1D4644C}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9D74537E-54E9-4A41-8466-3716503A0997}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{AFCBEB59-1724-433A-A81F-06ABAC999CEF}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{BD3205F2-F584-4339-A601-D09A49DC210E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{E14E568E-0CC8-4717-B259-C912A47CB524}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{F2F2A754-0F2F-4F98-9DBB-7E0CC15A231F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{F819EF23-7A84-460C-A5AB-4B423FE0816A}" = rport=138 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1D083F61-B573-4A8E-818F-717A9BFBDEDA}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4CB5FE77-26EC-4294-A7B9-AEBA26C9654C}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{7B1E4030-F20A-42EA-9F9B-B21435288B24}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{877EF6BA-8D8D-4607-8AF1-0A10AC84333B}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{A4509F23-247A-4078-94E2-8DE5D872E635}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{B2A95009-5C87-4C09-B9BB-F2EE7FF0A5FF}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{C8184C93-5672-4DEF-B21B-A7E786C7BFBA}" = protocol=6 | dir=in | app=c:\program files (x86)\jawbone\jawboneupdater.exe |
"{D9DF896A-8AC7-4FE4-893D-CF88704A1338}" = protocol=17 | dir=in | app=c:\program files (x86)\jawbone\jawboneupdater.exe |
"{E7294B69-0ADF-4CA5-9E53-E0A50840BEF2}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2100_series" = Canon MG2100 series MP Drivers
"{24F93B56-61F5-415F-85B9-AA444DA34AFC}" = Microsoft Mouse and Keyboard Center
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Mouse and Keyboard Center" = Microsoft Mouse and Keyboard Center

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{3C7839E7-21F4-49E0-B4D5-AC8ED818CCB0}" = NETGEAR WNDA3100v2 wireless USB 2.0 adapter
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.02)
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"avast" = avast! Free Antivirus
"Canon MG2100 series On-screen Manual" = Canon MG2100 series On-screen Manual
"Canon MG2100 series User Registration" = Canon MG2100 series User Registration
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenuEX" = Canon Solution Menu EX
"Easy-PhotoPrint EX" = Canon Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"FileHippo.com" = FileHippo.com Update Checker
"Google Chrome" = Google Chrome
"Jawbone Updater" = Jawbone Updater
"MP Navigator EX 5.0" = Canon MP Navigator EX 5.0
"Office14.SingleImage" = Microsoft Office Home and Business 2010

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 4/9/2013 5:08:54 PM | Computer Name = WFBD01 | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 4/9/2013 5:04:33 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Security Update for Microsoft Office 2010 (KB2553447) 32-Bit
Edition.

Error - 4/9/2013 5:04:37 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Security Update for Microsoft Office 2010 (KB2584066), 32-Bit
Edition.

Error - 4/9/2013 5:04:40 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Definition Update for Microsoft Office 2010 (KB982726) 32-Bit
Edition.

Error - 4/9/2013 5:04:43 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Security Update for Microsoft Office 2010 (KB2589320) 32-Bit
Edition.

Error - 4/9/2013 5:04:46 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Update for Office File Validation 2010 (KB2553065), 32-bit
Edition.

Error - 4/9/2013 5:04:49 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Update for Microsoft Office 2010 (KB2566458), 32-Bit Edition.

Error - 4/9/2013 5:04:53 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition.

Error - 4/9/2013 5:04:56 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition.

Error - 4/9/2013 5:05:19 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Service Pack 1 for Microsoft Office 2010 (KB2510690) 32-bit
Edition.

Error - 4/9/2013 5:05:23 PM | Computer Name = WFBD01 | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070652: Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition.


< End of report >
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 6:35 pm

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-09 15:21:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAJS-08L7A0 rev.03.03E03 298.09GB
Running: dgy1lub5.exe; Driver: C:\Users\MATTVA~1\AppData\Local\Temp\uwtdqpog.sys


---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000149870470
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000149870460
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000149870370
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000149870480
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001498703e0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000149870320
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000001498703b0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000149870390
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000001498702e0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000149870440
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000001498702d0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000149870310
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000001498703c0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000001498703f0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000149870230
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0xffffffffd295e890}
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000149870490
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000001498703a0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000001498702f0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000149870350
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000149870290
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000001498702b0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000001498703d0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000149870330
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0xffffffffd295e590}
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000149870410
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000149870240
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000001498701e0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000149870250
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0xffffffffd295e090}
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000001498704a0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000001498704b0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000149870300
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000149870360
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000001498702a0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000001498702c0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000149870380
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000149870340
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000149870450
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000149870260
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000149870270
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000149870400
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000001498701f0
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000149870210
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000149870200
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000149870420
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000149870430
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000149870220
.text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000149870280
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\wininit.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\wininit.exe[460] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000149870470
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000149870460
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000149870370
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000149870480
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001498703e0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000149870320
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000001498703b0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000149870390
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000001498702e0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000149870440
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000001498702d0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000149870310
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000001498703c0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000001498703f0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000149870230
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0xffffffffd295e890}
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000149870490
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000001498703a0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000001498702f0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000149870350
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000149870290
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000001498702b0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000001498703d0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000149870330
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0xffffffffd295e590}
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000149870410
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000149870240
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000001498701e0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000149870250
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0xffffffffd295e090}
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000001498704a0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000001498704b0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000149870300
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000149870360
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000001498702a0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000001498702c0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000149870380
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000149870340
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000149870450
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000149870260
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000149870270
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000149870400
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000001498701f0
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000149870210
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000149870200
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000149870420
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000149870430
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000149870220
.text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000149870280
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\winlogon.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\services.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\services.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\lsass.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\svchost.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\System32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\System32\svchost.exe[888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\System32\svchost.exe[920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\System32\svchost.exe[920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 6:36 pm

.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\svchost.exe[952] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000100070470
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000100070460
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000100070370
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000100070480
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001000703e0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000100070320
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000001000703b0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000100070390
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000001000702e0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000100070440
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000001000702d0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000100070310
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000001000703c0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000001000703f0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000100070230
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0xffffffff8915e890}
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000100070490
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000001000703a0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000001000702f0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000100070350
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000100070290
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000001000702b0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000001000703d0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000100070330
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0xffffffff8915e590}
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000100070410
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000100070240
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000100070250
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0xffffffff8915e090}
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000001000704a0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000001000704b0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000100070300
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000100070360
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000001000702a0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000001000702c0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000100070380
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000100070340
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000100070450
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000100070260
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000100070270
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000100070400
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000001000701f0
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000100070210
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000100070200
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000100070420
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000100070430
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000100070220
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000100070280
.text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\WLANExt.exe[1260] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\System32\spoolsv.exe[1512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\svchost.exe[1540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1680] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[1724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000767d1465 2 bytes [7D, 76]
.text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767d14bb 2 bytes [7D, 76]
.text ...
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 6:37 pm

.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\svchost.exe[1828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe[1868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\taskhost.exe[2152] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\taskeng.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\Dwm.exe[2260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\Explorer.EXE[2292] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\Explorer.EXE[2292] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\system32\svchost.exe[3016] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 00000001003f075c
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001003f03a4
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 00000001003f0b14
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 00000001003f0ecc
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001003f163c
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 00000001003f1284
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001003f19f4
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\system32\SearchIndexer.exe[2112] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 00000001002f075c
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001002f03a4
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 00000001002f0b14
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 00000001002f0ecc
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001002f163c
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 00000001002f1284
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001002f19f4
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE[2900] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 6:37 pm

.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 000000010021075c
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001002103a4
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 0000000100210b14
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 0000000100210ecc
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 000000010021163c
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 0000000100211284
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001002119f4
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\System32\igfxtray.exe[1248] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 000000010043075c
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001004303a4
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 0000000100430b14
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 0000000100430ecc
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 000000010043163c
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 0000000100431284
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001004319f4
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\System32\hkcmd.exe[1912] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 000000010041075c
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001004103a4
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 0000000100410b14
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 0000000100410ecc
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 000000010041163c
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 0000000100411284
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001004119f4
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\System32\igfxpers.exe[1664] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770bfaa0 5 bytes JMP 0000000100240600
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770bfb38 5 bytes JMP 0000000100240804
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770bfc90 5 bytes JMP 0000000100240c0c
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770c0018 5 bytes JMP 0000000100240a08
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770c1900 5 bytes JMP 0000000100240e10
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770dc45a 5 bytes JMP 00000001002401f8
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770e1217 5 bytes JMP 00000001002403fc
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b5ee09 5 bytes JMP 00000001002501f8
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b63982 5 bytes JMP 00000001002503fc
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b67603 5 bytes JMP 0000000100250804
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b6835c 5 bytes JMP 0000000100250600
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b7f52b 5 bytes JMP 0000000100250a08
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e95181 5 bytes JMP 0000000100261014
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e95254 5 bytes JMP 0000000100260804
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e953d5 5 bytes JMP 0000000100260a08
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e954c2 5 bytes JMP 0000000100260c0c
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e955e2 5 bytes JMP 0000000100260e10
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e9567c 5 bytes JMP 00000001002601f8
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e9589f 5 bytes JMP 00000001002603fc
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e95a22 5 bytes JMP 0000000100260600
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000767d1465 2 bytes [7D, 76]
.text C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe[3176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767d14bb 2 bytes [7D, 76]
.text ... * 2
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770bfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770bfb38 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770bfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770c0018 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770c1900 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770dc45a 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770e1217 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b5ee09 5 bytes JMP 00000001002401f8
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b63982 5 bytes JMP 00000001002403fc
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b67603 5 bytes JMP 0000000100240804
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b6835c 5 bytes JMP 0000000100240600
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE[3184] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b7f52b 5 bytes JMP 0000000100240a08
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3196] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 00000001002a075c
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001002a03a4
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 00000001002a0b14
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 00000001002a0ecc
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001002a163c
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 00000001002a1284
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001002a19f4
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\splwow64.exe[3960] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\splwow64.exe[3960] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 000000010041075c
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001004103a4
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 0000000100410b14
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 0000000100410ecc
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 000000010041163c
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 0000000100411284
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001004119f4
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\system32\conhost.exe[3976] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770bfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770bfb38 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770bfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770c0018 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770c1900 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770dc45a 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770e1217 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b5ee09 5 bytes JMP 00000001001e01f8
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b63982 5 bytes JMP 00000001001e03fc
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b67603 5 bytes JMP 00000001001e0804
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b6835c 5 bytes JMP 00000001001e0600
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b7f52b 5 bytes JMP 00000001001e0a08
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e95181 5 bytes JMP 0000000100271014
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e95254 5 bytes JMP 0000000100270804
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e953d5 5 bytes JMP 0000000100270a08
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e954c2 5 bytes JMP 0000000100270c0c
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e955e2 5 bytes JMP 0000000100270e10
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e9567c 5 bytes JMP 00000001002701f8
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e9589f 5 bytes JMP 00000001002703fc
.text C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE[988] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e95a22 5 bytes JMP 0000000100270600
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 00000001001f075c
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001001f03a4
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 00000001001f0b14
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 00000001001f0ecc
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001001f163c
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 00000001001f1284
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001001f19f4
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[2184] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 00000001002a075c
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001002a03a4
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 00000001002a0b14
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 00000001002a0ecc
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001002a163c
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 00000001002a1284
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001002a19f4
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000076ca8550 5 bytes JMP 00000001002e075c
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000076cad440 5 bytes JMP 00000001002e1284
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076caf874 5 bytes JMP 00000001002e0ecc
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076cb4d4c 5 bytes JMP 00000001002e03a4
.text C:\Windows\System32\svchost.exe[3372] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076cc8c20 5 bytes JMP 00000001002e0b14
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\system32\svchost.exe[3832] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770bfaa0 5 bytes JMP 0000000100030600
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770bfb38 5 bytes JMP 0000000100030804
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770bfc90 5 bytes JMP 0000000100030c0c
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770c0018 5 bytes JMP 0000000100030a08
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770c1900 5 bytes JMP 0000000100030e10
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770dc45a 5 bytes JMP 00000001000301f8
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770e1217 5 bytes JMP 00000001000303fc
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000075b5ee09 5 bytes JMP 00000001002501f8
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000075b63982 5 bytes JMP 00000001002503fc
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075b67603 5 bytes JMP 0000000100250804
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000075b6835c 5 bytes JMP 0000000100250600
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000075b7f52b 5 bytes JMP 0000000100250a08
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e95181 5 bytes JMP 0000000100261014
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e95254 5 bytes JMP 0000000100260804
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e953d5 5 bytes JMP 0000000100260a08
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e954c2 5 bytes JMP 0000000100260c0c
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e955e2 5 bytes JMP 0000000100260e10
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e9567c 5 bytes JMP 00000001002601f8
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e9589f 5 bytes JMP 00000001002603fc
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e95a22 5 bytes JMP 0000000100260600
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000767d1465 2 bytes [7D, 76]
.text C:\Users\Matt VanLoon\Downloads\OTL.exe[4328] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000767d14bb 2 bytes [7D, 76]
.text ...
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 9th, 2013, 6:38 pm

* 2
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\system32\AUDIODG.EXE[5536] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 000000010021075c
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001002103a4
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070470
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070460
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 0000000100210b14
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 0000000100210ecc
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070480
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 000000010021163c
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f11760 5 bytes JMP 0000000077070440
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 0000000100211284
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890}
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070490
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590}
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090}
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 00000000770704a0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704b0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070450
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001002119f4
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280
.text C:\Windows\notepad.exe[6072] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\notepad.exe[6072] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076ee3ae0 5 bytes JMP 000000010016075c
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076ee7a90 5 bytes JMP 00000001001603a4
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f11490 5 bytes JMP 0000000100160b14
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f114f0 5 bytes JMP 0000000100160ecc
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 000000010016163c
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f11810 5 bytes JMP 0000000100161284
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 00000001001619f4
.text C:\Windows\notepad.exe[4856] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076dfeecd 1 byte [62]
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefef26e00 5 bytes JMP 000007ff7ef41dac
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefef26f2c 5 bytes JMP 000007ff7ef40ecc
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefef27220 5 bytes JMP 000007ff7ef41284
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefef2739c 5 bytes JMP 000007ff7ef4163c
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefef27538 5 bytes JMP 000007ff7ef419f4
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefef275e8 5 bytes JMP 000007ff7ef403a4
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefef2790c 5 bytes JMP 000007ff7ef4075c
.text C:\Windows\notepad.exe[4856] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefef27ab4 5 bytes JMP 000007ff7ef40b14
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770bfaa0 5 bytes JMP 0000000100030600
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770bfb38 5 bytes JMP 0000000100030804
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770bfc90 5 bytes JMP 0000000100030c0c
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770c0018 5 bytes JMP 0000000100030a08
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000770c1900 5 bytes JMP 0000000100030e10
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000770dc45a 5 bytes JMP 00000001000301f8
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000770e1217 5 bytes JMP 00000001000303fc
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762da30a 1 byte [62]
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e95181 5 bytes JMP 0000000100241014
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e95254 5 bytes JMP 0000000100240804
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e953d5 5 bytes JMP 0000000100240a08
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e954c2 5 bytes JMP 0000000100240c0c
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e955e2 5 bytes JMP 0000000100240e10
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e9567c 5 bytes JMP 00000001002401f8
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e9589f 5 bytes JMP 00000001002403fc
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e95a22 5 bytes JMP 0000000100240600
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075b5ee09 5 bytes JMP 00000001002501f8
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075b63982 5 bytes JMP 00000001002503fc
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075b67603 5 bytes JMP 0000000100250804
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075b6835c 5 bytes JMP 0000000100250600
.text C:\Users\Matt VanLoon\Downloads\dgy1lub5.exe[6220] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075b7f52b 5 bytes JMP 0000000100250a08

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 4
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 625025
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip?
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9
Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS?
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler.
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700
Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip?
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 4
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 625025
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows
Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr?
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP
Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files
Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip?
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver
Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor
Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS?
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1
Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler.

---- EOF - GMER 2.1 ----
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby deltalima » April 11th, 2013, 3:53 pm

Hi mvanloon,

Run OTL Script

  • Double-click OTL.exe (Right click and choose "Run as administrator" in Vista/Win7).
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :Commands
    [CREATERESTOREPOINT]
    
    :processes
    killallprocesses
    :otl
    IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}: "URL" = http://isearch.fantastigames.com/web?sr ... mid=465&q= {searchTerms}
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}: "URL" = http://isearch.fantastigames.com/web?sr ... mid=465&q= {searchTerms}
    IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}: "URL" = http://isearch.fantastigames.com/web?sr ... mid=465&q= {searchTerms}
    CHR - homepage: http://isearch.fantastigames.com/465 
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}
    IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}
    IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}: "URL" = http://isearch.fantastigames.com/web?sr ... mid=465&q= {searchTerms}
    IE - HKU\S-1-5-21-2826719538-1761031791-2706135774-1000\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}
    :services
    :reg
    :files
    schtasks /query /fo LIST /v  /c
    set /c
    :commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    [EMPTYJAVA]
    [RESETHOSTS]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Malwarebytes Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • When the program loads, Decline the Malwarebytes' Anti-Malware Trial (You can activate this when we've finished, if you wish)
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Please let me know how the computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 12th, 2013, 5:16 pm

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== PROCESSES ==========
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
Registry key HKEY_USERS\S-1-5-21-2826719538-1761031791-2706135774-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
Use Chrome's Settings page to change the HomePage.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-2826719538-1761031791-2706135774-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}\ not found.
HKEY_USERS\S-1-5-21-2826719538-1761031791-2706135774-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< schtasks /query /fo LIST /v /c >
Folder: \
HostName: WFBD01
TaskName: \Adobe Flash Player Updater
Next Run Time: 4/12/2013 2:13:00 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:13:00 PM
Last Result: 0
Author: Adobe Systems Incorporated
Task To Run: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Start In: N/A
Comment: This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 4:13:00 PM
Start Date: 12/31/1999
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: 1 Hour(s), 0 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: 24 Hour(s), 0 Minute(s)
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \avast! Emergency Update
Next Run Time: 4/12/2013 11:22:29 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:03:59 PM
Last Result: 0
Author: avast! Emergency Update
Task To Run: C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 6:22:29 AM
Start Date: 4/2/2013
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: 12 Hour(s), 0 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: 24 Hour(s), 0 Minute(s)
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \avast! Emergency Update
Next Run Time: 4/12/2013 11:22:29 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:03:59 PM
Last Result: 0
Author: avast! Emergency Update
Task To Run: C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \CCleanerSkipUAC
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive only
Last Run Time: 4/5/2013 10:15:29 AM
Last Result: 0
Author: Piriform Ltd
Task To Run: "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Matt VanLoon
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \GoogleUpdateTaskMachineCore
Next Run Time: 4/13/2013 8:10:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:03 PM
Last Result: 0
Author: Matt VanLoon
Task To Run: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Start In: N/A
Comment: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when the
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \GoogleUpdateTaskMachineCore
Next Run Time: 4/13/2013 8:10:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:03 PM
Last Result: 0
Author: Matt VanLoon
Task To Run: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Start In: N/A
Comment: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when the
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 8:10:00 AM
Start Date: 4/1/2013
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \GoogleUpdateTaskMachineUA
Next Run Time: 4/12/2013 2:10:00 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:10:00 PM
Last Result: 0
Author: Matt VanLoon
Task To Run: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Start In: N/A
Comment: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when the
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 8:10:00 AM
Start Date: 4/1/2013
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: 1 Hour(s), 0 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: 24 Hour(s), 0 Minute(s)
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft_Hardware_Launch_ipoint_exe
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/1/2013 9:47:30 AM
Last Result: 1073807364
Author: N/A
Task To Run: C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
Start In: C:\Program Files\Microsoft Mouse and Keyboard Center\
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft_Hardware_Launch_itype_exe
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/1/2013 9:47:29 AM
Last Result: 1073807364
Author: N/A
Task To Run: C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
Start In: C:\Program Files\Microsoft Mouse and Keyboard Center\
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft_Hardware_Launch_mousekeyboardcenter_exe
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/1/2013 9:47:31 AM
Last Result: 0
Author: N/A
Task To Run: C:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe
Start In: C:\Program Files\Microsoft Mouse and Keyboard Center\
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft_MKC_Logon_Task_ipoint.exe
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:03 PM
Last Result: 267009
Author: N/A
Task To Run: C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
Start In: C:\Program Files\Microsoft Mouse and Keyboard Center\
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft_MKC_Logon_Task_itype.exe
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:01:59 PM
Last Result: 267009
Author: N/A
Task To Run: C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
Start In: C:\Program Files\Microsoft Mouse and Keyboard Center\
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Active Directory Rights Management Services Client
HostName: WFBD01
TaskName: \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. In this case, it fails silently.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Everyone
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 3:00:00 AM
Start Date: 11/9/2006
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. In this case, it fails silently.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Everyone
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Updates the AD RMS rights policy templates for the user. This job provides a credential prompt if authentication to the template distribution web service on the server fails.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Everyone
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\AppID
HostName: WFBD01
TaskName: \Microsoft\Windows\AppID\PolicyConverter
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: %windir%\system32\appidpolicyconverter.exe
Start In: N/A
Comment: Converts the software restriction policies policy from XML into binary format.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: %windir%\system32\appidcertstorecheck.exe
Start In: N/A
Comment: Inspects the AppID certificate cache for invalid or revoked certificates.
Scheduled Task State: Disabled
Idle Time: Only Start If Idle for 3 minutes, If Not Idle Retry For 1380 minutes Stop the task if Idle State end
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Application Experience
HostName: WFBD01
TaskName: \Microsoft\Windows\Application Experience\AitAgent
Next Run Time: 4/13/2013 2:30:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 12:56:10 PM
Last Result: 259
Author: Microsoft Corporation
Task To Run: aitagent
Start In: N/A
Comment: Aggregates and uploads Application Telemetry information if opted-in to the Microsoft Customer Experience Improvement Program.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 3 minutes, If Not Idle Retry For 1320 minutes Stop the task if Idle State end
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 2:30:00 AM
Start Date: 10/8/2007
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\Application Experience\ProgramDataUpdater
Next Run Time: 4/13/2013 12:30:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 12:56:03 PM
Last Result: 259
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate
Start In: N/A
Comment: Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 3 minutes, If Not Idle Retry For 1380 minutes Stop the task if Idle State end
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 12:30:00 AM
Start Date: 10/8/2007
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\Autochk
HostName: WFBD01
TaskName: \Microsoft\Windows\Autochk\Proxy
Next Run Time: N/A
Status: Unknown
Logon Mode: Interactive/Background
Last Run Time: 4/11/2013 7:12:59 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations
Start In: N/A
Comment: This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement Program.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 10 minutes, If Not Idle Retry For 525600 minutes
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Bluetooth
HostName: WFBD01
TaskName: \Microsoft\Windows\Bluetooth\UninstallDeviceTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft
Task To Run: BthUdTask.exe $(Arg0)
Start In: N/A
Comment: Uninstalls the PnP device associated with the specified Bluetooth service ID
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\CertificateServicesClient
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\SystemTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:07 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\SystemTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:07 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\SystemTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:07 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\UserTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:07 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\UserTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:07 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\UserTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:02:07 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\UserTask-Roam
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\CertificateServicesClient\UserTask-Roam
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Customer Experience Improvement Program
HostName: WFBD01
TaskName: \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
Next Run Time: 4/13/2013 3:00:00 AM
Status: Could not start
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 12:56:03 PM
Last Result: -2147479295
Author: Microsoft Corporation
Task To Run: %SystemRoot%\System32\wsqmcons.exe
Start In: N/A
Comment: If the user has consented to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Hourly
Start Time: 12:00:00 AM
Start Date: 1/2/2004
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 19 Hour(s), 0 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
Next Run Time: 4/18/2013 3:30:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/11/2013 4:00:25 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: The Kernel CEIP (Customer Experience Improvement Program) task collects additional information about the system and sends this data to Microsoft. If the user has not consented to participate in Windows CEIP, this task does nothing.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 3 minutes, If Not Idle Retry For 1020 minutes
Power Management: No Start On Batteries
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Weekly
Start Time: 3:30:00 AM
Start Date: 9/1/2008
End Date: N/A
Days: THU
Months: Every 1 week(s)
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
Next Run Time: 4/14/2013 1:30:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/11/2013 3:00:21 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: The USB CEIP (Customer Experience Improvement Program) task collects Universal Serial Bus related statistics and information about your machine and sends it to the Windows Device Connectivity engineering group at Microsoft. The information received is
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 1:30:00 AM
Start Date: 4/25/2008
End Date: N/A
Days: Every 3 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\Defrag
HostName: WFBD01
TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time: 4/17/2013 2:14:38 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/10/2013 1:26:46 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\defrag.exe -c
Start In: N/A
Comment: This task defragments the computers hard disk drives.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 3 minutes, If Not Idle Retry For 10080 minutes Stop the task if Idle State end
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Weekly
Start Time: 1:00:00 AM
Start Date: 1/1/2005
End Date: N/A
Days: WED
Months: Every 1 week(s)
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\Diagnosis
HostName: WFBD01
TaskName: \Microsoft\Windows\Diagnosis\Scheduled
Next Run Time: 4/14/2013 1:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/7/2013 1:00:00 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: The Windows Scheduled Maintenance Task performs periodic maintenance of the computer system by fixing problems automatically or reporting them through the Action Center.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 10 minutes, If Not Idle Retry For 480 minutes
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Weekly
Start Time: 1:00:00 AM
Start Date: 1/1/2004
End Date: N/A
Days: SUN
Months: Every 1 week(s)
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\DiskDiagnostic
HostName: WFBD01
TaskName: \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
Next Run Time: 4/14/2013 1:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 3/31/2013 1:00:00 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART
Start In: N/A
Comment: The Windows Disk Diagnostic reports general disk and system information to Microsoft for users participating in the Customer Experience Program.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for minutes, If Not Idle Retry For minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Weekly
Start Time: 1:00:00 AM
Start Date: 1/1/2004
End Date: N/A
Days: SUN
Months: Every 2 week(s)
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: %windir%\system32\DFDWiz.exe
Start In: N/A
Comment: The Microsoft-Windows-DiskDiagnosticResolver warns users about faults reported by hard disks that support the Self Monitoring and Reporting Technology (S.M.A.R.T.) standard. This task is triggered automatically by the Diagnostic Policy Service when a S.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Location
HostName: WFBD01
TaskName: \Microsoft\Windows\Location\Notifications
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %windir%\System32\LocationNotifications.exe
Start In: N/A
Comment: Location Activity
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Authenticated Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Maintenance
HostName: WFBD01
TaskName: \Microsoft\Windows\Maintenance\WinSAT
Next Run Time: 4/14/2013 1:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/7/2013 1:00:00 AM
Last Result: 0
Author: Microsoft
Task To Run: COM handler
Start In: N/A
Comment: Measures a system's performance and capabilities
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for minutes, If Not Idle Retry For minutes Stop the task if Idle State end
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Administrators
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Weekly
Start Time: 1:00:00 AM
Start Date: 1/1/2008
End Date: N/A
Days: SUN
Months: Every 1 week(s)
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\Media Center
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\ActivateWindowsSearch
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch
Start In: N/A
Comment: Privileged Media Center Search Reindexing job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\ConfigureInternetTimeService
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService
Start In: N/A
Comment: Privileged Media Center Time Update Service setting job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\DispatchRecoveryTasks
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)
Start In: N/A
Comment: Privileged Media Center Recovery Task Dispatcher job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\ehDRMInit
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /DRMInit
Start In: N/A
Comment: Privileged Media Center DRM initialization job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\InstallPlayReady
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)
Start In: N/A
Comment: Privileged Media Center PlayReady install job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\mcupdate
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\mcupdate $(Arg0)
Start In: N/A
Comment: Check for Media Center updates.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\MediaCenterRecoveryTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: Multiple actions
Start In: Multiple actions
Comment: Perform Media Center Recovery activities
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\ObjectStoreRecoveryTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: Multiple actions
Start In: Multiple actions
Comment: Perform Object Store Recovery activities
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\OCURActivate
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate
Start In: N/A
Comment: Privileged Media Center OCUR activation job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\OCURDiscovery
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)
Start In: N/A
Comment: Privileged Media Center OCUR discovery job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\PBDADiscovery
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery
Start In: N/A
Comment: Privileged Media Center OCUR discovery job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\PBDADiscoveryW1
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery
Start In: N/A
Comment: Privileged Media Center OCUR discovery job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\PBDADiscoveryW2
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery
Start In: N/A
Comment: Privileged Media Center OCUR discovery job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 01:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\PeriodicScanRetry
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %windir%\ehome\MCUpdate.exe -pscn 0
Start In: N/A
Comment: Background periodic scanner - PeriodicScanRetry
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only
Start Time: 5:33:00 PM
Start Date: 9/9/2006
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\PvrRecoveryTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: Multiple actions
Start In: Multiple actions
Comment: Perform Pvr Recovery activities
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\PvrScheduleTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: Multiple actions
Start In: Multiple actions
Comment: Perform PVR Scheduling activities
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\RecordingRestart
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehrec /RestartRecording
Start In: N/A
Comment: Restarts recordings after a power failure.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\RegisterSearch
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)
Start In: N/A
Comment: Privileged Media Center Search registration job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\ReindexSearchRoot
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot
Start In: N/A
Comment: Privileged Media Center Search Reindexing job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\SqlLiteRecoveryTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: Multiple actions
Start In: Multiple actions
Comment: Perform Data Recovery activities
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Media Center\UpdateRecordPath
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)
Start In: N/A
Comment: Privileged Media Center Recorder Permission setting job
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\MemoryDiagnostic
HostName: WFBD01
TaskName: \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Task for launching the Memory Diagnostic
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Task for launching the Memory Diagnostic
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\MobilePC
HostName: WFBD01
TaskName: \Microsoft\Windows\MobilePC\HotStart
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:01:59 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Launches applications configured for Windows HotStart
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Authenticated Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\MUI
HostName: WFBD01
TaskName: \Microsoft\Windows\MUI\LPRemove
Next Run Time: N/A
Status: Unknown
Logon Mode: Interactive/Background
Last Run Time: 4/11/2013 7:13:07 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\lpremove.exe
Start In: N/A
Comment: Launch language cleanup tool
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 10 minutes, If Not Idle Retry For 10 minutes Stop the task if Idle State end
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 09:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm

Re: isearch.fantasigames malware infected my computer

Unread postby mvanloon » April 12th, 2013, 5:16 pm

Folder: \Microsoft\Windows\Multimedia
HostName: WFBD01
TaskName: \Microsoft\Windows\Multimedia\SystemSoundsService
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:01:59 PM
Last Result: 267009
Author: N/A
Task To Run: COM handler
Start In: N/A
Comment: System Sounds User Mode Agent
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\NetTrace
HostName: WFBD01
TaskName: \Microsoft\Windows\NetTrace\GatherNetworkInfo
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft
Task To Run: %windir%\system32\gatherNetworkInfo.vbs
Start In: $(Arg1)
Comment: Network information collector
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Offline Files
HostName: WFBD01
TaskName: \Microsoft\Windows\Offline Files\Background Synchronization
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task controls periodic background synchronization of Offline Files when the user is working in an offline mode.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Authenticated Users
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 24:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Hourly
Start Time: 12:00:00 AM
Start Date: 1/1/2008
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 6 Hour(s), 0 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\Offline Files\Logon Synchronization
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task initiates synchronization of Offline Files when a user logs onto the system.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Authenticated Users
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 24:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\PerfTrack
HostName: WFBD01
TaskName: \Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Performance Tracing Idle Task: Background configuration surveyor
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management: No Start On Batteries
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At idle time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Performance Tracing Idle Task: Background configuration surveyor
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management: No Start On Batteries
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 3:00:00 AM
Start Date: 5/30/2008
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\PLA
INFO: There are no scheduled tasks presently available at your access level.
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
HostName: WFBD01
TaskName: \Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
Next Run Time: 4/16/2013 9:25:09 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/2/2013 9:31:36 AM
Last Result: 259
Author: Microsoft Corporation
Task To Run: %SystemRoot%\System32\powercfg.exe -energy -auto
Start In: N/A
Comment: This job analyzes the system looking for conditions that may cause high energy use.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 5 minutes, If Not Idle Retry For 120 minutes
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 00:05:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 6:00:00 AM
Start Date: 1/1/2008
End Date: N/A
Days: Every 14 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\RAC
HostName: WFBD01
TaskName: \Microsoft\Windows\RAC\RacTask
Next Run Time: 4/12/2013 3:14:10 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 12:59:03 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Microsoft Reliability Analysis task to process system reliability data.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\RAC\RacTask
Next Run Time: 4/12/2013 3:01:57 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 12:59:03 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Microsoft Reliability Analysis task to process system reliability data.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Hourly
Start Time: 12:00:00 AM
Start Date: 3/31/2008
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 1 Hour(s), 0 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\Ras
HostName: WFBD01
TaskName: \Microsoft\Windows\Ras\MobilityManager
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Provides support for the switching of mobility enabled VPN connections if their underlying interface goes down.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Registry
HostName: WFBD01
TaskName: \Microsoft\Windows\Registry\RegIdleBackup
Next Run Time: 4/14/2013 12:43:33 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/4/2013 12:11:58 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Registry Idle Backup Task
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 3 minutes, If Not Idle Retry For 1380 minutes Stop the task if Idle State end
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 12:00:00 AM
Start Date: 1/1/2008
End Date: N/A
Days: Every 10 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\RemoteAssistance
HostName: WFBD01
TaskName: \Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft
Task To Run: %windir%\system32\RAServer.exe /offerraupdate
Start In: %windir%
Comment: Checks group policy for changes relevant to Remote Assistance
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft
Task To Run: %windir%\system32\RAServer.exe /offerraupdate
Start In: %windir%
Comment: Checks group policy for changes relevant to Remote Assistance
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Shell
HostName: WFBD01
TaskName: \Microsoft\Windows\Shell\WindowsParentalControls
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft
Task To Run: COM handler
Start In: N/A
Comment: Notifications for actions taken by Windows Parental Controls.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Authenticated Users
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Shell\WindowsParentalControlsMigration
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: 7/13/2009 10:09:03 PM
Last Result: 0
Author: Microsoft
Task To Run: COM handler
Start In: N/A
Comment: Migration for Windows Parental Controls.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\SideShow
HostName: WFBD01
TaskName: \Microsoft\Windows\SideShow\AutoWake
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task automatically wakes the computer and then puts it to sleep when automatic wake is turned on for a Windows SideShow-compatible device.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\SideShow\GadgetManager
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task manages and synchronizes metadata for the installed gadgets on a Windows SideShow-compatible device.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\SideShow\SessionAgent
Next Run Time: Disabled
Status: Could not start
Logon Mode: Interactive/Background
Last Run Time: 3/29/2013 12:59:12 PM
Last Result: -2147023729
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task manages the session behavior when multiple user accounts exist on a Windows SideShow-compatible device.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\SideShow\SystemDataProviders
Next Run Time: Disabled
Status: Could not start
Logon Mode: Interactive/Background
Last Run Time: 3/29/2013 12:59:27 PM
Last Result: -2147023729
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task provides system data for the clock, power source, wireless network strength, and volume on a Windows SideShow-compatible device.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\SoftwareProtectionPlatform
HostName: WFBD01
TaskName: \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: sc.exe start sppsvc
Start In: N/A
Comment: This task restarts the Software Protection Platform service at the specified time
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 12:00:00 AM
Start Date: 1/1/2004
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\SystemRestore
HostName: WFBD01
TaskName: \Microsoft\Windows\SystemRestore\SR
Next Run Time: 4/13/2013 12:00:00 AM
Status: Unknown
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 12:56:03 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
Start In: N/A
Comment: This task creates regular system protection points.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 10 minutes, If Not Idle Retry For 1380 minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 12:00:00 AM
Start Date: 6/14/2005
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\SystemRestore\SR
Next Run Time: 4/13/2013 12:00:00 AM
Status: Unknown
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 12:56:03 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
Start In: N/A
Comment: This task creates regular system protection points.
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 10 minutes, If Not Idle Retry For 1380 minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At system start up
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Task Manager
HostName: WFBD01
TaskName: \Microsoft\Windows\Task Manager\Interactive
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: Runs a task as the interactive user.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Tcpip
HostName: WFBD01
TaskName: \Microsoft\Windows\Tcpip\IpAddressConflict1
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem
Start In: N/A
Comment: This event is triggered when an IP address conflict is detected.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\Tcpip\IpAddressConflict2
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem
Start In: N/A
Comment: This event is triggered when an IP address conflict is detected.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\TextServicesFramework
HostName: WFBD01
TaskName: \Microsoft\Windows\TextServicesFramework\MsCtfMonitor
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:01:59 PM
Last Result: 267009
Author: N/A
Task To Run: COM handler
Start In: N/A
Comment: TextServicesFramework monitor task
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Time Synchronization
HostName: WFBD01
TaskName: \Microsoft\Windows\Time Synchronization\SynchronizeTime
Next Run Time: 4/14/2013 1:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/7/2013 1:00:00 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\sc.exe start w32time task_started
Start In: N/A
Comment: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Weekly
Start Time: 1:00:00 AM
Start Date: 1/1/2005
End Date: N/A
Days: SUN
Months: Every 1 week(s)
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\UPnP
HostName: WFBD01
TaskName: \Microsoft\Windows\UPnP\UPnPHostConfig
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft
Task To Run: sc.exe config upnphost start= auto
Start In: N/A
Comment: Set UPnPHost service to Auto-Start
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\User Profile Service
HostName: WFBD01
TaskName: \Microsoft\Windows\User Profile Service\HiveUploadTask
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task will automatically upload a roaming user profile's registry hive to its network location.
Scheduled Task State: Disabled
Idle Time: Only Start If Idle for 10 minutes, If Not Idle Retry For 120 minutes
Power Management: Stop On Battery Mode
Run As User: SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Hourly
Start Time: 12:00:00 AM
Start Date: 8/28/2007
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 12 Hour(s), 0 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\WDI
HostName: WFBD01
TaskName: \Microsoft\Windows\WDI\ResolutionHost
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/9/2013 2:47:21 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: The Windows Diagnostic Infrastructure Resolution host enables interactive resolutions for system problems detected by the Diagnostic Policy Service. It is triggered when necessary by the Diagnostic Policy Service in the appropriate user session. If the
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: INTERACTIVE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: On demand only
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Windows Activation Technologies
HostName: WFBD01
TaskName: \Microsoft\Windows\Windows Activation Technologies\ValidationTask
Next Run Time: 7/1/2013 9:35:46 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/2/2013 9:31:36 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %SystemRoot%\system32\Wat\WatAdminSvc.exe /run
Start In: N/A
Comment: Microsoft Update KB971033
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 5 minutes, If Not Idle Retry For 14340 minutes
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 4:35:46 PM
Start Date: 7/1/2013
End Date: N/A
Days: Every 90 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline
Next Run Time: 7/11/2013 9:35:46 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: %SystemRoot%\system32\schtasks.exe /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask"
Start In: N/A
Comment: Microsoft Update KB971033
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 4:35:46 PM
Start Date: 7/11/2013
End Date: N/A
Days: Every 90 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \Microsoft\Windows\Windows Error Reporting
HostName: WFBD01
TaskName: \Microsoft\Windows\Windows Error Reporting\QueueReporting
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:15:00 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\wermgr.exe -queuereporting
Start In: N/A
Comment: Windows Error Reporting task to process queued reports.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Windows Filtering Platform
HostName: WFBD01
TaskName: \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange
Start In: N/A
Comment: This task adjusts the start type for firewall-triggered services when the start type of the Base Filtering Engine (BFE) is disabled.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Windows Media Sharing
HostName: WFBD01
TaskName: \Microsoft\Windows\Windows Media Sharing\UpdateLibrary
Next Run Time: N/A
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: Microsoft Corporation
Task To Run: "%ProgramFiles%\Windows Media Player\wmpnscfg.exe"
Start In: N/A
Comment: This task updates the cached list of folders and the security permissions on any new files in a user's shared media library.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Authenticated Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\WindowsBackup
HostName: WFBD01
TaskName: \Microsoft\Windows\WindowsBackup\AutomaticBackup
Next Run Time: 4/14/2013 7:00:00 PM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/7/2013 7:00:00 PM
Last Result: 0
Author: WFBD01\Matt VanLoon
Task To Run: %systemroot%\system32\rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Start In: N/A
Comment: This scheduled task runs automatic backup on a regular basis.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Weekly
Start Time: 7:00:00 PM
Start Date: 4/2/2013
End Date: N/A
Days: SUN
Months: Every 1 week(s)
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\WindowsBackup\ConfigNotification
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: 4/3/2013 10:00:00 AM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION
Start In: N/A
Comment: This scheduled task notifies the user that Windows Backup has not been configured.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: LOCAL SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 10:00:00 AM
Start Date: 11/28/2010
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\WindowsBackup\Windows Backup Monitor
Next Run Time: 4/13/2013 10:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:07:00 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %systemroot%\system32\sdclt.exe /CHECKSKIPPED
Start In: N/A
Comment: This scheduled task displays a notification if one or more scheduled backups have been skipped.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 10:00:00 AM
Start Date: 7/12/2005
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
HostName: WFBD01
TaskName: \Microsoft\Windows\WindowsBackup\Windows Backup Monitor
Next Run Time: 4/13/2013 10:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:07:00 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %systemroot%\system32\sdclt.exe /CHECKSKIPPED
Start In: N/A
Comment: This scheduled task displays a notification if one or more scheduled backups have been skipped.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\WindowsBackup\Windows Backup Monitor
Next Run Time: 4/13/2013 10:00:00 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:07:00 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %systemroot%\system32\sdclt.exe /CHECKSKIPPED
Start In: N/A
Comment: This scheduled task displays a notification if one or more scheduled backups have been skipped.
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\WindowsColorSystem
HostName: WFBD01
TaskName: \Microsoft\Windows\WindowsColorSystem\Calibration Loader
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: 7/13/2009 10:09:01 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task applies color calibration settings.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
HostName: WFBD01
TaskName: \Microsoft\Windows\WindowsColorSystem\Calibration Loader
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: 7/13/2009 10:09:01 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: COM handler
Start In: N/A
Comment: This task applies color calibration settings.
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: When an event occurs
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows\Wininet
HostName: WFBD01
TaskName: \Microsoft\Windows\Wininet\CacheTask
Next Run Time: N/A
Status: Running
Logon Mode: Interactive/Background
Last Run Time: 4/12/2013 1:01:59 PM
Last Result: 267009
Author: Microsoft
Task To Run: COM handler
Start In: N/A
Comment: Wininet Cache Task
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management:
Run As User: Users
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: At logon time
Start Time: N/A
Start Date: N/A
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: N/A
Repeat: Until: Time: N/A
Repeat: Until: Duration: N/A
Repeat: Stop If Still Running: N/A
Folder: \Microsoft\Windows Defender
HostName: WFBD01
TaskName: \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time: 4/13/2013 3:40:18 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan
Start In: N/A
Comment: Scheduled Scan
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 3:40:18 AM
Start Date: 1/1/2000
End Date: 1/1/2100
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \OfficeSoftwareProtectionPlatform
HostName: WFBD01
TaskName: \OfficeSoftwareProtectionPlatform\SvcRestartTask
Next Run Time: Disabled
Status:
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: $(@%systemroot%\system32\osppc.dll,-200)
Task To Run: %systemroot%\system32\sc.exe start osppsvc
Start In: N/A
Comment: $(@%systemroot%\system32\osppc.dll,-201)
Scheduled Task State: Disabled
Idle Time: Disabled
Power Management:
Run As User: NETWORK SERVICE
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 12:00:00 AM
Start Date: 1/1/2004
End Date: N/A
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Folder: \WPD
HostName: WFBD01
TaskName: \WPD\SqmUpload_S-1-5-21-2826719538-1761031791-2706135774-1000
Next Run Time: 4/13/2013 12:25:52 PM
Status: Ready
Logon Mode: Interactive only
Last Run Time: 4/12/2013 12:56:10 PM
Last Result: 0
Author: Microsoft Corporation
Task To Run: %windir%\system32\rundll32.exe portabledeviceapi.dll,#1
Start In: N/A
Comment: This task uploads Customer Experience Improvement Program (CEIP) data for Portable Devices
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 10 minutes, If Not Idle Retry For 1380 minutes
Power Management: No Start On Batteries
Run As User: WFBD01\Matt VanLoon
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 00:15:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 12:00:00 PM
Start Date: 1/1/2008
End Date: 5/2/2015
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
C:\Users\Matt VanLoon\Downloads\cmd.bat deleted successfully.
C:\Users\Matt VanLoon\Downloads\cmd.txt deleted successfully.
< set /c >
ALLUSERSPROFILE=C:\ProgramData
allusersXP=C:\ProgramData\application data
APPDATA=C:\Users\Matt VanLoon\AppData\Roaming
arch=x64
CHROME_ALLOCATOR=TCMALLOC
CHROME_BREAKPAD_PIPE_NAME=\\.\pipe\GoogleCrashServices\S-1-5-18
CHROME_METRO_DLL=0
CHROME_RESTART=Google Chrome|Whoa! Google Chrome has crashed. Relaunch now?|LEFT_TO_RIGHT
CHROME_VERSION=26.0.1410.64
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WFBD01
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Matt VanLoon
line=zipperformer
local=C:\Users\Matt VanLoon\appdata\local
LOCALAPPDATA=C:\Users\Matt VanLoon\AppData\Local
locallow=C:\Users\Matt VanLoon\appdata\locallow
localsettingsappdataXP=C:\Users\Matt VanLoon\Local Settings\Application Data
LOGONSERVER=\\WFBD01
MpConfig_ProductAppDataPath=C:\ProgramData\Microsoft\Windows Defender
MpConfig_ProductCodeName=AntiSpyware
MpConfig_ProductPath=C:\Program Files (x86)\Windows Defender
MpConfig_ProductUserAppDataPath=C:\Users\Matt VanLoon\AppData\Local\Microsoft\Windows Defender
MpConfig_ReportingGUID=76ABCA3B-4069-47F2-98E4-F384AEAFF1E1
NirCmd=0
NUMBER_OF_PROCESSORS=2
OS=Windows 7 Professional
Path=C:\Program Files (x86)\Google\Chrome\Application;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=170a
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
pubdesktop=C:\Users\Public\Desktop
pubdesktopXP=C:\Documents and Settings\Public\Desktop
PUBLIC=C:\Users\Public
quicklaunch=C:\Users\Matt VanLoon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
RegPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
SID=S-1-5-21-2826719538-1761031791-2706135774-1000
StartDate=Fri 04/12/2013
startmenu=C:\ProgramData\Microsoft\Windows\Start Menu\Programs
startmenu2=C:\Users\Matt VanLoon\AppData\Roaming\microsoft\windows\start menu\programs
startmenu3XP=C:\ProgramData\start menu\programs
startmenu4XP=C:\Users\Matt VanLoon\start menu\programs
StartTime=13:37:26.98
sys32=C:\Windows\system32
SystemDrive=C:
SystemRoot=C:\Windows
syswow64=C:\Windows\syswow64
tasks=C:\Windows\tasks
TEMP=C:\Users\MATTVA~1\AppData\Local\Temp
TMP=C:\Users\MATTVA~1\AppData\Local\Temp
USERDOMAIN=WFBD01
USERNAME=Matt VanLoon
USERPROFILE=C:\Users\Matt VanLoon
windir=C:\Windows
windows_tracing_flags=3
windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
C:\Users\Matt VanLoon\Downloads\cmd.bat deleted successfully.
C:\Users\Matt VanLoon\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Matt VanLoon
->Temp folder emptied: 380061 bytes
->Temporary Internet Files folder emptied: 102058643 bytes
->Google Chrome cache emptied: 8395637 bytes
->Flash cache emptied: 1142 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16944334 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 122.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Matt VanLoon
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Matt VanLoon

User: Public

Total Java Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 04122013_140250

Files\Folders moved on Reboot...
C:\Users\Matt VanLoon\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Matt VanLoon\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.12.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
Matt VanLoon :: WFBD01 [administrator]

4/12/2013 2:07:31 PM
mbam-log-2013-04-12 (14-07-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205252
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




Isearch.fantasigames comes up when i open google chrome but not when I open I.E
mvanloon
Regular Member
 
Posts: 16
Joined: April 5th, 2013, 1:42 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware