Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need help finding MITM Trojan please!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Need help finding MITM Trojan please!

Unread postby triplesec » April 2nd, 2013, 5:17 pm

Hi there.
So my bank (natwest.com) told me that my main machine was infected with Zeus, Silon or one other like this, a MITM Trojan aimed especially at UK banks. I have run various programs to try to detect ad kill whatever they think I have, but no positive results. I'm not sure they were right, but "not sure" isn't good enough for machine security.

My resident AV is Avast (free) and I use the Windoze firewall (on Win7 64 Home ed). However, I did have it turned off for a while by accident. And I never do that, so I've been punching myself in the head as retribution.
I tried, in roughly this order, with no positive results:
Avast scan
Kaspersky TDSSkiller.exe
MalwareBytes. I had to use Chameleon to get it to run properly (which hasn't happened before) so I uninstalled mbam, rebooted to safe mode and ran chameleon and then updated malwarebytes.
Sophos virus removal tool .exe
rkill.exe from bleepingcomputer
eset online scanner
spybotsd
avg_rem_zbot_all_1_822

So, I have no idea if it was a false stupid bank thing or i have bee compromised by a download or passing website.

After having trouble logging onto here over the weekend, I made it in at last so I could ask you guys. I pride myself oon knowing how to fix most things, but being stumped, I need to invoke a higher power.... and I hope to be able to pass on the love if I can be helped.
lots of thanks,
Here are the logs:

Attach.txt

DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2011-11-19 9:02:07 AM
System Uptime: 2013-04-01 11:04:41 PM (22 hours ago)
.
Motherboard: Acer | | Aspire 7551
Processor: AMD Phenom(tm) II N970 Quad-Core Processor | Socket S1G4 | 792/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 453 GiB total, 254.973 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
7-Zip 9.22beta
Acer Backup Manager
Acer Crystal Eye Webcam
Acer ePower Management
Acer eRecovery Management
Acer Game Console
Acer Games
Acer Registration
Acer ScreenSaver
Acer Updater
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.1 MUI
Alcor Micro USB Card Reader
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Fuel
AMD Media Foundation Decoders
AMD USB Filter Driver
AMD VISION Engine Control Center
Application Profiles
avast! Free Antivirus
Backup Manager Basic
Bejeweled 2 Deluxe
Blackhawk Striker 2
Bob the Builder Can-Do-Zoo
Broadcom Gigabit NetLink Controller
Build-a-lot 2
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
Catan Online World
ccc-utility64
CCC Help English
Compatibility Pack for the 2007 Office system
CyberLink PowerDVD 9
Dropbox
eBay Worldwide
Escape Rosecliff Island
ESET Online Scanner v3
eSobi v2
Evernote v. 4.6.4
Expat Shield 2.25
Faerie Solitaire
FATE - The Traitor Soul
Google Chrome
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Update Helper
HyperCam 2
Identity Card
IrfanView (remove only)
ISO Workshop 3.7
Janetter 4.0.2.0
Java 7 Update 9
Java Auto Updater
Java(TM) 6 Update 32
JavaFX 2.1.1
Jewel Quest Solitaire 3
Junk Mail filter update
Launch Manager
Malwarebytes Anti-Malware version 1.70.0.1100
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
Microsoft Works
Monopoly
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird 17.0.3 (x86 en-US)
MSI Afterburner 2.1.0
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
MyFreeCodec
Mystery P.I. - Lost in Los Angeles
MyWinLocker
MyWinLocker Suite
Norton Online Backup
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
OpenOffice.org 3.3
Pandora Service
Penguins!
Plants vs. Zombies
Polar Bowler
Polar Golfer
Portal
Realtek High Definition Audio Driver
Rise of Nations Thrones and Patriots Trial Version
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Scrabble Plus
Scrivener
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Shredder
Skype™ 6.1
Sophos Virus Removal Tool
Spotify
Spybot - Search & Destroy
Synaptics Pointing Device Driver
The KMPlayer (remove only)
The Price is Right
TweetDeck
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Virtual Families
Virtual Villagers - A New Home
VLC media player 2.0.5
Welcome Center
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Yahtzee
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
2013-03-30 6:31:45 PM, Error: SNMP [1500] - The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
2013-03-30 6:31:31 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\windows\system32\athExt.dll Error Code: 126
2013-03-29 7:56:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2013-03-29 3:00:12 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
2013-03-29 3:00:11 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
2013-03-28 8:48:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2013-03-27 8:48:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2013-03-27 8:48:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2013-03-27 8:48:08 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\windows\system32\athExt.dll Error Code: 21
2013-03-27 8:47:53 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache mwlPSDFilter mwlPSDNServ mwlPSDVDisk spldr Wanarpv6
2013-03-27 7:45:10 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
.
==== End Of File ===========================

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16521 BrowserJavaVersion: 10.9.2
Run by richardhod at 21:54:19 on 2013-04-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7934.5520 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\windows\system32\svchost.exe -k iissvcs
C:\windows\system32\Dwm.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe
C:\Program Files (x86)\Samsung\Kies\Kies.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\windows\system32\taskmgr.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\taskhost.exe
C:\windows\regedit.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
C:\windows\system32\atibtmon.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Speech Recognition] "C:\windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "C:\Users\richardhod\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [OOTag] C:\Program Files (x86)\Acer\OOBEOffer\OOTag.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\RICHAR~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\richardhod\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\RICHAR~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{7AB98B19-6ACE-42A8-A5C5-4A871AACB59B} : DHCPNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{7AB98B19-6ACE-42A8-A5C5-4A871AACB59B}\7596E646D696C6C602354727565647 : DHCPNameServer = 192.168.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\richardhod\AppData\Roaming\Mozilla\Firefox\Profiles\xxne83wz.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.124\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\richardhod\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
FF - plugin: C:\windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\windows\System32\drivers\aswRvrt.sys [2013-3-21 65336]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswSnx.sys [2012-8-2 1025808]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswSP.sys [2012-8-2 377920]
R1 mwlPSDFilter;mwlPSDFilter;C:\windows\System32\drivers\mwlPSDFilter.sys [2009-6-3 22576]
R1 mwlPSDNServ;mwlPSDNServ;C:\windows\System32\drivers\mwlPSDNserv.sys [2009-6-3 20016]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\windows\System32\drivers\mwlPSDVDisk.sys [2009-6-3 60464]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2011-10-26 202752]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-10-26 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-24 55424]
R2 aswFsBlk;aswFsBlk;C:\windows\System32\drivers\aswFsBlk.sys [2012-8-2 33400]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2012-8-2 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-3-21 45248]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-8-10 325200]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2010-8-10 865824]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-4-13 243232]
R3 amdiox64;AMD IO Driver;C:\windows\System32\drivers\amdiox64.sys [2011-11-19 46136]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\windows\System32\drivers\k57nd60a.sys [2009-10-16 321064]
R3 usbfilter;AMD USB Filter Driver;C:\windows\System32\drivers\usbfilter.sys [2010-8-10 38456]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2013-3-30 1153368]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 AmUStor;AM USB Stroage Driver;C:\windows\System32\drivers\AmUStor.sys [2009-12-2 40448]
S3 aswVmm;aswVmm;C:\windows\System32\drivers\aswVmm.sys [2013-3-21 178624]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\windows\System32\drivers\ssudbus.sys [2012-11-2 102368]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2012-11-1 19456]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\windows\System32\drivers\ssudmdm.sys [2012-11-2 203104]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2012-11-1 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-11-21 1255736]
S4 ExpatShieldService;Expat Shield Service;C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe [2012-1-17 331608]
S4 ExpatSrv;Expat Shield Routing Service;C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe [2012-1-5 363336]
S4 ExpatTrayService;Expat Shield Tray Service;C:\Program Files (x86)\Expat Shield\bin\EXPATTrayService.exe [2012-1-17 77520]
S4 ExpatWd;Expat Shield Monitoring Service;C:\Program Files (x86)\Expat Shield\bin\hsswd.exe -product Expat --> C:\Program Files (x86)\Expat Shield\bin\hsswd.exe -product Expat [?]
S4 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-2-1 305520]
S4 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-3-9 250368]
S4 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-11-6 50432]
S4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-11-6 144640]
S4 PanService;PandoraService;C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-1-24 1867480]
.
=============== Created Last 30 ================
.
2013-04-01 22:40:36 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-03-31 09:39:25 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0DC5C39C-24C1-4AE5-A23F-01144C099EE3}\offreg.dll
2013-03-30 21:11:56 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-03-30 21:11:56 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2013-03-30 04:24:11 24176 ----a-w- C:\windows\System32\drivers\mbam.sys
2013-03-30 04:24:10 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-30 04:20:41 9311288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0DC5C39C-24C1-4AE5-A23F-01144C099EE3}\mpengine.dll
2013-03-27 19:38:11 -------- d-----w- C:\Program Files (x86)\ESET
2013-03-27 19:01:48 -------- d-----w- C:\ProgramData\Sophos
2013-03-27 19:01:17 73728 ----a-r- C:\Users\richardhod\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-03-27 19:01:17 73728 ----a-r- C:\Users\richardhod\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-03-27 19:01:17 73728 ----a-r- C:\Users\richardhod\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-03-27 19:01:03 -------- d-----w- C:\Program Files (x86)\Sophos
2013-03-20 23:21:23 178624 ----a-w- C:\windows\System32\drivers\aswVmm.sys
2013-03-20 23:21:22 65336 ----a-w- C:\windows\System32\drivers\aswRvrt.sys
2013-03-20 19:24:52 19968 ----a-w- C:\windows\System32\drivers\usb8023.sys
2013-03-19 10:30:29 -------- d-----w- C:\Program Files (x86)\Microsoft Games
2013-03-05 06:26:27 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
.
==================== Find3M ====================
.
2013-03-30 12:28:23 73432 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-30 12:28:23 693976 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-03-06 23:33:21 70992 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2013-03-06 23:33:21 1025808 ----a-w- C:\windows\System32\drivers\aswSnx.sys
2013-03-06 23:33:20 80816 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2013-03-06 23:32:51 41664 ----a-w- C:\windows\avastSS.scr
2013-02-12 05:45:24 135168 ----a-w- C:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\windows\apppatch\AcGenral.dll
2013-01-17 01:28:58 273840 ------w- C:\windows\System32\MpSigStub.exe
2013-01-13 21:17:03 9728 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17:02 2560 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16:42 10752 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12:46 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11:21 4096 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11:08 5632 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11:07 5632 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:35:31 9728 ---ha-w- C:\windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 20:35:31 2560 ---ha-w- C:\windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 20:35:18 10752 ---ha-w- C:\windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 20:32:07 3584 ---ha-w- C:\windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 20:31:48 4096 ---ha-w- C:\windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 20:31:41 5632 ---ha-w- C:\windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 20:31:40 5632 ---ha-w- C:\windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31:00 1247744 ----a-w- C:\windows\SysWow64\DWrite.dll
2013-01-13 20:22:22 1988096 ----a-w- C:\windows\SysWow64\d3d10warp.dll
2013-01-13 20:20:31 293376 ----a-w- C:\windows\SysWow64\dxgi.dll
2013-01-13 20:09:00 249856 ----a-w- C:\windows\SysWow64\d3d10_1core.dll
2013-01-13 20:08:43 220160 ----a-w- C:\windows\SysWow64\d3d10core.dll
2013-01-13 20:08:35 1504768 ----a-w- C:\windows\SysWow64\d3d11.dll
2013-01-13 19:59:04 1643520 ----a-w- C:\windows\System32\DWrite.dll
2013-01-13 19:58:28 1175552 ----a-w- C:\windows\System32\FntCache.dll
2013-01-13 19:54:01 604160 ----a-w- C:\windows\SysWow64\d3d10level9.dll
2013-01-13 19:53:58 207872 ----a-w- C:\windows\SysWow64\WindowsCodecsExt.dll
2013-01-13 19:53:14 187392 ----a-w- C:\windows\SysWow64\UIAnimation.dll
2013-01-13 19:51:30 2565120 ----a-w- C:\windows\System32\d3d10warp.dll
2013-01-13 19:49:17 363008 ----a-w- C:\windows\System32\dxgi.dll
2013-01-13 19:48:47 161792 ----a-w- C:\windows\SysWow64\d3d10_1.dll
2013-01-13 19:46:25 1080832 ----a-w- C:\windows\SysWow64\d3d10.dll
2013-01-13 19:43:21 1230336 ----a-w- C:\windows\SysWow64\WindowsCodecs.dll
2013-01-13 19:38:39 333312 ----a-w- C:\windows\System32\d3d10_1core.dll
2013-01-13 19:38:32 1887232 ----a-w- C:\windows\System32\d3d11.dll
2013-01-13 19:38:21 296960 ----a-w- C:\windows\System32\d3d10core.dll
2013-01-13 19:37:57 3419136 ----a-w- C:\windows\SysWow64\d2d1.dll
2013-01-13 19:25:04 245248 ----a-w- C:\windows\System32\WindowsCodecsExt.dll
2013-01-13 19:24:33 648192 ----a-w- C:\windows\System32\d3d10level9.dll
2013-01-13 19:24:30 221184 ----a-w- C:\windows\System32\UIAnimation.dll
2013-01-13 19:20:42 194560 ----a-w- C:\windows\System32\d3d10_1.dll
2013-01-13 19:20:04 1238528 ----a-w- C:\windows\System32\d3d10.dll
2013-01-13 19:15:40 1424384 ----a-w- C:\windows\System32\WindowsCodecs.dll
2013-01-13 19:10:36 3928064 ----a-w- C:\windows\System32\d2d1.dll
2013-01-13 19:02:06 417792 ----a-w- C:\windows\SysWow64\WMPhoto.dll
2013-01-13 18:34:58 364544 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll
2013-01-13 18:32:43 465920 ----a-w- C:\windows\System32\WMPhoto.dll
2013-01-13 18:09:52 522752 ----a-w- C:\windows\System32\XpsGdiConverter.dll
2013-01-13 17:26:42 1158144 ----a-w- C:\windows\SysWow64\XpsPrint.dll
2013-01-13 17:05:09 1682432 ----a-w- C:\windows\System32\XpsPrint.dll
2013-01-05 05:53:43 5553512 ----a-w- C:\windows\System32\ntoskrnl.exe
2013-01-05 05:00:15 3967848 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00:11 3913064 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2013-01-04 06:11:21 2284544 ----a-w- C:\windows\SysWow64\msmpeg2vdec.dll
2013-01-04 06:11:13 2776576 ----a-w- C:\windows\System32\msmpeg2vdec.dll
2013-01-04 05:46:09 215040 ----a-w- C:\windows\System32\winsrv.dll
2013-01-04 04:51:16 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2013-01-04 04:43:21 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2013-01-04 03:26:48 3153408 ----a-w- C:\windows\System32\win32k.sys
2013-01-04 02:47:35 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2013-01-04 02:47:34 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2013-01-04 02:47:34 2048 ----a-w- C:\windows\SysWow64\user.exe
2013-01-04 02:47:33 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00:54 1913192 ----a-w- C:\windows\System32\drivers\tcpip.sys
2013-01-03 06:00:42 288088 ----a-w- C:\windows\System32\drivers\FWPKCLNT.SYS
.
============= FINISH: 21:55:24.44 ===============
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm
Advertisement
Register to Remove

Re: Need help finding MITM Trojan please!

Unread postby Gary R » April 3rd, 2013, 11:47 am

Looking over your logs, back soon.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Need help finding MITM Trojan please!

Unread postby Gary R » April 3rd, 2013, 12:04 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Malware Removal" forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi triplesec

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • As you're using Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Nothing in your DDS logs is indicating you have a MITM infection, so we'll need to run a few more scans to see if they throw up any additional information.

First

Download OTL by OldTimer to your Desktop.

Alternative Download

If you already have a copy of OTL delete it and use this version.

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Under Custom Scans/Fixes copy/paste the contents of the code box below.
Code: Select all
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%windir%\system32\tasks\*.*
%windir%\system32\tasks\*.* /64
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT
%PROGRAMFILES%\*.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents

  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Next

Download GMER to your Desktop. (It will have a randomly generated name, for example .... wjkl3ecz.exe)

  • Disconnect from the Internet, and close all running programmes.
  • There is a small chance this programme may crash your computer, so save any work you have open.
  • Double click on the randomly named GMER file (eg .... wjkl3ecz.exe) to launch GMER.
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
  • If no warning:
    • Click Rootkit tab.
    • Ensure that All the boxes to the right of the program are checked except Show All.
    • Click Scan.
  • Do not use your computer while the scan is running.
  • Once scan is finished click Copy.
    • Click Start > Run then type Notepad.exe then click OK.
    • This will open a Notepad file.
    • Hit Ctrl+V to paste log into it.
    • Save the log to your Desktop.
  • Reconnect to internet and post the log please.

Next

  • Please download [b]MBRScan[/b] and save it to your [color="#FF0000"]desktop[/color].
  • Doubleclick on MBRScan.exe and click the Dump button. (if prompted, allow the prompt)
  • Now close MBRScan.
  • You will find a file Dump_Hdd0_DR0.mbr created in the same location as MBRScan.exe
  • Please attach it to your next reply please. (if the forum software will not allow you to attach it, change the name to Dump_Hdd0_DR0.txt and it should then attach OK.)

Summary of the logs I need from you in your next post:
  • OTL.txt
  • Extras.txt
  • GMER log
  • Dump_Hdd0_DR0.mbr


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 3rd, 2013, 8:51 pm

Thank you! Here's OTL.txt (first part)

OTL logfile created on: 2013-04-04 12:19:24 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\richardhod\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16521)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

7.75 Gb Total Physical Memory | 5.65 Gb Available Physical Memory | 72.92% Memory free
15.49 Gb Paging File | 12.75 Gb Available in Paging File | 82.27% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.97 Gb Total Space | 254.75 Gb Free Space | 56.24% Space Free | Partition Type: NTFS

Computer Name: HOD17ACER | User Name: richardhod | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found --
PRC - [2013-04-04 00:12:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\richardhod\Desktop\OTL.exe
PRC - [2013-04-03 03:15:20 | 000,917,400 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2013-03-21 00:18:17 | 001,822,424 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
PRC - [2013-03-19 16:49:40 | 001,086,816 | ---- | M] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) -- C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
PRC - [2013-03-07 00:32:44 | 004,767,304 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2013-03-07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2013-02-20 09:21:24 | 000,213,384 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe
PRC - [2012-12-20 10:44:26 | 001,476,104 | ---- | M] (Samsung) -- C:\Program Files (x86)\Samsung\Kies\Kies.exe
PRC - [2012-12-18 02:10:18 | 000,578,560 | ---- | M] (Samsung Electronics) -- C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe
PRC - [2010-03-09 00:56:38 | 000,260,608 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
PRC - [2010-03-04 06:21:16 | 001,300,560 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LManager.exe
PRC - [2010-03-04 06:21:16 | 000,325,200 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe
PRC - [2010-03-04 06:21:16 | 000,297,040 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LMworker.exe
PRC - [2010-01-29 00:27:36 | 000,243,232 | ---- | M] (Acer Group) -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe
PRC - [2010-01-08 14:21:22 | 000,023,584 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Acer\Registration\GREGsvc.exe


========== Modules (No Company Name) ==========

MOD - [2013-04-03 03:15:19 | 003,069,848 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2013-03-21 00:18:17 | 014,717,144 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
MOD - [2013-02-25 20:46:12 | 000,212,992 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\7ff638de44686eab4afaa8b3c8a9cfca\System.ServiceProcess.ni.dll
MOD - [2013-01-10 09:57:10 | 002,297,856 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\77dfcfed5fd5f67d0d3edc545935bb21\System.Core.ni.dll
MOD - [2013-01-10 06:48:29 | 000,771,584 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll
MOD - [2013-01-10 06:48:16 | 014,340,608 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\ff7c9a4f41f7cccc47e696c11b9f8469\PresentationFramework.ni.dll
MOD - [2013-01-10 06:47:49 | 012,237,824 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\19b3d17c3ce0e264c4fb62028161adf7\PresentationCore.ni.dll
MOD - [2013-01-10 06:47:38 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll
MOD - [2013-01-10 06:47:32 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MOD - [2013-01-10 06:47:28 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
MOD - [2013-01-10 06:47:27 | 007,989,760 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MOD - [2013-01-10 06:47:18 | 011,493,376 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MOD - [2012-12-20 10:41:18 | 012,976,640 | ---- | M] () -- C:\Program Files (x86)\Samsung\Kies\Theme\Kies.Theme.dll
MOD - [2012-12-20 04:31:44 | 000,572,416 | ---- | M] () -- C:\Program Files (x86)\Samsung\Kies\Common\Kies.UI.dll
MOD - [2012-12-18 02:35:44 | 000,034,816 | ---- | M] () -- C:\Program Files (x86)\Samsung\Kies\Common\Kies.Common.DeviceServiceLib.Interface.dll
MOD - [2012-12-18 02:35:06 | 000,023,040 | ---- | M] () -- C:\Program Files (x86)\Samsung\Kies\MVVM\Kies.MVVM.dll
MOD - [2012-09-26 12:57:26 | 000,057,856 | ---- | M] () -- C:\Program Files (x86)\Samsung\Kies\External\MediaModules\ASF_cSharpAPI.dll
MOD - [2012-09-08 14:16:30 | 000,433,664 | ---- | M] () -- C:\Program Files (x86)\Evernote\Evernote\libxml2.dll
MOD - [2012-09-08 14:16:20 | 000,315,392 | ---- | M] () -- C:\Program Files (x86)\Evernote\Evernote\libtidy.dll
MOD - [2010-03-09 01:18:10 | 000,465,576 | ---- | M] () -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\sqlite3.dll
MOD - [2009-05-20 23:02:04 | 000,072,200 | ---- | M] () -- C:\Program Files (x86)\Launch Manager\CdDirIo.dll


========== Services (SafeList) ==========

SRV:64bit: - [2013-03-07 00:32:44 | 000,045,248 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2011-10-26 06:14:28 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2010-11-20 14:25:18 | 000,049,664 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\snmp.exe -- (SNMP)
SRV:64bit: - [2010-03-29 17:41:36 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010-02-06 04:23:06 | 000,865,824 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
SRV:64bit: - [2010-01-29 00:27:36 | 000,243,232 | ---- | M] (Acer Group) [Auto | Running] -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Updater Service)
SRV:64bit: - [2009-07-14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009-07-14 02:39:47 | 000,010,240 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\TCPSVCS.EXE -- (simptcp)
SRV - [2013-02-16 01:12:12 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013-01-08 16:19:46 | 000,161,536 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012-02-06 13:16:56 | 001,867,480 | ---- | M] (Pandora.TV) [Disabled | Stopped] -- C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe -- (PanService)
SRV - [2012-01-17 22:22:02 | 000,077,520 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\bin\EXPATTrayService.exe -- (ExpatTrayService)
SRV - [2012-01-17 22:15:44 | 000,331,608 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe -- (ExpatShieldService)
SRV - [2012-01-05 00:02:02 | 000,329,544 | ---- | M] () [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\bin\hsswd.exe -- (ExpatWd)
SRV - [2012-01-05 00:01:58 | 000,363,336 | ---- | M] (AnchorFree Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe -- (ExpatSrv)
SRV - [2010-11-20 13:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010-11-20 13:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010-11-20 13:18:03 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2010-11-20 13:17:42 | 000,047,616 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\snmp.exe -- (SNMP)
SRV - [2010-03-09 00:58:24 | 000,250,368 | ---- | M] (NewTech Infosystems, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2010-03-04 06:21:16 | 000,325,200 | ---- | M] (Dritek System Inc.) [Auto | Running] -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe -- (DsiWMIService)
SRV - [2010-02-01 19:04:40 | 000,305,520 | ---- | M] (Egis Technology Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe -- (MWLService)
SRV - [2010-01-08 14:21:22 | 000,023,584 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Acer\Registration\GREGsvc.exe -- (GREGService)
SRV - [2009-10-10 03:59:08 | 000,238,328 | ---- | M] (WildTangent, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009-07-14 02:14:42 | 000,009,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\TCPSVCS.EXE -- (simptcp)
SRV - [2009-06-10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2013-03-07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2013-03-07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2013-03-07 00:33:21 | 000,178,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\windows\SysNative\drivers\aswVmm.sys -- (aswVmm)
DRV:64bit: - [2013-03-07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2013-03-07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2013-03-07 00:33:21 | 000,065,336 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
DRV:64bit: - [2013-03-07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2013-03-07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012-09-20 05:35:36 | 000,203,104 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudmdm.sys -- (ssudmdm)
DRV:64bit: - [2012-09-20 05:35:36 | 000,102,368 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudbus.sys -- (dg_ssudbus)
DRV:64bit: - [2012-08-23 15:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012-08-23 15:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2012-03-01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012-01-05 00:01:56 | 000,056,832 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HssDrv.sys -- (HssDrv)
DRV:64bit: - [2012-01-05 00:01:54 | 000,037,888 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss)
DRV:64bit: - [2011-06-24 14:31:02 | 000,055,424 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys -- (AODDriver4.01)
DRV:64bit: - [2011-03-11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011-03-11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010-11-20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010-06-04 11:59:00 | 004,171,328 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2010-04-07 19:04:22 | 002,216,960 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2010-03-29 17:51:38 | 006,405,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atipmdag.sys -- (amdkmdag)
DRV:64bit: - [2010-03-29 16:46:28 | 000,188,928 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010-03-09 15:21:42 | 000,123,408 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2010-02-18 18:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009-12-22 10:26:36 | 000,038,456 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2009-12-02 03:21:32 | 000,040,448 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AmUStor.sys -- (AmUStor)
DRV:64bit: - [2009-10-16 11:32:22 | 000,321,064 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a)
DRV:64bit: - [2009-08-28 18:33:48 | 000,292,400 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009-08-24 02:55:32 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie)
DRV:64bit: - [2009-07-14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009-07-14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009-07-14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009-06-20 03:09:57 | 000,054,272 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\L1E62x64.sys -- (L1E)
DRV:64bit: - [2009-06-10 21:37:05 | 006,108,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009-06-10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009-06-10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009-06-10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009-06-10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009-06-03 03:15:30 | 000,060,464 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)
DRV:64bit: - [2009-06-03 03:15:30 | 000,022,576 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)
DRV:64bit: - [2009-06-03 03:15:30 | 000,020,016 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)
DRV:64bit: - [2009-05-06 01:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV:64bit: - [2009-05-06 01:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)
DRV - [2009-07-14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 49 F1 ED 69 F8 CD 01 [binary data]
IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_enUS458GB461
IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\richardhod\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\richardhod\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-03-21 00:21:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013-04-03 03:15:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013-03-02 16:44:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2012-01-24 01:19:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\richardhod\AppData\Roaming\Mozilla\Extensions
[2013-01-05 15:44:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\richardhod\AppData\Roaming\Mozilla\Firefox\Profiles\xxne83wz.default\extensions
[2013-01-05 15:39:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012-08-17 04:02:20 | 000,000,000 | ---D | M] (Expat Shield Helper (Please allow this installation)) -- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
[2013-04-03 03:15:21 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2013-04-03 03:15:16 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2013-04-03 03:15:16 | 000,002,086 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\richardhod\AppData\Local\Google\Chrome\Application\25.0.1364.172\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\richardhod\AppData\Local\Google\Chrome\Application\25.0.1364.172\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\richardhod\AppData\Local\Google\Chrome\Application\25.0.1364.172\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 7 U4 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.40.255 (Enabled) = C:\windows\SysWOW64\npDeployJava1.dll
CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - Extension: QR Creator = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaephdgbinagkeepamlbkhkfbiaedabm\1.5_0\
CHR - Extension: Google Translate = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb\1.2.4_0\
CHR - Extension: Angry Birds = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0\
CHR - Extension: Google Drive = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: FlashBlock = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdngiadmnkhgemkimkhiilgffbjijcie\1.2.11.12_0\
CHR - Extension: Webpage & WebCam Screenshot = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckibcdccnfeookdmbahgiakhnjcddpki\7.3_0\
CHR - Extension: Gmail Offline = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk\1.19_0\
CHR - Extension: Google Calendar = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn\4.5.3_0\
CHR - Extension: AdBlock = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.61_0\
CHR - Extension: Hola Unblocker = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio\1.0.251_0\
CHR - Extension: TweetDeck = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl\2.7.2_0\
CHR - Extension: TweetDeck = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl\2.7.3_0\
CHR - Extension: ProxMate - unblock the Internet! = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgjpnmnpjmabddgmjdiaggacbololbjm\2.2.4_0\
CHR - Extension: Tweetings for Twitter = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmjgiljbchaijjckmejcedlebigkolpm\2.0.0.1_0\
CHR - Extension: ModHeader = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\idgpnmonknjnojddfkpgkljpfnnfcklj\1.2.4_0\
CHR - Extension: Clearly = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\iooicodkiihhpojmmeghjclgihfjdjhj\8.3358.555.445_0\
CHR - Extension: Google Voice (by Google) = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo\2.3.6.8_0\
CHR - Extension: Scratchpad = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjebfhglflhjjjiceimfkgicifkhjlnm\3.1.0_0\
CHR - Extension: StayFocusd = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\laankejkbhbdhmipfmgcngdelahlfoji\1.3.10_0\
CHR - Extension: Evernote Web = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbol\1.0.7_0\
CHR - Extension: Google Maps = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh\5.2.7_0\
CHR - Extension: The Independent = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdonfjaemnemdnnpebbcelibeocdmkai\1.8.0_0\
CHR - Extension: Quick Note = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\mijlebbfndhelmdpmllgcfadlkankhok\1.4.4_0\
CHR - Extension: Google Play Books = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmimngoggfoobjdlefbcabngfnmieonb\1.1.8_0\
CHR - Extension: Google Chrome to Phone Extension = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\oadboiipflhobonjjffjbfekfjcgkhco\2.3.1_0\
CHR - Extension: Picasa = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\onlgmecjpnejhfeofkgbfgnmdlipdejb\6.2.2_0\
CHR - Extension: Tumblr = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophcdpgfininbpbmjedopplgigjfibke\1.0.4_0\
CHR - Extension: Evernote Web Clipper = C:\Users\richardhod\AppData\Local\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc\5.9.12_0\

O1 HOSTS File: ([2009-06-10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL File not found
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll (AnchorFree Inc.)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE.dll (AnchorFree Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:64bit: - HKU\S-1-5-21-2107948035-1365278439-778997172-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [OOTag] C:\Program Files (x86)\Acer\OOBEOffer\OOTag.exe (Microsoft)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2107948035-1365278439-778997172-1000..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung)
O4 - HKU\S-1-5-21-2107948035-1365278439-778997172-1000..\Run: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe (Samsung Electronics)
O4 - HKU\S-1-5-21-2107948035-1365278439-778997172-1000..\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe (Samsung)
O4 - HKU\S-1-5-21-2107948035-1365278439-778997172-1000..\Run: [Speech Recognition] C:\windows\Speech\Common\sapisvr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\richardhod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\richardhod\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\richardhod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk = C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8:64bit: - Extra context menu item: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8:64bit: - Extra context menu item: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8:64bit: - Extra context menu item: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O8 - Extra context menu item: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8 - Extra context menu item: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8 - Extra context menu item: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8 - Extra context menu item: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O9 - Extra Button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 10.9.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7AB98B19-6ACE-42A8-A5C5-4A871AACB59B}: DhcpNameServer = 194.168.4.100 194.168.8.100
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{176c6a80-2f7b-11e2-8358-206a8a441344}\Shell - "" = AutoRun
O33 - MountPoints2\{176c6a80-2f7b-11e2-8358-206a8a441344}\Shell\AutoRun\command - "" = H:\StartClickFreeBackup.exe
O33 - MountPoints2\{176c6a9e-2f7b-11e2-8358-206a8a441344}\Shell - "" = AutoRun
O33 - MountPoints2\{176c6a9e-2f7b-11e2-8358-206a8a441344}\Shell\AutoRun\command - "" = F:\StartClickFreeBackup.exe
O33 - MountPoints2\{176c6ab2-2f7b-11e2-8358-206a8a441344}\Shell - "" = AutoRun
O33 - MountPoints2\{176c6ab2-2f7b-11e2-8358-206a8a441344}\Shell\AutoRun\command - "" = F:\StartClickFreeBackup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


MsConfig:64bit - StartUpFolder: C:^Users^richardhod^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk - C:\Users\richardhod\AppData\Roaming\Dropbox\bin\Dropbox.exe - (Dropbox, Inc.)
MsConfig:64bit - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig:64bit - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig:64bit - StartUpReg: AmIcoSinglun64 - hkey= - key= - C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Alcor Micro Corp.)
MsConfig:64bit - StartUpReg: chromium - hkey= - key= - C:\Users\richardhod\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
MsConfig:64bit - StartUpReg: EgisTecPMMUpdate - hkey= - key= - C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe (Egis Technology Inc.)
MsConfig:64bit - StartUpReg: EgisUpdate - hkey= - key= - C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe (Egis Technology Inc.)
MsConfig:64bit - StartUpReg: Google Update - hkey= - key= - C:\Users\richardhod\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig:64bit - StartUpReg: googletalk - hkey= - key= - C:\Users\richardhod\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
MsConfig:64bit - StartUpReg: KiesAirMessage - hkey= - key= - C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe (Samsung Electronics)
MsConfig:64bit - StartUpReg: KiesPDLR - hkey= - key= - C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung)
MsConfig:64bit - StartUpReg: KiesPreload - hkey= - key= - C:\Program Files (x86)\Samsung\Kies\Kies.exe (Samsung)
MsConfig:64bit - StartUpReg: KiesTrayAgent - hkey= - key= - C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
MsConfig:64bit - StartUpReg: mwlDaemon - hkey= - key= - C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe (Egis Technology Inc.)
MsConfig:64bit - StartUpReg: NortonOnlineBackupReminder - hkey= - key= - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe (Symantec Corporation)
MsConfig:64bit - StartUpReg: Skype - hkey= - key= - C:\Program Files (x86)\Skype\Phone\Skype.exe (Skype Technologies S.A.)
MsConfig:64bit - StartUpReg: Spotify Web Helper - hkey= - key= - C:\Users\richardhod\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
MsConfig:64bit - StartUpReg: SuiteTray - hkey= - key= - C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe (Egis Technology Inc.)
MsConfig:64bit - StartUpReg: swg - hkey= - key= - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
MsConfig:64bit - StartUpReg: Wisdom-soft ScreenHunter 5.1 Free - hkey= - key= - File not found
MsConfig:64bit - State: "bootini" - Reg Error: Key error.
MsConfig:64bit - State: "startup" - Reg Error: Key error.
MsConfig:64bit - State: "services" - Reg Error: Key error.

SafeBootMin:64bit: AppMgmt - Service
SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: MCODS - Reg Error: Value error.
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: vmms - Service
SafeBootMin:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: MCODS - Reg Error: Value error.
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet:64bit: AppMgmt - Service
SafeBootNet:64bit: Base - Driver Group
SafeBootNet:64bit: Boot Bus Extender - Driver Group
SafeBootNet:64bit: Boot file system - Driver Group
SafeBootNet:64bit: File system - Driver Group
SafeBootNet:64bit: Filter - Driver Group
SafeBootNet:64bit: HelpSvc - Service
SafeBootNet:64bit: MCODS - Reg Error: Value error.
SafeBootNet:64bit: Messenger - Service
SafeBootNet:64bit: NDIS Wrapper - Driver Group
SafeBootNet:64bit: NetBIOSGroup - Driver Group
SafeBootNet:64bit: NetDDEGroup - Driver Group
SafeBootNet:64bit: Network - Driver Group
SafeBootNet:64bit: NetworkProvider - Driver Group
SafeBootNet:64bit: PCI Configuration - Driver Group
SafeBootNet:64bit: PNP Filter - Driver Group
SafeBootNet:64bit: PNP_TDI - Driver Group
SafeBootNet:64bit: Primary disk - Driver Group
SafeBootNet:64bit: rdsessmgr - Service
SafeBootNet:64bit: sacsvr - Service
SafeBootNet:64bit: SCSI Class - Driver Group
SafeBootNet:64bit: Streams Drivers - Driver Group
SafeBootNet:64bit: System Bus Extender - Driver Group
SafeBootNet:64bit: TDI - Driver Group
SafeBootNet:64bit: vmms - Service
SafeBootNet:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet:64bit: WudfUsbccidDriver - Driver
SafeBootNet:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet:64bit: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet:64bit: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet:64bit: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet:64bit: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet:64bit: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootNet: AppMgmt - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: MCODS - Reg Error: Value error.
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\windows\system32\cmd.exe /D /C start C:\windows\system32\ie4uinit.exe -ClearIconCache
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\windows\System32\ie4uinit.exe -UserConfig
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\windows\system32\cmd.exe /D /C start C:\windows\system32\ie4uinit.exe -ClearIconCache
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} -
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: VIDC.RTV1 - rtvcvfw32.dll File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013-04-04 00:14:50 | 000,000,000 | ---D | C] -- C:\RegBackup
[2013-04-04 00:14:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2013-04-04 00:14:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Tweaking.com
[2013-04-04 00:12:15 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\richardhod\Desktop\OTL.exe
[2013-04-01 23:40:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2013-03-30 22:12:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2013-03-30 22:11:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2013-03-30 22:11:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2013-03-30 05:24:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013-03-30 05:24:11 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2013-03-30 05:24:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013-03-27 20:38:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2013-03-27 20:33:30 | 000,000,000 | ---D | C] -- C:\Users\richardhod\Desktop\rkill
[2013-03-27 20:01:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos
[2013-03-27 20:01:17 | 000,000,000 | ---D | C] -- C:\Users\richardhod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
[2013-03-27 20:01:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2013-03-23 17:02:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Evernote
[2013-03-20 20:31:12 | 001,054,720 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\MsSpellCheckingFacility.exe
[2013-03-20 20:31:12 | 000,719,360 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmlmedia.dll
[2013-03-20 20:31:12 | 000,226,304 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\elshyph.dll
[2013-03-20 20:31:12 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\elshyph.dll
[2013-03-20 20:31:12 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msrating.dll
[2013-03-20 20:31:12 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\iexpress.exe
[2013-03-20 20:31:12 | 000,138,752 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wextract.exe
[2013-03-20 20:31:12 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\inseng.dll
[2013-03-20 20:31:12 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmled.dll
[2013-03-20 20:31:12 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\RegisterIEPKEYs.exe
[2013-03-20 20:31:12 | 000,057,344 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\pngfilt.dll
[2013-03-20 20:31:11 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\jscript9.dll
[2013-03-20 20:31:11 | 001,509,376 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\inetcpl.cpl
[2013-03-20 20:31:11 | 001,441,280 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\inetcpl.cpl
[2013-03-20 20:31:11 | 001,400,416 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieapfltr.dat
[2013-03-20 20:31:11 | 001,400,416 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieapfltr.dat
[2013-03-20 20:31:11 | 000,905,728 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshtmlmedia.dll
[2013-03-20 20:31:11 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\jscript.dll
[2013-03-20 20:31:11 | 000,762,368 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieapfltr.dll
[2013-03-20 20:31:11 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\jscript.dll
[2013-03-20 20:31:11 | 000,629,248 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieapfltr.dll
[2013-03-20 20:31:11 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeeds.dll
[2013-03-20 20:31:11 | 000,599,552 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\vbscript.dll
[2013-03-20 20:31:11 | 000,526,848 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieui.dll
[2013-03-20 20:31:11 | 000,452,096 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\dxtmsft.dll
[2013-03-20 20:31:11 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\html.iec
[2013-03-20 20:31:11 | 000,391,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieui.dll
[2013-03-20 20:31:11 | 000,361,984 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\html.iec
[2013-03-20 20:31:11 | 000,281,600 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\dxtrans.dll
[2013-03-20 20:31:11 | 000,235,008 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\url.dll
[2013-03-20 20:31:11 | 000,232,960 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\url.dll
[2013-03-20 20:31:11 | 000,216,064 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msls31.dll
[2013-03-20 20:31:11 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msrating.dll
[2013-03-20 20:31:11 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ieUnatt.exe
[2013-03-20 20:31:11 | 000,167,424 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\iexpress.exe
[2013-03-20 20:31:11 | 000,149,504 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\occache.dll
[2013-03-20 20:31:11 | 000,144,896 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wextract.exe
[2013-03-20 20:31:11 | 000,137,216 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ieUnatt.exe
[2013-03-20 20:31:11 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\iesysprep.dll
[2013-03-20 20:31:11 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\iepeers.dll
[2013-03-20 20:31:11 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\IEAdvpack.dll
[2013-03-20 20:31:11 | 000,125,440 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\occache.dll
[2013-03-20 20:31:11 | 000,117,248 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\iepeers.dll
[2013-03-20 20:31:11 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\IEAdvpack.dll
[2013-03-20 20:31:11 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\iesysprep.dll
[2013-03-20 20:31:11 | 000,102,912 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\inseng.dll
[2013-03-20 20:31:11 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshtmled.dll
[2013-03-20 20:31:11 | 000,092,160 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\SetIEInstalledDate.exe
[2013-03-20 20:31:11 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\RegisterIEPKEYs.exe
[2013-03-20 20:31:11 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\icardie.dll
[2013-03-20 20:31:11 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\tdc.ocx
[2013-03-20 20:31:11 | 000,073,728 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\SetIEInstalledDate.exe
[2013-03-20 20:31:11 | 000,069,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\icardie.dll
[2013-03-20 20:31:11 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\iesetup.dll
[2013-03-20 20:31:11 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\pngfilt.dll
[2013-03-20 20:31:11 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\tdc.ocx
[2013-03-20 20:31:11 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\iesetup.dll
[2013-03-20 20:31:11 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ie4uinit.exe
[2013-03-20 20:31:11 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\imgutil.dll
[2013-03-20 20:31:11 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmler.dll
[2013-03-20 20:31:11 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshtmler.dll
[2013-03-20 20:31:11 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\iernonce.dll
[2013-03-20 20:31:11 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\iernonce.dll
[2013-03-20 20:31:11 | 000,027,648 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\licmgr10.dll
[2013-03-20 20:31:11 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\licmgr10.dll
[2013-03-20 20:31:11 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\mshta.exe
[2013-03-20 20:31:11 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\msfeedssync.exe
[2013-03-20 20:31:11 | 000,011,776 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\msfeedssync.exe
[2013-03-20 20:27:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013-03-20 20:26:00 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013-03-20 20:26:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2013-03-20 20:24:52 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\drivers\usb8023.sys
[2013-03-19 11:31:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games
[2013-03-19 11:30:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Games
[2013-03-05 19:38:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2013-03-05 19:38:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2013-03-05 07:26:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0
[2013-03-05 05:54:52 | 000,000,000 | ---D | C] -- C:\Users\richardhod\Documents\My Games

========== Files - Modified Within 30 Days ==========

[2013-04-04 00:26:00 | 000,000,898 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2013-04-04 00:25:34 | 000,000,894 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2013-04-04 00:20:28 | 000,377,856 | ---- | M] () -- C:\Users\richardhod\Desktop\xxkkrovn.exe
[2013-04-04 00:16:13 | 000,000,207 | ---- | M] () -- C:\windows\tweaking.com-regbackup-HOD17ACER-Microsoft-Windows-7-Home-Premium-(64-bit).dat
[2013-04-04 00:14:25 | 000,002,239 | ---- | M] () -- C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
[2013-04-04 00:12:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\richardhod\Desktop\OTL.exe
[2013-04-04 00:11:14 | 000,000,876 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2107948035-1365278439-778997172-1000Core.job
[2013-04-04 00:11:11 | 000,000,928 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2107948035-1365278439-778997172-1000UA.job
[2013-04-04 00:10:27 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2013-04-02 03:09:48 | 000,002,355 | ---- | M] () -- C:\Users\richardhod\Desktop\Google Chrome.lnk
[2013-03-30 22:12:01 | 000,001,286 | ---- | M] () -- C:\Users\richardhod\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2013-03-30 22:12:01 | 000,001,262 | ---- | M] () -- C:\Users\richardhod\Desktop\Spybot - Search & Destroy.lnk
[2013-03-30 19:39:40 | 000,017,600 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013-03-30 19:39:40 | 000,017,600 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013-03-30 19:31:16 | 1944,719,359 | -HS- | M] () -- C:\hiberfil.sys
[2013-03-30 13:28:23 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerApp.exe
[2013-03-30 13:28:23 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
[2013-03-30 05:24:12 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013-03-30 05:21:36 | 000,001,020 | ---- | M] () -- C:\Users\richardhod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013-03-30 05:21:12 | 000,000,998 | ---- | M] () -- C:\Users\richardhod\Desktop\Dropbox.lnk
[2013-03-27 20:01:17 | 000,003,229 | ---- | M] () -- C:\Users\richardhod\Desktop\Sophos Virus Removal Tool.lnk
[2013-03-26 22:49:07 | 000,750,000 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2013-03-26 22:49:07 | 000,643,420 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2013-03-26 22:49:07 | 000,111,066 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2013-03-21 00:21:22 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\config.nt
[2013-03-20 20:31:12 | 001,054,720 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\MsSpellCheckingFacility.exe
[2013-03-20 20:31:12 | 000,719,360 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmlmedia.dll
[2013-03-20 20:31:12 | 000,226,304 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\elshyph.dll
[2013-03-20 20:31:12 | 000,185,344 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\elshyph.dll
[2013-03-20 20:31:12 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\msrating.dll
[2013-03-20 20:31:12 | 000,150,528 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\iexpress.exe
[2013-03-20 20:31:12 | 000,138,752 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\wextract.exe
[2013-03-20 20:31:12 | 000,082,432 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\inseng.dll
[2013-03-20 20:31:12 | 000,079,872 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmled.dll
[2013-03-20 20:31:12 | 000,071,680 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\RegisterIEPKEYs.exe
[2013-03-20 20:31:12 | 000,057,344 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\pngfilt.dll
[2013-03-20 20:31:11 | 003,958,784 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\jscript9.dll
[2013-03-20 20:31:11 | 001,509,376 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\inetcpl.cpl
[2013-03-20 20:31:11 | 001,441,280 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\inetcpl.cpl
[2013-03-20 20:31:11 | 001,400,416 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\ieapfltr.dat
[2013-03-20 20:31:11 | 001,400,416 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\ieapfltr.dat
[2013-03-20 20:31:11 | 000,905,728 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\mshtmlmedia.dll
[2013-03-20 20:31:11 | 000,855,552 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\jscript.dll
[2013-03-20 20:31:11 | 000,762,368 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\ieapfltr.dll
[2013-03-20 20:31:11 | 000,690,688 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\jscript.dll
[2013-03-20 20:31:11 | 000,629,248 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\ieapfltr.dll
[2013-03-20 20:31:11 | 000,603,136 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\msfeeds.dll
[2013-03-20 20:31:11 | 000,599,552 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\vbscript.dll
[2013-03-20 20:31:11 | 000,526,848 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\ieui.dll
[2013-03-20 20:31:11 | 000,452,096 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\dxtmsft.dll
[2013-03-20 20:31:11 | 000,441,856 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\html.iec
[2013-03-20 20:31:11 | 000,391,680 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\ieui.dll
[2013-03-20 20:31:11 | 000,361,984 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\html.iec
[2013-03-20 20:31:11 | 000,281,600 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\dxtrans.dll
[2013-03-20 20:31:11 | 000,235,008 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\url.dll
[2013-03-20 20:31:11 | 000,232,960 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\url.dll
[2013-03-20 20:31:11 | 000,216,064 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\msls31.dll
[2013-03-20 20:31:11 | 000,197,120 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\msrating.dll
[2013-03-20 20:31:11 | 000,173,568 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\ieUnatt.exe
[2013-03-20 20:31:11 | 000,167,424 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\iexpress.exe
[2013-03-20 20:31:11 | 000,149,504 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\occache.dll
[2013-03-20 20:31:11 | 000,144,896 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\wextract.exe
[2013-03-20 20:31:11 | 000,137,216 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\ieUnatt.exe
[2013-03-20 20:31:11 | 000,136,704 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\iesysprep.dll
[2013-03-20 20:31:11 | 000,136,192 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\iepeers.dll
[2013-03-20 20:31:11 | 000,135,680 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\IEAdvpack.dll
[2013-03-20 20:31:11 | 000,125,440 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\occache.dll
[2013-03-20 20:31:11 | 000,117,248 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\iepeers.dll
[2013-03-20 20:31:11 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\IEAdvpack.dll
[2013-03-20 20:31:11 | 000,109,056 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\iesysprep.dll
[2013-03-20 20:31:11 | 000,102,912 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\inseng.dll
[2013-03-20 20:31:11 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\mshtmled.dll
[2013-03-20 20:31:11 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\SetIEInstalledDate.exe
[2013-03-20 20:31:11 | 000,089,600 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\RegisterIEPKEYs.exe
[2013-03-20 20:31:11 | 000,081,408 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\icardie.dll
[2013-03-20 20:31:11 | 000,077,312 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\tdc.ocx
[2013-03-20 20:31:11 | 000,073,728 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\SetIEInstalledDate.exe
[2013-03-20 20:31:11 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\icardie.dll
[2013-03-20 20:31:11 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\iesetup.dll
[2013-03-20 20:31:11 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\pngfilt.dll
[2013-03-20 20:31:11 | 000,061,952 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\tdc.ocx
[2013-03-20 20:31:11 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\iesetup.dll
[2013-03-20 20:31:11 | 000,051,712 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\ie4uinit.exe
[2013-03-20 20:31:11 | 000,051,200 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\imgutil.dll
[2013-03-20 20:31:11 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\mshtmler.dll
[2013-03-20 20:31:11 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\mshtmler.dll
[2013-03-20 20:31:11 | 000,039,936 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\iernonce.dll
[2013-03-20 20:31:11 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\iernonce.dll
[2013-03-20 20:31:11 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\licmgr10.dll
[2013-03-20 20:31:11 | 000,025,185 | ---- | M] () -- C:\windows\SysWow64\ieuinit.inf
[2013-03-20 20:31:11 | 000,025,185 | ---- | M] () -- C:\windows\SysNative\ieuinit.inf
[2013-03-20 20:31:11 | 000,023,040 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\licmgr10.dll
[2013-03-20 20:31:11 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\mshta.exe
[2013-03-20 20:31:11 | 000,012,800 | ---- | M] (Microsoft Corporation) -- C:\windows\SysNative\msfeedssync.exe
[2013-03-20 20:31:11 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\windows\SysWow64\msfeedssync.exe
[2013-03-20 20:19:10 | 000,045,349 | ---- | M] () -- C:\Users\richardhod\Documents\liberty3.odt
[2013-03-19 11:31:41 | 000,002,483 | ---- | M] () -- C:\Users\Public\Desktop\Rise of Nations Thrones and Patriots Trial Version.lnk
[2013-03-11 13:30:25 | 000,070,012 | ---- | M] () -- C:\Users\richardhod\Documents\Zu Payment Receipt – PayPal.pdf
[2013-03-07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) -- C:\windows\SysNative\drivers\aswSnx.sys
[2013-03-07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) -- C:\windows\SysNative\drivers\aswSP.sys
[2013-03-07 00:33:21 | 000,178,624 | ---- | M] () -- C:\windows\SysNative\drivers\aswVmm.sys
[2013-03-07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) -- C:\windows\SysNative\drivers\aswRdr2.sys
[2013-03-07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) -- C:\windows\SysNative\drivers\aswTdi.sys
[2013-03-07 00:33:21 | 000,065,336 | ---- | M] () -- C:\windows\SysNative\drivers\aswRvrt.sys
[2013-03-07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) -- C:\windows\SysNative\drivers\aswMonFlt.sys
[2013-03-07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) -- C:\windows\SysNative\drivers\aswFsBlk.sys
[2013-03-07 00:32:51 | 000,041,664 | ---- | M] (AVAST Software) -- C:\windows\avastSS.scr
[2013-03-07 00:32:22 | 000,287,840 | ---- | M] (AVAST Software) -- C:\windows\SysNative\aswBoot.exe
[2013-03-05 19:38:53 | 000,002,515 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk

========== Files Created - No Company Name ==========

[2013-04-04 00:20:26 | 000,377,856 | ---- | C] () -- C:\Users\richardhod\Desktop\xxkkrovn.exe
[2013-04-04 00:16:13 | 000,000,207 | ---- | C] () -- C:\windows\tweaking.com-regbackup-HOD17ACER-Microsoft-Windows-7-Home-Premium-(64-bit).dat
[2013-04-04 00:14:25 | 000,002,239 | ---- | C] () -- C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
[2013-03-30 22:12:01 | 000,001,286 | ---- | C] () -- C:\Users\richardhod\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2013-03-30 22:12:01 | 000,001,262 | ---- | C] () -- C:\Users\richardhod\Desktop\Spybot - Search & Destroy.lnk
[2013-03-30 05:24:12 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013-03-27 20:01:17 | 000,003,229 | ---- | C] () -- C:\Users\richardhod\Desktop\Sophos Virus Removal Tool.lnk
[2013-03-21 00:21:23 | 000,178,624 | ---- | C] () -- C:\windows\SysNative\drivers\aswVmm.sys
[2013-03-21 00:21:22 | 000,065,336 | ---- | C] () -- C:\windows\SysNative\drivers\aswRvrt.sys
[2013-03-20 20:31:11 | 000,025,185 | ---- | C] () -- C:\windows\SysWow64\ieuinit.inf
[2013-03-20 20:31:11 | 000,025,185 | ---- | C] () -- C:\windows\SysNative\ieuinit.inf
[2013-03-20 20:19:06 | 000,045,349 | ---- | C] () -- C:\Users\richardhod\Documents\liberty3.odt
[2013-03-19 11:31:41 | 000,002,483 | ---- | C] () -- C:\Users\Public\Desktop\Rise of Nations Thrones and Patriots Trial Version.lnk
[2013-03-11 13:30:25 | 000,070,012 | ---- | C] () -- C:\Users\richardhod\Documents\Zu Payment Receipt – PayPal.pdf
[2012-12-24 21:50:43 | 000,000,021 | ---- | C] () -- C:\Users\richardhod\AppData\Roaming\ISOWorkshop.ini
[2012-06-26 16:02:40 | 000,030,568 | ---- | C] () -- C:\windows\MusiccityDownload.exe
[2012-06-26 16:02:38 | 000,974,848 | ---- | C] () -- C:\windows\SysWow64\cis-2.4.dll
[2012-06-26 16:02:38 | 000,081,920 | ---- | C] () -- C:\windows\SysWow64\issacapi_bs-2.3.dll
[2012-06-26 16:02:38 | 000,065,536 | ---- | C] () -- C:\windows\SysWow64\issacapi_pe-2.3.dll
[2012-06-26 16:02:38 | 000,057,344 | ---- | C] () -- C:\windows\SysWow64\issacapi_se-2.3.dll
[2011-12-03 19:47:30 | 000,007,605 | ---- | C] () -- C:\Users\richardhod\AppData\Local\resmon.resmoncfg
[2011-10-26 06:21:48 | 000,056,832 | ---- | C] () -- C:\windows\SysWow64\OpenVideo.dll
[2011-10-26 06:21:34 | 000,056,832 | ---- | C] () -- C:\windows\SysWow64\OVDecoder.dll
[2011-10-26 02:38:38 | 000,204,952 | ---- | C] () -- C:\windows\SysWow64\ativvsvl.dat
[2011-10-26 02:38:38 | 000,157,144 | ---- | C] () -- C:\windows\SysWow64\ativvsva.dat

========== ZeroAccess Check ==========

[2009-07-14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012-06-09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012-06-09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009-07-14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010-11-20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009-07-14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]


... End of Pt 1 of OTL.txt ctd in next post
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 3rd, 2013, 8:53 pm

OTL.txt ctd (second part)


========== LOP Check ==========

[2012-07-27 01:05:10 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\COW
[2013-03-30 19:34:05 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Dropbox
[2012-01-24 02:24:53 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\IrfanView
[2012-11-09 02:59:14 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Jane
[2011-12-31 04:10:49 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\OpenOffice.org
[2012-12-24 21:39:11 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Samsung
[2012-08-06 13:45:51 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Spotify
[2013-04-01 22:52:09 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\uTorrent

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2009-07-14 02:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009-07-27 21:40:53 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2013-03-30 19:31:16 | 1944,719,359 | -HS- | M] () -- C:\hiberfil.sys
[2013-03-30 19:31:19 | 4024,614,911 | -HS- | M] () -- C:\pagefile.sys
[2010-04-22 02:01:01 | 000,002,219 | RHS- | M] () -- C:\Patch.rev
[2010-08-10 18:01:20 | 000,000,196 | RHS- | M] () -- C:\Preload.rev
[2010-08-10 17:24:09 | 000,002,142 | ---- | M] () -- C:\RHDSetup.log
[2013-03-27 19:09:00 | 000,133,408 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_27.03.2013_18.07.30_log.txt

< MD5 for: AGP440.SYS >
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\windows\SysNative\drivers\AGP440.sys
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\windows\SysNative\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\AGP440.sys
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_1838f2aad55063bb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\windows\SysNative\drivers\atapi.sys
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009-07-14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009-07-14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009-07-14 02:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\windows\SysNative\cngaudit.dll
[2009-07-14 02:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2010-11-20 14:33:38 | 000,410,496 | ---- | M] (Intel Corporation) MD5=3DF4395A7CF8B7A72A5F4606366B8C2D -- C:\windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\iaStorV.sys
[2010-11-20 14:33:38 | 000,410,496 | ---- | M] (Intel Corporation) MD5=3DF4395A7CF8B7A72A5F4606366B8C2D -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_0d3757e79e6784d0\iaStorV.sys
[2011-03-11 07:19:16 | 000,410,496 | ---- | M] (Intel Corporation) MD5=5B3DE7208E5000D5B451B9D290D2579C -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.21680_none_0d714416b7c182d5\iaStorV.sys
[2011-03-11 07:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\windows\SysNative\drivers\iaStorV.sys
[2011-03-11 07:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_0bcee2057afcc090\iaStorV.sys
[2011-03-11 07:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17577_none_0cf9793d9e95787b\iaStorV.sys
[2011-03-11 07:23:00 | 000,410,496 | ---- | M] (Intel Corporation) MD5=B75E45C564E944A2657167D197AB29DA -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16778_none_0b141c81a16e25e6\iaStorV.sys
[2011-03-11 07:25:49 | 000,410,496 | ---- | M] (Intel Corporation) MD5=BFDC9D75698800CFE4D1698BF2750EA2 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.20921_none_0bccc8c8ba6985c1\iaStorV.sys
[2009-07-14 02:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009-07-14 02:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2010-11-20 14:27:22 | 000,695,808 | ---- | M] (Microsoft Corporation) MD5=AA339DD8BB128EF66660DFBBB59043D3 -- C:\windows\SysNative\netlogon.dll
[2010-11-20 14:27:22 | 000,695,808 | ---- | M] (Microsoft Corporation) MD5=AA339DD8BB128EF66660DFBBB59043D3 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_5bddbcb24e997298\netlogon.dll
[2010-11-20 13:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\SysWOW64\netlogon.dll
[2010-11-20 13:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_6632670482fa3493\netlogon.dll
[2009-07-14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVRAID.SYS >
[2011-03-11 07:41:34 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=0A92CB65770442ED0DC44834632F66AD -- C:\windows\SysNative\drivers\nvraid.sys
[2011-03-11 07:41:34 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=0A92CB65770442ED0DC44834632F66AD -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_0276fc3b3ea60d41\nvraid.sys
[2011-03-11 07:41:34 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=0A92CB65770442ED0DC44834632F66AD -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_97c2e9ecd5cc2253\nvraid.sys
[2009-07-14 02:48:27 | 000,149,056 | ---- | M] (NVIDIA Corporation) MD5=3E38712941E9BB4DDBEE00AFFE3FED3D -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvraid.sys
[2010-11-20 14:33:48 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=5D9FD91F3D38DC9DA01E3CB5FA89CD48 -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\nvraid.sys
[2010-11-20 14:33:48 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=5D9FD91F3D38DC9DA01E3CB5FA89CD48 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_9800c896d59e2ea8\nvraid.sys
[2011-03-11 07:19:21 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=666CA16F17914C1CD3616CF16DE0A6EA -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_983ab4c5eef82cad\nvraid.sys
[2011-03-11 07:23:06 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=A4D9C9A608A97F59307C2F2600EDC6A4 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_95dd8d30d8a4cfbe\nvraid.sys
[2011-03-11 07:25:53 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=A5C82EB2F72AA004887F90B84A771F73 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_96963977f1a02f99\nvraid.sys

< MD5 for: NVSTOR.SYS >
[2009-07-14 02:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys
[2011-03-11 07:23:06 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=6C1D5F70E7A6A3FD1C90D840EDC048B9 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_95dd8d30d8a4cfbe\nvstor.sys
[2011-03-11 07:25:53 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=AE274836BA56518E279087363A781214 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_96963977f1a02f99\nvstor.sys
[2011-03-11 07:19:21 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=D23C7E8566DA2B8A7C0DBBB761D54888 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_983ab4c5eef82cad\nvstor.sys
[2011-03-11 07:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\windows\SysNative\drivers\nvstor.sys
[2011-03-11 07:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_0276fc3b3ea60d41\nvstor.sys
[2011-03-11 07:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_97c2e9ecd5cc2253\nvstor.sys
[2010-11-20 14:33:48 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=F7CD50FE7139F07E77DA8AC8033D1832 -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\nvstor.sys
[2010-11-20 14:33:48 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=F7CD50FE7139F07E77DA8AC8033D1832 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_9800c896d59e2ea8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009-07-14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009-07-14 02:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll
[2010-11-20 13:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\SysWOW64\scecli.dll
[2010-11-20 13:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e\scecli.dll
[2010-11-20 14:27:25 | 000,232,960 | ---- | M] (Microsoft Corporation) MD5=ED78427259134C63ED69804D2132B86C -- C:\windows\SysNative\scecli.dll
[2010-11-20 14:27:25 | 000,232,960 | ---- | M] (Microsoft Corporation) MD5=ED78427259134C63ED69804D2132B86C -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_9633e7caefbaf953\scecli.dll

< %windir%\system32\tasks\*.* >

< %windir%\system32\tasks\*.* /64 >
[2013-04-01 02:21:05 | 000,004,182 | ---- | M] () -- C:\windows\SysNative\tasks\avast! Emergency Update
[2013-02-20 09:21:32 | 000,003,642 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskMachineCore
[2013-02-20 09:21:33 | 000,003,894 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskMachineUA
[2013-02-06 06:04:19 | 000,003,512 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskUserS-1-5-21-2107948035-1365278439-778997172-1000Core
[2013-02-06 06:04:21 | 000,003,908 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskUserS-1-5-21-2107948035-1365278439-778997172-1000UA
[2012-01-05 02:44:09 | 000,003,292 | ---- | M] () -- C:\windows\SysNative\tasks\{7E5095F1-C390-4735-B5D6-DD1A64DFAD1D}

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >

< %PROGRAMFILES%\*. >
[2013-02-27 04:07:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\7-Zip
[2011-10-10 02:38:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Acer
[2010-04-13 10:37:55 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Acer Games
[2012-12-20 22:40:48 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Adobe
[2010-08-10 17:23:31 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AMD
[2011-11-19 10:35:12 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AMD APP
[2010-08-10 17:24:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AmIcoSingLun
[2011-11-19 10:35:07 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ATI Technologies
[2012-06-02 00:33:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Catan GmbH
[2013-03-05 19:38:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Common Files
[2010-08-10 17:28:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\CyberLink
[2010-04-13 10:43:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec IPS
[2010-04-13 10:42:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec MyWinLocker
[2010-04-13 10:41:48 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec MyWinLockerSuite
[2010-04-13 10:43:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec Shredder
[2013-03-27 20:38:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ESET
[2010-04-13 09:54:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\eSobi
[2012-11-09 13:27:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Evernote
[2012-08-17 04:03:39 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Expat Shield
[2013-03-02 22:27:34 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Google
[2012-01-24 02:41:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\HyperCam 2
[2012-07-22 16:34:57 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\InstallShield Installation Information
[2013-03-21 00:13:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Internet Explorer
[2012-01-24 02:24:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\IrfanView
[2012-12-24 20:09:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ISO Workshop
[2012-11-09 02:59:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Janetter2
[2012-11-02 00:05:49 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Java
[2010-08-10 17:24:42 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Launch Manager
[2013-03-30 05:24:13 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012-07-22 16:35:02 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MarkAny
[2011-12-22 04:15:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\McAfee
[2010-08-10 17:32:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft
[2013-03-19 11:30:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Games
[2010-04-13 10:01:14 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Office
[2010-04-13 10:27:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Office Suite Activation Assistant
[2013-03-20 20:26:00 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Silverlight
[2010-08-10 17:33:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2012-11-01 18:47:42 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Works
[2010-04-13 10:01:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft.NET
[2013-04-03 03:15:21 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox
[2013-03-04 01:07:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2013-03-02 16:44:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Thunderbird
[2009-07-14 06:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSBuild
[2011-12-03 21:05:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSI Afterburner
[2013-03-05 07:26:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSXML 4.0
[2012-11-02 08:04:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MyFree Codec
[2010-04-13 10:32:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\NewTech Infosystems
[2011-11-19 10:03:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\OEM
[2011-12-03 01:18:58 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\OpenOffice.org 3
[2012-06-18 01:05:58 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Oracle
[2012-01-24 02:08:21 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\PANDORA.TV
[2013-02-27 04:34:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Portal
[2010-08-10 17:23:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Realtek
[2009-07-14 06:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Reference Assemblies
[2012-07-22 16:36:24 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Samsung
[2012-11-21 17:23:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Scrivener
[2013-03-05 19:38:53 | 000,000,000 | R--D | M] -- C:\Program Files (x86)\Skype
[2013-03-27 20:01:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Sophos
[2013-03-30 22:12:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010-04-13 10:41:14 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Symantec
[2010-08-10 17:24:09 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Temp
[2012-01-24 02:12:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\The KMPlayer
[2013-04-01 23:40:36 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Trend Micro
[2013-04-04 00:14:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Tweaking.com
[2012-11-09 02:58:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Twitter
[2009-07-14 05:57:06 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Uninstall Information
[2013-04-01 22:52:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\uTorrent
[2011-12-16 05:56:43 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\VideoLAN
[2010-04-13 12:07:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Defender
[2010-08-10 17:34:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Live
[2010-08-10 17:32:09 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Live SkyDrive
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Mail
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Media Player
[2009-07-14 06:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows NT
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Photo Viewer
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Portable Devices
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Sidebar

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents >

< End of report >
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 3rd, 2013, 8:53 pm

Extras.txt from OTL


========== LOP Check ==========

[2012-07-27 01:05:10 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\COW
[2013-03-30 19:34:05 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Dropbox
[2012-01-24 02:24:53 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\IrfanView
[2012-11-09 02:59:14 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Jane
[2011-12-31 04:10:49 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\OpenOffice.org
[2012-12-24 21:39:11 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Samsung
[2012-08-06 13:45:51 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\Spotify
[2013-04-01 22:52:09 | 000,000,000 | ---D | M] -- C:\Users\richardhod\AppData\Roaming\uTorrent

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2009-07-14 02:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2009-07-27 21:40:53 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2013-03-30 19:31:16 | 1944,719,359 | -HS- | M] () -- C:\hiberfil.sys
[2013-03-30 19:31:19 | 4024,614,911 | -HS- | M] () -- C:\pagefile.sys
[2010-04-22 02:01:01 | 000,002,219 | RHS- | M] () -- C:\Patch.rev
[2010-08-10 18:01:20 | 000,000,196 | RHS- | M] () -- C:\Preload.rev
[2010-08-10 17:24:09 | 000,002,142 | ---- | M] () -- C:\RHDSetup.log
[2013-03-27 19:09:00 | 000,133,408 | ---- | M] () -- C:\TDSSKiller.2.8.16.0_27.03.2013_18.07.30_log.txt

< MD5 for: AGP440.SYS >
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\windows\SysNative\drivers\AGP440.sys
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\windows\SysNative\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\AGP440.sys
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys
[2009-07-14 02:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_1838f2aad55063bb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\windows\SysNative\drivers\atapi.sys
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
[2009-07-14 02:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009-07-14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009-07-14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009-07-14 02:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\windows\SysNative\cngaudit.dll
[2009-07-14 02:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2010-11-20 14:33:38 | 000,410,496 | ---- | M] (Intel Corporation) MD5=3DF4395A7CF8B7A72A5F4606366B8C2D -- C:\windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\iaStorV.sys
[2010-11-20 14:33:38 | 000,410,496 | ---- | M] (Intel Corporation) MD5=3DF4395A7CF8B7A72A5F4606366B8C2D -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_0d3757e79e6784d0\iaStorV.sys
[2011-03-11 07:19:16 | 000,410,496 | ---- | M] (Intel Corporation) MD5=5B3DE7208E5000D5B451B9D290D2579C -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.21680_none_0d714416b7c182d5\iaStorV.sys
[2011-03-11 07:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\windows\SysNative\drivers\iaStorV.sys
[2011-03-11 07:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_0bcee2057afcc090\iaStorV.sys
[2011-03-11 07:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17577_none_0cf9793d9e95787b\iaStorV.sys
[2011-03-11 07:23:00 | 000,410,496 | ---- | M] (Intel Corporation) MD5=B75E45C564E944A2657167D197AB29DA -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16778_none_0b141c81a16e25e6\iaStorV.sys
[2011-03-11 07:25:49 | 000,410,496 | ---- | M] (Intel Corporation) MD5=BFDC9D75698800CFE4D1698BF2750EA2 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.20921_none_0bccc8c8ba6985c1\iaStorV.sys
[2009-07-14 02:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009-07-14 02:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2010-11-20 14:27:22 | 000,695,808 | ---- | M] (Microsoft Corporation) MD5=AA339DD8BB128EF66660DFBBB59043D3 -- C:\windows\SysNative\netlogon.dll
[2010-11-20 14:27:22 | 000,695,808 | ---- | M] (Microsoft Corporation) MD5=AA339DD8BB128EF66660DFBBB59043D3 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_5bddbcb24e997298\netlogon.dll
[2010-11-20 13:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\SysWOW64\netlogon.dll
[2010-11-20 13:20:28 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_6632670482fa3493\netlogon.dll
[2009-07-14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVRAID.SYS >
[2011-03-11 07:41:34 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=0A92CB65770442ED0DC44834632F66AD -- C:\windows\SysNative\drivers\nvraid.sys
[2011-03-11 07:41:34 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=0A92CB65770442ED0DC44834632F66AD -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_0276fc3b3ea60d41\nvraid.sys
[2011-03-11 07:41:34 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=0A92CB65770442ED0DC44834632F66AD -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_97c2e9ecd5cc2253\nvraid.sys
[2009-07-14 02:48:27 | 000,149,056 | ---- | M] (NVIDIA Corporation) MD5=3E38712941E9BB4DDBEE00AFFE3FED3D -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvraid.sys
[2010-11-20 14:33:48 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=5D9FD91F3D38DC9DA01E3CB5FA89CD48 -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\nvraid.sys
[2010-11-20 14:33:48 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=5D9FD91F3D38DC9DA01E3CB5FA89CD48 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_9800c896d59e2ea8\nvraid.sys
[2011-03-11 07:19:21 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=666CA16F17914C1CD3616CF16DE0A6EA -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_983ab4c5eef82cad\nvraid.sys
[2011-03-11 07:23:06 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=A4D9C9A608A97F59307C2F2600EDC6A4 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_95dd8d30d8a4cfbe\nvraid.sys
[2011-03-11 07:25:53 | 000,148,352 | ---- | M] (NVIDIA Corporation) MD5=A5C82EB2F72AA004887F90B84A771F73 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_96963977f1a02f99\nvraid.sys

< MD5 for: NVSTOR.SYS >
[2009-07-14 02:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys
[2011-03-11 07:23:06 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=6C1D5F70E7A6A3FD1C90D840EDC048B9 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16778_none_95dd8d30d8a4cfbe\nvstor.sys
[2011-03-11 07:25:53 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=AE274836BA56518E279087363A781214 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.20921_none_96963977f1a02f99\nvstor.sys
[2011-03-11 07:19:21 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=D23C7E8566DA2B8A7C0DBBB761D54888 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_983ab4c5eef82cad\nvstor.sys
[2011-03-11 07:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\windows\SysNative\drivers\nvstor.sys
[2011-03-11 07:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_0276fc3b3ea60d41\nvstor.sys
[2011-03-11 07:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_97c2e9ecd5cc2253\nvstor.sys
[2010-11-20 14:33:48 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=F7CD50FE7139F07E77DA8AC8033D1832 -- C:\windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\nvstor.sys
[2010-11-20 14:33:48 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=F7CD50FE7139F07E77DA8AC8033D1832 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_9800c896d59e2ea8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009-07-14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009-07-14 02:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll
[2010-11-20 13:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\SysWOW64\scecli.dll
[2010-11-20 13:21:04 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e\scecli.dll
[2010-11-20 14:27:25 | 000,232,960 | ---- | M] (Microsoft Corporation) MD5=ED78427259134C63ED69804D2132B86C -- C:\windows\SysNative\scecli.dll
[2010-11-20 14:27:25 | 000,232,960 | ---- | M] (Microsoft Corporation) MD5=ED78427259134C63ED69804D2132B86C -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_9633e7caefbaf953\scecli.dll

< %windir%\system32\tasks\*.* >

< %windir%\system32\tasks\*.* /64 >
[2013-04-01 02:21:05 | 000,004,182 | ---- | M] () -- C:\windows\SysNative\tasks\avast! Emergency Update
[2013-02-20 09:21:32 | 000,003,642 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskMachineCore
[2013-02-20 09:21:33 | 000,003,894 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskMachineUA
[2013-02-06 06:04:19 | 000,003,512 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskUserS-1-5-21-2107948035-1365278439-778997172-1000Core
[2013-02-06 06:04:21 | 000,003,908 | ---- | M] () -- C:\windows\SysNative\tasks\GoogleUpdateTaskUserS-1-5-21-2107948035-1365278439-778997172-1000UA
[2012-01-05 02:44:09 | 000,003,292 | ---- | M] () -- C:\windows\SysNative\tasks\{7E5095F1-C390-4735-B5D6-DD1A64DFAD1D}

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >

< %PROGRAMFILES%\*. >
[2013-02-27 04:07:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\7-Zip
[2011-10-10 02:38:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Acer
[2010-04-13 10:37:55 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Acer Games
[2012-12-20 22:40:48 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Adobe
[2010-08-10 17:23:31 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AMD
[2011-11-19 10:35:12 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AMD APP
[2010-08-10 17:24:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AmIcoSingLun
[2011-11-19 10:35:07 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ATI Technologies
[2012-06-02 00:33:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Catan GmbH
[2013-03-05 19:38:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Common Files
[2010-08-10 17:28:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\CyberLink
[2010-04-13 10:43:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec IPS
[2010-04-13 10:42:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec MyWinLocker
[2010-04-13 10:41:48 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec MyWinLockerSuite
[2010-04-13 10:43:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\EgisTec Shredder
[2013-03-27 20:38:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ESET
[2010-04-13 09:54:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\eSobi
[2012-11-09 13:27:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Evernote
[2012-08-17 04:03:39 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Expat Shield
[2013-03-02 22:27:34 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Google
[2012-01-24 02:41:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\HyperCam 2
[2012-07-22 16:34:57 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\InstallShield Installation Information
[2013-03-21 00:13:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Internet Explorer
[2012-01-24 02:24:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\IrfanView
[2012-12-24 20:09:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ISO Workshop
[2012-11-09 02:59:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Janetter2
[2012-11-02 00:05:49 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Java
[2010-08-10 17:24:42 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Launch Manager
[2013-03-30 05:24:13 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012-07-22 16:35:02 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MarkAny
[2011-12-22 04:15:18 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\McAfee
[2010-08-10 17:32:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft
[2013-03-19 11:30:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Games
[2010-04-13 10:01:14 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Office
[2010-04-13 10:27:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Office Suite Activation Assistant
[2013-03-20 20:26:00 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Silverlight
[2010-08-10 17:33:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
[2012-11-01 18:47:42 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Works
[2010-04-13 10:01:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft.NET
[2013-04-03 03:15:21 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox
[2013-03-04 01:07:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2013-03-02 16:44:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Thunderbird
[2009-07-14 06:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSBuild
[2011-12-03 21:05:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSI Afterburner
[2013-03-05 07:26:27 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSXML 4.0
[2012-11-02 08:04:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MyFree Codec
[2010-04-13 10:32:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\NewTech Infosystems
[2011-11-19 10:03:35 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\OEM
[2011-12-03 01:18:58 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\OpenOffice.org 3
[2012-06-18 01:05:58 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Oracle
[2012-01-24 02:08:21 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\PANDORA.TV
[2013-02-27 04:34:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Portal
[2010-08-10 17:23:44 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Realtek
[2009-07-14 06:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Reference Assemblies
[2012-07-22 16:36:24 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Samsung
[2012-11-21 17:23:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Scrivener
[2013-03-05 19:38:53 | 000,000,000 | R--D | M] -- C:\Program Files (x86)\Skype
[2013-03-27 20:01:03 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Sophos
[2013-03-30 22:12:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010-04-13 10:41:14 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Symantec
[2010-08-10 17:24:09 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Temp
[2012-01-24 02:12:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\The KMPlayer
[2013-04-01 23:40:36 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Trend Micro
[2013-04-04 00:14:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Tweaking.com
[2012-11-09 02:58:08 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Twitter
[2009-07-14 05:57:06 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Uninstall Information
[2013-04-01 22:52:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\uTorrent
[2011-12-16 05:56:43 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\VideoLAN
[2010-04-13 12:07:11 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Defender
[2010-08-10 17:34:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Live
[2010-08-10 17:32:09 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Live SkyDrive
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Mail
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Media Player
[2009-07-14 06:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows NT
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Photo Viewer
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Portable Devices
[2011-11-28 18:56:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Sidebar

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents >

< End of report >
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 3rd, 2013, 9:00 pm

Hi Gary again and thank you for this. One clarification question: (while I'm doing the GMER and MBRScan): do you want the MBRScan log attached as you asked in your post, or posted as the forum rules state?

EDIT: ok I went with the renamed txt attachment (see below)
Last edited by triplesec on April 4th, 2013, 10:21 am, edited 1 time in total.
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 4th, 2013, 9:56 am

GMER part 1

GMER 2.1.19155 - http://www.gmer.net
3rd party scan 2013-04-04 05:01:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEVT-22A0RT0 rev.01.01A01 465.76GB
Running: xxkkrovn.exe; Driver: C:\Users\RICHAR~1\AppData\Local\Temp\fwlyrpog.sys


---- User code sections - GMER 2.1 ----

.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000100120470
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000100120460
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000100120370
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000100120480
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 00000001001203e0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000100120320
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 00000001001203b0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000100120390
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 00000001001202e0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000100120440
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 00000001001202d0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000100120310
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 00000001001203c0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 00000001001203f0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000100120230
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0xffffffff887fe890}
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000100120490
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 00000001001203a0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 00000001001202f0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000100120350
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000100120290
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 00000001001202b0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 00000001001203d0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000100120330
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0xffffffff887fe590}
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000100120410
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000100120240
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 00000001001201e0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000100120250
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0xffffffff887fe090}
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 00000001001204a0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 00000001001204b0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000100120300
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000100120360
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 00000001001202a0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 00000001001202c0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000100120380
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000100120340
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000100120450
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000100120260
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000100120270
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000100120400
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 00000001001201f0
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000100120210
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000100120200
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000100120420
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000100120430
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000100120220
.text C:\windows\system32\csrss.exe[440] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000100120280
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 000000014a340470
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 000000014a340460
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 000000014a340370
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 000000014a340480
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 000000014a3403e0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 000000014a340320
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 000000014a3403b0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 000000014a340390
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 000000014a3402e0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 000000014a340440
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 000000014a3402d0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 000000014a340310
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 000000014a3403c0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 000000014a3403f0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 000000014a340230
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0xffffffffd2a1e890}
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 000000014a340490
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 000000014a3403a0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 000000014a3402f0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 000000014a340350
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 000000014a340290
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 000000014a3402b0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 000000014a3403d0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 000000014a340330
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0xffffffffd2a1e590}
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 000000014a340410
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 000000014a340240
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 000000014a3401e0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 000000014a340250
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0xffffffffd2a1e090}
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 000000014a3404a0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 000000014a3404b0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 000000014a340300
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 000000014a340360
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 000000014a3402a0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 000000014a3402c0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 000000014a340380
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 000000014a340340
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 000000014a340450
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 000000014a340260
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 000000014a340270
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 000000014a340400
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 000000014a3401f0
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 000000014a340210
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 000000014a340200
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 000000014a340420
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 000000014a340430
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 000000014a340220
.text C:\windows\system32\csrss.exe[540] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 000000014a340280
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\services.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\services.exe[580] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\lsass.exe[588] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000100070470
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000100070460
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000100070370
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000100070480
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 00000001000703e0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000100070320
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 00000001000703b0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000100070390
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 00000001000702e0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000100070440
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 00000001000702d0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000100070310
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 00000001000703c0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 00000001000703f0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000100070230
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0xffffffff8874e890}
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000100070490
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 00000001000703a0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 00000001000702f0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000100070350
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000100070290
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 00000001000702b0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 00000001000703d0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000100070330
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0xffffffff8874e590}
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000100070410
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000100070240
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 00000001000701e0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000100070250
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0xffffffff8874e090}
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 00000001000704a0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 00000001000704b0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000100070300
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000100070360
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 00000001000702a0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 00000001000702c0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000100070380
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000100070340
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000100070450
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000100070260
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000100070270
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000100070400
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 00000001000701f0
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000100070210
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000100070200
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000100070420
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000100070430
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000100070220
.text C:\windows\system32\svchost.exe[740] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000100070280
.text C:\windows\system32\svchost.exe[740] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000100070470
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000100070460
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000100070370
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000100070480
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 00000001000703e0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000100070320
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 00000001000703b0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000100070390
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 00000001000702e0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000100070440
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 00000001000702d0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000100070310
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 00000001000703c0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 00000001000703f0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000100070230
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0xffffffff8874e890}
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000100070490
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 00000001000703a0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 00000001000702f0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000100070350
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000100070290
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 00000001000702b0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 00000001000703d0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000100070330
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0xffffffff8874e590}
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000100070410
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000100070240
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 00000001000701e0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000100070250
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0xffffffff8874e090}
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 00000001000704a0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 00000001000704b0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000100070300
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000100070360
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 00000001000702a0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 00000001000702c0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000100070380
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000100070340
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000100070450
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000100070260
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000100070270
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000100070400
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 00000001000701f0
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000100070210
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000100070200
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000100070420
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000100070430
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000100070220
.text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000100070280
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\System32\svchost.exe[976] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\System32\svchost.exe[976] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000100070470
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000100070460
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000100070370
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000100070480
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 00000001000703e0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000100070320
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 00000001000703b0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000100070390
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 00000001000702e0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000100070440
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 00000001000702d0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000100070310
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 00000001000703c0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 00000001000703f0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000100070230
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0xffffffff8874e890}
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000100070490
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 00000001000703a0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 00000001000702f0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000100070350
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000100070290
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 00000001000702b0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 00000001000703d0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000100070330
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0xffffffff8874e590}
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000100070410
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000100070240
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 00000001000701e0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000100070250
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0xffffffff8874e090}
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 00000001000704a0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 00000001000704b0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000100070300
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000100070360
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 00000001000702a0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 00000001000702c0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000100070380
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000100070340
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000100070450
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000100070260
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000100070270
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000100070400
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 00000001000701f0
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000100070210
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000100070200
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000100070420
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000100070430
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000100070220
.text C:\windows\System32\svchost.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000100070280
.text C:\windows\System32\svchost.exe[1012] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\svchost.exe[124] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0

End of GMER Part 1
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 4th, 2013, 9:59 am

GMER Part 2

.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\svchost.exe[328] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\svchost.exe[328] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\svchost.exe[1140] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\svchost.exe[1140] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\atieclxx.exe[1288] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\System32\spoolsv.exe[1660] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 0000000077a803e0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 0000000077a80400
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\svchost.exe[1696] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\svchost.exe[1696] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffb16e00 5 bytes JMP 000007ff7fb31dac
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffb16f2c 5 bytes JMP 000007ff7fb30ecc
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffb17220 5 bytes JMP 000007ff7fb31284
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffb1739c 5 bytes JMP 000007ff7fb3163c
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffb17538 5 bytes JMP 000007ff7fb319f4
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb175e8 5 bytes JMP 000007ff7fb303a4
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb1790c 5 bytes JMP 000007ff7fb3075c
.text C:\windows\system32\svchost.exe[1960] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feffb17ab4 5 bytes JMP 000007ff7fb30b14
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077acfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077acfb38 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077acfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0018 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ad1900 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aec45a 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077af1217 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1996] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000771da30a 1 byte [62]
.text C:\windows\system32\svchost.exe[1464] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 5 bytes JMP 00000001002a075c
.text C:\windows\system32\svchost.exe[1464] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 00000001002a03a4
.text C:\windows\system32\svchost.exe[1464] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 00000001002a0b14
.text C:\windows\system32\svchost.exe[1464] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 00000001002a0ecc
.text C:\windows\system32\svchost.exe[1464] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 00000001002a163c
.text C:\windows\system32\svchost.exe[1464] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 00000001002a1284
.text C:\windows\system32\svchost.exe[1464] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 00000001002a19f4
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077acfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077acfb38 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077acfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0018 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ad1900 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aec45a 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077af1217 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Acer\Registration\GREGsvc.exe[2052] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000771da30a 1 byte [62]
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 5 bytes JMP 000000010015075c
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 00000001001503a4
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 0000000100150b14
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 0000000100150ecc
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 000000010015163c
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 0000000100151284
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 00000001001519f4
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\svchost.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2336] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077acfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2336] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077acfb38 5 bytes JMP 0000000100030804
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2336] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077acfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2336] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0018 5 bytes JMP 0000000100030a08
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2336] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ad1900 5 bytes JMP 0000000100030e10
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2336] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aec45a 5 bytes JMP 00000001000301f8
.text C:\Program Files\Acer\Acer Updater\UpdaterService.exe[2336] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077af1217 5 bytes JMP 00000001000303fc
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 4 bytes JMP 000000007fff075c
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 000000007fff03a4
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 000000007fff0b14
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 000000007fff0ecc
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 000000007fff163c
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 000000007fff1284
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 000000007fff19f4
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\Dwm.exe[2840] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 5 bytes JMP 00000001001f075c
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 00000001001f03a4
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 00000001001f0b14
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 00000001001f0ecc
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 00000001001f163c
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 00000001001f1284
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330

End of GMER Part 2
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 4th, 2013, 10:00 am

GMER Part 3

.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 00000001001f19f4
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\taskhost.exe[2868] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\taskhost.exe[2868] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 5 bytes JMP 000000010049075c
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 00000001004903a4
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000100070470
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000100070460
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 0000000100490b14
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 0000000100490ecc
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000100070370
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000100070480
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 000000010049163c
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000100070320
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 00000001000703b0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000100070390
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 00000001000702e0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000100070440
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 00000001000702d0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000100070310
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 00000001000703c0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 0000000100491284
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 00000001000703f0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000100070230
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0xffffffff8874e890}
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000100070490
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 00000001000703a0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 00000001000702f0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000100070350
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000100070290
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 00000001000702b0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 00000001000703d0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000100070330
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0xffffffff8874e590}
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000100070410
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000100070240
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 00000001000701e0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000100070250
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0xffffffff8874e090}
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 00000001000704a0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 00000001000704b0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000100070300
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000100070360
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 00000001000702a0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 00000001000702c0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000100070380
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000100070340
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000100070450
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000100070260
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000100070270
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 00000001004919f4
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 00000001000701f0
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000100070210
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000100070200
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000100070420
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000100070430
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000100070220
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000100070280
.text C:\windows\Explorer.EXE[2672] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffb16e00 5 bytes JMP 000007ff7fb31dac
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffb16f2c 5 bytes JMP 000007ff7fb30ecc
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffb17220 5 bytes JMP 000007ff7fb31284
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffb1739c 5 bytes JMP 000007ff7fb3163c
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffb17538 5 bytes JMP 000007ff7fb319f4
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb175e8 5 bytes JMP 000007ff7fb303a4
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb1790c 5 bytes JMP 000007ff7fb3075c
.text C:\windows\Explorer.EXE[2672] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feffb17ab4 5 bytes JMP 000007ff7fb30b14
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 5 bytes JMP 000000010026075c
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 00000001002603a4
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 0000000100260b14
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 0000000100260ecc
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 000000010026163c
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 0000000100261284
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 00000001002619f4
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe[3256] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3320] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 5 bytes JMP 00000001001a075c
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 00000001001a03a4
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 00000001001a0b14
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 00000001001a0ecc
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 00000001001a163c
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 00000001001a1284
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 00000001001a19f4
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007780eecd 1 byte [62]
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffb16e00 5 bytes JMP 000007ff7fb31dac
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffb16f2c 5 bytes JMP 000007ff7fb30ecc
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffb17220 5 bytes JMP 000007ff7fb31284
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffb1739c 5 bytes JMP 000007ff7fb3163c
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffb17538 5 bytes JMP 000007ff7fb319f4
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffb175e8 5 bytes JMP 000007ff7fb303a4
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffb1790c 5 bytes JMP 000007ff7fb3075c
.text C:\windows\system32\SearchIndexer.exe[3832] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007feffb17ab4 5 bytes JMP 000007ff7fb30b14
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077acfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077acfb38 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077acfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0018 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ad1900 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aec45a 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077af1217 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Samsung\Kies\Kies.exe[208] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000771da30a 1 byte [62]
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077acfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077acfb38 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077acfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0018 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ad1900 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aec45a 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077af1217 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000771da30a 1 byte [62]
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 00000001000b1014
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 00000001000b0804
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 00000001000b0a08
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 00000001000b0c0c
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 bytes JMP 00000001000b0e10
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000769c567c 5 bytes JMP 00000001000b01f8
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001000b03fc
.text C:\Program Files (x86)\Launch Manager\LManager.exe[3872] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 00000001000b0600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3416] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000771da30a 1 byte [62]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077acfaa0 5 bytes JMP 0000000100030600
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077acfb38 5 bytes JMP 0000000100030804
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077acfc90 5 bytes JMP 0000000100030c0c
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0018 5 bytes JMP 0000000100030a08
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ad1900 5 bytes JMP 0000000100030e10
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aec45a 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077af1217 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000771da30a 1 byte [62]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076feee09 5 bytes JMP 00000001002601f8
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076ff3982 5 bytes JMP 00000001002603fc
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ff7603 5 bytes JMP 0000000100260804
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ff835c 5 bytes JMP 0000000100260600
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3600] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007700f52b 5 bytes JMP 0000000100260a08
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778f3ae0 5 bytes JMP 000000010040075c
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778f7a90 5 bytes JMP 00000001004003a4
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779213c0 5 bytes JMP 0000000077a80470
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077921410 5 bytes JMP 0000000077a80460
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077921490 5 bytes JMP 0000000100400b14
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779214f0 5 bytes JMP 0000000100400ecc
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077921570 5 bytes JMP 0000000077a80370
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779215c0 5 bytes JMP 0000000077a80480
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779215d0 5 bytes JMP 000000010040163c
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077921680 5 bytes JMP 0000000077a80320
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779216b0 5 bytes JMP 0000000077a803b0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779216d0 5 bytes JMP 0000000077a80390
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077921710 5 bytes JMP 0000000077a802e0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077921760 5 bytes JMP 0000000077a80440
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077921790 5 bytes JMP 0000000077a802d0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779217b0 5 bytes JMP 0000000077a80310
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779217f0 5 bytes JMP 0000000077a803c0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077921810 5 bytes JMP 0000000100401284
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077921840 5 bytes JMP 0000000077a803f0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779219a0 1 byte JMP 0000000077a80230
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779219a2 3 bytes {JMP 0x15e890}
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077921b60 5 bytes JMP 0000000077a80490
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077921b90 5 bytes JMP 0000000077a803a0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077921c70 5 bytes JMP 0000000077a802f0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077921c80 5 bytes JMP 0000000077a80350
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077921ce0 5 bytes JMP 0000000077a80290
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077921d70 5 bytes JMP 0000000077a802b0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077921d90 5 bytes JMP 0000000077a803d0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077921da0 1 byte JMP 0000000077a80330
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077921da2 3 bytes {JMP 0x15e590}
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077921e10 5 bytes JMP 0000000077a80410
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077921e40 5 bytes JMP 0000000077a80240
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077922100 5 bytes JMP 0000000077a801e0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779221c0 1 byte JMP 0000000077a80250
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779221c2 3 bytes {JMP 0x15e090}
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779221f0 5 bytes JMP 0000000077a804a0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077922200 5 bytes JMP 0000000077a804b0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077922230 5 bytes JMP 0000000077a80300
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077922240 5 bytes JMP 0000000077a80360
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779222a0 5 bytes JMP 0000000077a802a0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779222f0 5 bytes JMP 0000000077a802c0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077922320 5 bytes JMP 0000000077a80380
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077922330 5 bytes JMP 0000000077a80340
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077922620 5 bytes JMP 0000000077a80450
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077922820 5 bytes JMP 0000000077a80260
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077922830 5 bytes JMP 0000000077a80270
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077922840 5 bytes JMP 00000001004019f4
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077922a00 5 bytes JMP 0000000077a801f0
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077922a10 5 bytes JMP 0000000077a80210
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077922a80 5 bytes JMP 0000000077a80200
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077922ae0 5 bytes JMP 0000000077a80420
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077922af0 5 bytes JMP 0000000077a80430
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077922b00 5 bytes JMP 0000000077a80220
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077922be0 5 bytes JMP 0000000077a80280
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077acfaa0 5 bytes JMP 0000000100030600
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077acfb38 5 bytes JMP 0000000100030804
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077acfc90 5 bytes JMP 0000000100030c0c
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ad0018 5 bytes JMP 0000000100030a08
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ad1900 5 bytes JMP 0000000100030e10
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077aec45a 5 bytes JMP 00000001000301f8
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077af1217 5 bytes JMP 00000001000303fc
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000771da30a 1 byte [62]
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 0000000100241014
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 0000000100240804
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 0000000100240a08
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 0000000100240c0c
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 bytes JMP 0000000100240e10
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000769c567c 5 bytes JMP 00000001002401f8
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001002403fc
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 0000000100240600
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\syswow64\USER32.dll!SetWinEventHook 0000000076feee09 5 bytes JMP 00000001002501f8
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076ff3982 5 bytes JMP 00000001002503fc
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076ff7603 5 bytes JMP 0000000100250804
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076ff835c 5 bytes JMP 0000000100250600
.text C:\Users\richardhod\Desktop\xxkkrovn.exe[6288] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007700f52b 5 bytes JMP 0000000100250a08

---- User IAT/EAT - GMER 2.1 ----

IAT C:\windows\Explorer.EXE[2672] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [10002350] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll
IAT C:\windows\Explorer.EXE[2672] @ C:\windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [10003450] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll
IAT C:\windows\Explorer.EXE[2672] @ C:\windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [100011e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll

End of GMER Part 3
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 4th, 2013, 10:01 am

GMER Part 4


---- Threads - GMER 2.1 ----

Thread C:\windows\system32\svchost.exe [116:1284] 000007fefb578274
Thread C:\windows\system32\svchost.exe [116:1576] 000007fefb578274
Thread C:\windows\System32\spoolsv.exe [1660:2760] 000007fef7fb10c8
Thread C:\windows\System32\spoolsv.exe [1660:2780] 000007fef7f76144
Thread C:\windows\System32\spoolsv.exe [1660:2788] 000007fef9865fd0
Thread C:\windows\System32\spoolsv.exe [1660:2792] 000007fef7f53438
Thread C:\windows\System32\spoolsv.exe [1660:2800] 000007fef98663ec
Thread C:\windows\System32\spoolsv.exe [1660:2808] 000007fef8035e5c
Thread C:\windows\System32\spoolsv.exe [1660:2812] 000007fef8065074
Thread C:\windows\system32\svchost.exe [1464:1432] 000007fef9865fd0
Thread C:\windows\system32\svchost.exe [1464:1916] 000007fef98663ec
Thread C:\windows\system32\svchost.exe [1464:2848] 000007fef8168470
Thread C:\windows\system32\svchost.exe [1464:2852] 000007fef8172418
Thread C:\windows\System32\snmp.exe [2180:2684] 000007fef84c248c
Thread C:\windows\system32\svchost.exe [2232:4004] 000007fef92a44e0
Thread C:\windows\System32\svchost.exe [4796:5004] 000007feeb359688
Thread C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2276:4868] 000007fef27ccc10
Thread C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2276:4512] 000007fef268b564
Thread C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2276:128] 000007fef268b564
Thread C:\windows\system32\taskhost.exe [5844:4388] 000007fef899ef24

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations C:\Program Files (x86)\uTorrent\uTorrent.exe.30739.tmp (µTorrent/BitTorrent, Inc. SIGNED)(2011-12-01 21:18:37)
Reg HKLM\SYSTEM\CurrentControlSet\services\AMD FUEL Service@ImagePath C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (AMD Fuel Service/Advanced Micro Devices, Inc.)(2011-10-26 05:14:28)
Reg HKLM\SYSTEM\CurrentControlSet\services\AODDriver4.01@ImagePath C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys (AMD OverDrive Service Driver/Advanced Micro Devices SIGNED)(2011-06-24 13:31:02)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath C:\windows\system32\drivers\aswMonFlt.sys (avast! File System Minifilter for Windows 2003/Vista/AVAST Software SIGNED)(2012-08-02 10:30:12)
Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath C:\windows\System32\Drivers\aswrdr2.sys (avast! WFP Redirect Driver/AVAST Software SIGNED)(2012-08-02 10:30:18)
Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath C:\Program Files\AVAST Software\Avast\AvastSvc.exe (avast! Service/AVAST Software SIGNED)(2013-03-20 23:21:18)
Reg HKLM\SYSTEM\CurrentControlSet\services\DsiWMIService@ImagePath C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Dritek WMI Service/Dritek System Inc. SIGNED)(2010-08-10 16:59:56)
Reg HKLM\SYSTEM\CurrentControlSet\services\ePowerSvc@ImagePath C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe (ePowerSvc/Acer Incorporated SIGNED)(2010-08-10 16:26:33)
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\ExpatSrv@EventMessageFile C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe (AnchorFree Inc. SIGNED)(2012-01-04 23:01:58)
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\ExpatWd@EventMessageFile C:\Program Files (x86)\Expat Shield\bin\hsswd.exe(2012-01-04 23:02:02)
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\SkypeUpdate@EventMessageFile C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Updater Service/Skype Technologies SIGNED)(2013-01-08 15:19:46)
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\System\Microsoft-Windows-Service Pack Installer@EventMessageFile C:\windows\system32\EventProviders\spcmsg.dll (SP Installer Msg Dll/Microsoft Corporation)(2011-11-27 12:42:57)
Reg HKLM\SYSTEM\CurrentControlSet\services\ExpatShieldService@ImagePath C:\Program Files (x86)\Expat Shield\bin\openvpnas.exe(2012-01-17 21:15:44)
Reg HKLM\SYSTEM\CurrentControlSet\services\ExpatSrv@ImagePath C:\Program Files (x86)\Expat Shield\HssWPR\hsssrv.exe (AnchorFree Inc. SIGNED)(2012-01-04 23:01:58)
Reg HKLM\SYSTEM\CurrentControlSet\services\ExpatTrayService@ImagePath C:\Program Files (x86)\Expat Shield\bin\ExpatTrayService.EXE(2012-01-17 21:22:02)
Reg HKLM\SYSTEM\CurrentControlSet\services\ExpatWd@ImagePath C:\Program Files (x86)\Expat Shield\bin\hsswd.exe(2012-01-04 23:02:02)
Reg HKLM\SYSTEM\CurrentControlSet\services\GameConsoleService@ImagePath C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe (GameConsoleService/WildTangent, Inc. SIGNED)(2009-10-10 02:59:08)
Reg HKLM\SYSTEM\CurrentControlSet\services\GREGService@ImagePath C:\Program Files (x86)\Acer\Registration\GREGsvc.exe (Global Registration Service/Acer Incorporated SIGNED)(2010-01-08 13:21:22)
Reg HKLM\SYSTEM\CurrentControlSet\services\gupdate@ImagePath C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc. SIGNED)(2011-11-19 09:23:48)
Reg HKLM\SYSTEM\CurrentControlSet\services\gusvc@ImagePath C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (gusvc/Google SIGNED)(2010-04-13 08:57:09)
Reg HKLM\SYSTEM\CurrentControlSet\services\HssDrv@ImagePath C:\windows\system32\DRIVERS\HssDrv.sys (Expat Shield Routing Driver/AnchorFree Inc. SIGNED)(2012-01-04 23:01:56)
Reg HKLM\SYSTEM\CurrentControlSet\services\MozillaMaintenance@ImagePath C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation SIGNED)(2013-01-05 14:39:08)
Reg HKLM\SYSTEM\CurrentControlSet\services\MWLService@ImagePath C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe (MyWinLocker Service/Egis Technology Inc. SIGNED)(2010-02-01 18:04:40)
Reg HKLM\SYSTEM\CurrentControlSet\services\NTI IScheduleSvc@ImagePath C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (Backup Manager Module/NewTech Infosystems, Inc.)(2010-03-08 23:58:24)
Reg HKLM\SYSTEM\CurrentControlSet\services\NTIBackupSvc@ImagePath C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe (NTI Backup Now 5 BackupSvc Application/NewTech InfoSystems, Inc. SIGNED)(2009-11-06 00:50:50)
Reg HKLM\SYSTEM\CurrentControlSet\services\NTIDrvr@ImagePath C:\Windows\system32\drivers\NTIDrvr.sys (NTI CD-ROM Filter Driver/NewTech Infosystems, Inc. SIGNED)(2010-04-13 09:30:06)
Reg HKLM\SYSTEM\CurrentControlSet\services\NTISchedulerSvc@ImagePath C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe (NTI Backup Now 5 SchedulerSvc NT Service/NewTech Infosystems, Inc. SIGNED)(2009-11-06 00:51:20)
Reg HKLM\SYSTEM\CurrentControlSet\services\PanService@ImagePath C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe (Pandora.TV service file/Pandora.TV SIGNED)(2012-01-24 01:08:21)
Reg HKLM\SYSTEM\CurrentControlSet\services\SBSDWSCService@ImagePath C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Spybot-S&D Security Center integration/Safer Networking Ltd. SIGNED)(2013-03-30 21:11:59)
Reg HKLM\SYSTEM\CurrentControlSet\services\SkypeUpdate@ImagePath C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Updater Service/Skype Technologies SIGNED)(2013-01-08 15:19:46)
Reg HKLM\SYSTEM\CurrentControlSet\services\taphss@ImagePath C:\windows\system32\DRIVERS\taphss.sys (TAP-Win32 Virtual Network Driver/AnchorFree Inc SIGNED)(2012-01-04 23:01:54)
Reg HKLM\SYSTEM\CurrentControlSet\services\UBHelper@ImagePath C:\Windows\system32\drivers\UBHelper.sys (NTI CDROM Filter Driver/NewTech Infosystems Corporation SIGNED)(2010-04-13 09:30:04)
Reg HKLM\SYSTEM\CurrentControlSet\services\Updater Service@ImagePath C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Updater Service/Acer Group SIGNED)(2010-04-13 08:57:24)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^richardhod^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk@command C:\Users\richardhod\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox/Dropbox, Inc. SIGNED)(2013-03-12 07:05:50)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg@command C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (KiesPDLR/Samsung SIGNED)(2012-07-16 12:24:06)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM@command C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Reader and Acrobat Manager/Adobe Systems Incorporated SIGNED)(2011-03-30 04:59:06)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Reader Speed Launcher@command C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Acrobat SpeedLauncher/Adobe Systems Incorporated SIGNED)(2012-03-27 12:41:07)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AmIcoSinglun64@command C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Single LUN Icon Utility for VID 058F PID 6366/Alcor Micro Corp.)(2009-09-22 23:34:08)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\chromium@command C:\Users\richardhod\AppData\Local\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2011-11-19 09:19:06)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EgisTecPMMUpdate@command C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe (PMM Update Application/Egis Technology Inc. SIGNED)(2009-12-25 01:45:16)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EgisUpdate@command C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe (EgisUpdate Release Application/Egis Technology Inc. SIGNED)(2009-12-25 01:44:48)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Update@command C:\Users\richardhod\AppData\Local\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc. SIGNED)(2011-11-19 09:18:23)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk@command C:\Users\richardhod\AppData\Roaming\Google\Google Talk\googletalk.exe (Google Talk/Google)(2007-01-01 21:22:02)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KiesAirMessage@command C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe (Samsung Electronics)(2012-11-02 05:31:26)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KiesPDLR@command C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (KiesPDLR/Samsung SIGNED)(2012-07-16 12:24:06)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KiesPreload@command C:\Program Files (x86)\Samsung\Kies\Kies.exe (Kies/Samsung SIGNED)(2012-07-16 12:23:56)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KiesTrayAgent@command C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe (Kies TrayAgent Application/Samsung Electronics Co., Ltd. SIGNED)(2012-07-16 12:23:56)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mwlDaemon@command C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe (MyWinLocker/Egis Technology Inc. SIGNED)(2010-02-01 18:05:02)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NortonOnlineBackupReminder@command C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe (Norton Online Backup Service/Symantec Corporation SIGNED)(2009-07-24 23:31:08)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype@command C:\Program Files (x86)\Skype\Phone\Skype.exe (Skype /Skype Technologies S.A. SIGNED)(2013-01-08 15:23:58)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Spotify Web Helper@command C:\Users\richardhod\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe(2012-05-24 21:54:50)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SuiteTray@command C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe (SuiteTray/Egis Technology Inc. SIGNED)(2010-02-01 19:08:34)
Reg HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\swg@command C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc. SIGNED)(2010-04-13 08:57:11)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\7zFM.exe@ C:\Program Files (x86)\7-Zip\7zFM.exe (7-Zip File Manager/Igor Pavlov)(2011-04-18 18:35:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AcroRd32.exe@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-27 12:40:49)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AudioEditor.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Audio Editor\AudioEditor.exe (NTI AudioEditor/NewTech Infosystems, Inc. SIGNED)(2009-10-26 16:44:02)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AvastUI.exe@ C:\Program Files\AVAST Software\Avast\AvastUI.exe (avast! Antivirus/AVAST Software SIGNED)(2013-03-20 23:21:18)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Bkupnow.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Bkupnow.exe (NTI Backup Now 5/NewTech InfoSystems, Inc. SIGNED)(2009-11-06 00:50:52)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Cdmkr32u.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Media Maker\Cdmkr32u.exe (NTI Media Maker/NewTech Infosystems, Inc. SIGNED)(2009-11-06 23:09:22)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe@ C:\Users\richardhod\AppData\Local\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2011-11-19 09:19:06)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\DigitalJack.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\NTI Ripper Suite\DigitalJack.exe (Play your audio files, enjoying music./NewTech Infosystems SIGNED)(2009-10-28 23:14:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\DiscLaunchPad.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\DiscLaunchPad.exe (NTI Media Maker 8/NewTech Infosystems, Inc. SIGNED)(2009-06-08 22:44:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ENScript.exe@ C:\Program Files (x86)\Evernote\Evernote\ENScript.exe (ENScript Application/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:43:04)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Evernote.exe@ C:\Program Files (x86)\Evernote\Evernote\Evernote.exe (Evernote/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:39:06)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\EvernoteClipper.exe@ C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Clipper/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:49:40)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe@ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation SIGNED)(2013-01-05 14:38:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HyCam2.exe@ C:\Program Files (x86)\HyperCam 2\HyCam2.exe (HyperCam/Hyperionics SIGNED)(2012-01-24 01:41:18)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\javaws.exe@ C:\Program Files (x86)\Java\jre7\bin\javaws.exe (Java(TM) Web Start Launcher/Oracle Corporation SIGNED)(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\JCMKR32.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\NTI JewelCase Maker\JCMKR32.exe (NTI JewelCase Maker/NewTech Infosystems, Inc. SIGNED)(2009-11-05 16:32:34)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\liveupdate.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\LiveUpdate\liveupdate.exe (Liveupdate/NewTech Infosystems, Inc. SIGNED)(2009-10-28 22:44:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\LManager.exe@ C:\Program Files (x86)\Launch Manager\LManager.exe (Launch Manager Keyboard Application/Dritek System Inc. SIGNED)(2010-08-10 16:59:56)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mbam.exe@ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Anti-Malware/Malwarebytes Corporation SIGNED)(2013-03-30 04:24:11)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\NDVD9To5.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Media Maker\NDVD9To5.exe(2009-10-28 21:20:26)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\None@ C:\Program Files (x86)\Acer\Acer Crystal Eye Webcam\webcam.exe (WebCam/CyberLink Corp. SIGNED)(2011-10-10 01:38:36)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PhotoMakerSkinU.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Photo Maker\PhotoMakerSkinU.exe (NTI PhotoMaker for Windows/NewTech Infosystems, Inc. SIGNED)(2009-10-28 23:13:18)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PowerDVD9@ c:\Program Files (x86)\CyberLink\PowerDVD9\PowerDVD9.exe (PowerDVD 9.0/CyberLink Corp. SIGNED)(2010-03-19 18:04:56)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ripper.exe@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\NTI Ripper Suite\Ripper.exe (Rip CD to Mp3, Wma, Ogg, Wav files or convert file among Mp3, Wma, Ogg, Wav file types/NTI SIGNED)(2009-11-06 01:42:54)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sbase.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\sbase.exe (OpenOffice.org Base/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\scalc.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\scalc.exe (OpenOffice.org Calc/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sdraw.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\sdraw.exe (OpenOffice.org Draw/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\simpress.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\simpress.exe (OpenOffice.org Impress/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\smath.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\smath.exe (OpenOffice.org Math/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\soffice.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\swriter.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\thunderbird.exe@ C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe (Thunderbird/Mozilla Corporation SIGNED)(2013-03-02 15:44:43)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\unopkg.exe@ C:\Program Files (x86)\OpenOffice.org 3\program\unopkg.exe(2010-12-13 14:23:20)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\YouCam@ C:\Program Files (x86)\Acer\Acer Crystal Eye Webcam\webcam.exe (WebCam/CyberLink Corp. SIGNED)(2011-10-10 01:38:36)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\NTIBurner@DefaultIcon C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\DiscLaunchPad.exe (NTI Media Maker 8/NewTech Infosystems, Inc. SIGNED)(2009-06-08 22:44:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlayCDAudioOnArrival@Action c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlayCDAudioOnArrival@DefaultIcon c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlayDVDMovieOnArrival@Action c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlayDVDMovieOnArrival@DefaultIcon c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlaySVCDOnArrival@Action c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlaySVCDOnArrival@DefaultIcon c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlayVCDMovieOnArrival@Action c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\PDVD9PlayVCDMovieOnArrival@DefaultIcon c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\VLCPlayCDAudioOnArrival@DefaultIcon C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (VLC media player 2.0.5/VideoLAN)(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0B0F49ED-14EE-4B18-BD20-79DA71943C57}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Faerie Solitaire\GDF.dll(2009-09-17 04:30:14)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{0C011E0B-9C00-44A1-9319-9EDB3FA00FBA}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Yahtzee\GDF.dll(2009-09-17 16:32:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{1E81EC69-920A-47E4-A325-EDDE29460BEC}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\The Price is Right\GDF.dll(2009-09-17 14:48:26)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{1ED9E8A3-3C9D-4A22-BFC4-EAE620AD8101}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Mystery P.I. - Lost in Los Angeles\GDF.dll(2009-09-17 11:57:06)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{238E9CFB-9E16-4491-9CEE-E38E739339A0}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Monopoly\GDF.dll(2009-09-17 11:45:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{403884E4-4654-4A4B-9EA8-2BCC8F991DAA}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Jewel Quest Solitaire 3\GDF.dll(2009-09-17 10:03:30)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{5AEE1A77-2284-4511-B1C5-5B490F00CEC0}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Build-a-lot 2\GDF.dll(2009-09-17 17:43:38)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{5FD90CFC-9F52-4E04-AFEF-5B1823F9D9FC}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Virtual Villagers - A New Home\GDF.dll(2009-09-17 16:19:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{6580B8A2-59D1-4534-B479-2A8BA4B8FC44}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Polar Bowler\GDF.dll(2009-09-17 12:43:20)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{660F1552-0E37-4AF5-AE29-1C414A171C65}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Web Link - Club Penguin\660f1552-0e37-4af5-ae29-1c414a171c65.dll(2009-10-12 16:39:16)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{8EAE758F-53B9-4235-A6E2-97C6E1AA6399}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Plants vs. Zombies\GDF.dll(2009-09-17 12:31:08)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{8FAE3E78-C48C-4CA7-AA22-B2F3474C0EAD}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Scrabble Plus\GDF.dll(2009-09-17 14:33:14)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{96B2EB2C-BDAB-441F-B99C-E26DB28DEB32}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Polar Golfer\GDF.dll(2009-09-17 12:57:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{977B5905-4D14-47F1-BBBF-7B92F596695D}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Game Explorer Categories - main\977b5905-4d14-47f1-bbbf-7b92f596695d.dll(2009-10-12 16:34:34)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{9F815556-39C5-40F4-B340-C928ED539982}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Virtual Families\GDF.dll(2009-09-19 02:50:46)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{A8CDFD54-74A5-47EC-AF28-29663228F7B3}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Penguins!\GDF.dll(2009-09-17 12:10:56)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{C25867B7-AA41-4FE8-AD6B-9AA64CF95473}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Blackhawk Striker 2\GDF.dll(2009-09-17 00:53:44)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{C81DA0B9-ABE6-4C6F-8CFF-9634BF3CEB24}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Bob the Builder Can-Do-Zoo\GDF.dll(2009-09-17 01:27:26)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{D144765A-14E7-4D2D-9A86-CC2494D23D5C}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\FATE - The Traitor Soul\GDF.dll(2009-09-17 05:16:10)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{DF38941C-4BE9-418F-A8B7-CA85AEC04BE1}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Escape Rosecliff Island\GDF.dll(2009-09-17 18:13:12)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{E9CB753F-8D7D-4016-AF71-3A9211E6A2AE}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Bejeweled 2 Deluxe\GDF.dll(2009-09-15 18:07:06)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games\{F97AD77B-BE78-4A94-A4FA-646F8895A750}@ConfigGDFBinaryPath C:\Program Files (x86)\Acer Games\Zuma Deluxe\GDF.dll(2009-09-15 20:30:50)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@Acer ePower Management C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (ePowerTray/Acer Incorporated SIGNED)(2010-08-10 16:26:33)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}@UninstallString C:\Program Files (x86)\Samsung\USB Drivers\Uninstall.exe (SAMSUNG USB Drivers for Mobile Phones(x64)/Devguru Co., Ltd SIGNED)(2012-07-22 15:38:12)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{62ef8b9f-ee45-4aba-a9b9-b70e878bf30a}@ResourceFileName C:\windows\system32\EventProviders\spcmsg.dll (SP Installer Msg Dll/Microsoft Corporation)(2011-11-27 12:42:57)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Oracle_JavaAccessBridge@StartExe C:\Program Files (x86)\Java\jre7\bin\jabswitch.exe (Oracle Corporation SIGNED)(2012-11-01 23:05:51)
Reg HKLM\SOFTWARE\Classes\acrobat\shell\open\command@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-27 12:40:49)
Reg HKLM\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\command@ c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (Adobe AIR Application Installer/Adobe Systems Inc. SIGNED)(2013-03-20 23:35:17)
Reg HKLM\SOFTWARE\Classes\Applications\AcroRD32.exe\shell\Read\command@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-27 12:40:49)
Reg HKLM\SOFTWARE\Classes\Applications\eSobi.exe\shell\open\command@ C:\Program Files (x86)\eSobi\eSobi2\eSobi.exe (eSobi (esobi_SAB020)/esobi Inc. SIGNED)(2009-07-08 16:37:30)
Reg HKLM\SOFTWARE\Classes\Applications\hl2.exe\shell\open\command@ c:\program files (x86)\portal\hl2.exe(2007-10-11 11:41:50)
Reg HKLM\SOFTWARE\Classes\Applications\i_view32.exe\shell\open\command@ C:\Program Files (x86)\IrfanView\i_view32.exe (IrfanView/Irfan Skiljan)(2012-01-24 01:24:52)
Reg HKLM\SOFTWARE\Classes\Applications\vlc.exe\shell\Open\command@ C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (VLC media player 2.0.5/VideoLAN)(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD9@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD9\Command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithVLC\command@ C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (VLC media player 2.0.5/VideoLAN)(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\avastconfigfile\shell\open\command@ C:\Program Files\AVAST Software\Avast\aswChLic.exe (aswChLic component/AVAST Software SIGNED)(2013-03-20 23:21:18)
Reg HKLM\SOFTWARE\Classes\bmpenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\cdmfile\shell\open\command@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Media Maker\Cdmkr32u.exe (NTI Media Maker/NewTech Infosystems, Inc. SIGNED)(2009-11-06 23:09:22)
Reg HKLM\SOFTWARE\Classes\ChromeHTML\shell\open\command@ C:\Users\richardhod\AppData\Local\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2011-11-19 09:19:06)
Reg HKLM\SOFTWARE\Classes\CLSID\{087B3AE3-E237-4467-B8DB-5A38AB959AC9}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll (OpenOffice.org)(2010-12-13 16:23:02)
Reg HKLM\SOFTWARE\Classes\CLSID\{092BA4B2-F98D-4DD7-A9CD-FA0BEFCE2339}\InprocServer32@ C:\Program Files\AVAST Software\Avast\asOutExt64.dll (AsOutExt Module/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\CLSID\{0E799A91-CDDC-471B-A803-2DB82FAFB726}\InprocServer32@ C:\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll(2011-10-26 05:08:02)
Reg HKLM\SOFTWARE\Classes\CLSID\{17796aeb-0f66-4663-b8fb-99cbee0224ce}\InProcServer32@ C:\Program Files\Common Files\ATI Technologies\Multimedia\AMDhwDecoder_64.dll (TODO: <File description>/Advanced Micro Devices)(2011-10-26 05:08:46)
Reg HKLM\SOFTWARE\Classes\CLSID\{1CAAC16B-7D8A-4360-8881-835F76A8F6C7}\InProcServer32@ C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc. SIGNED)(2010-02-01 18:06:06)
Reg HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32@ C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Toolbar/Google Inc. SIGNED)(2010-04-13 08:56:50)
Reg HKLM\SOFTWARE\Classes\CLSID\{29FF7AB0-BE34-4992-A30B-53A9D86EE239}\InprocServer32@ C:\Program Files (x86)\EgisTec MyWinLocker\x64\mwlshellext.dll (Shell Extention/Egis Technology Inc. SIGNED)(2010-02-01 18:06:00)
Reg HKLM\SOFTWARE\Classes\CLSID\{2C91CC7C-BF29-4987-9B66-567196489959}\InprocServer32@ c:\Program Files (x86)\Common Files\CyberLink\PowerDVD9\deskband64.dll (A DLL for deskband/CyberLink Corp. SIGNED)(2010-08-10 16:28:17)
Reg HKLM\SOFTWARE\Classes\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}\InprocServer32@ C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc. SIGNED)(2010-02-01 18:06:06)
Reg HKLM\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}\InprocServer32@ C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (avast! WebRep Plugin/AVAST Software SIGNED)(2013-03-20 23:21:20)
Reg HKLM\SOFTWARE\Classes\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}\InprocServer32@ C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll (AnchorFree Inc. SIGNED)(2012-08-17 03:02:23)
Reg HKLM\SOFTWARE\Classes\CLSID\{3B092F0C-7696-40E3-A80F-68D74DA84210}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll (OpenOffice.org)(2010-12-13 16:23:02)
Reg HKLM\SOFTWARE\Classes\CLSID\{429E8C83-CFF1-46CF-A211-446EF84559B7}\InprocServer32@ C:\Program Files\AVAST Software\Avast\AvastGUIProxy64.dll (avast! sidebar gadget ActiveX/AVAST Software SIGNED)(2012-08-02 10:29:48)
Reg HKLM\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32@ C:\Program Files\AVAST Software\Avast\ashShA64.dll (avast! Shell Extension/AVAST Software SIGNED)(2013-03-20 23:21:20)
Reg HKLM\SOFTWARE\Classes\CLSID\{521065F1-DE6C-4E46-BBCB-89B0D0BE860D}\InprocServer32@ C:\Program Files (x86)\EgisTec Shredder\x64\ShredderContextMenu.dll (ShredderContextMenu/Egis Technology Inc. SIGNED)(2010-01-21 04:20:04)
Reg HKLM\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32@ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Anti-Malware/Malwarebytes Corporation SIGNED)(2013-03-30 04:24:11)
Reg HKLM\SOFTWARE\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32@ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll (AMD Desktop Control Panel/Advanced Micro Devices, Inc.)(2011-10-26 05:24:38)
Reg HKLM\SOFTWARE\Classes\CLSID\{63542C48-9552-494A-84F7-73AA6A7C99C1}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll (OpenOffice.org)(2010-12-13 16:23:02)
Reg HKLM\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}@LocalizedString C:\windows\system32\Macromed\Flash\FlashUtil64_11_6_602_180_ActiveX.exe (Adobe® Flash® Player Installer/Uninstaller 11.6 r602/Adobe Systems Incorporated SIGNED)(2013-03-30 12:28:20)
Reg HKLM\SOFTWARE\Classes\CLSID\{7BC0E710-5703-45BE-A29D-5D46D8B39262}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\ooofilt_x64.dll (OpenOffice.org)(2010-12-13 16:22:50)
Reg HKLM\SOFTWARE\Classes\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32@ C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll (GoogleToolbarNotifier/Google Inc. SIGNED)(2013-01-09 07:22:35)
Reg HKLM\SOFTWARE\Classes\CLSID\{872A9397-E0D6-4e28-B64D-52B8D0A7EA35}\InprocServer32@ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiama64.dll (AMD Desktop Control Panel/Advanced Micro Devices, Inc.)(2011-10-26 05:24:20)
Reg HKLM\SOFTWARE\Classes\CLSID\{8E90925C-69DB-4260-B69B-55EE0D1BB743}\InprocServer32@ C:\Program Files\AVAST Software\Avast\AvastGUIProxy64.dll (avast! sidebar gadget ActiveX/AVAST Software SIGNED)(2012-08-02 10:29:48)
Reg HKLM\SOFTWARE\Classes\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32@ C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Toolbar/Google Inc. SIGNED)(2010-04-13 08:56:50)
Reg HKLM\SOFTWARE\Classes\CLSID\{AE424E85-F6DF-4910-A6A9-438797986431}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\propertyhdl_x64.dll (OpenOffice.org)(2010-12-13 16:22:52)
Reg HKLM\SOFTWARE\Classes\CLSID\{B02F6A03-1E58-4903-BBD9-BE1AF443635D}\InprocServer32@ C:\PROGRA~2\EGISTE~2\x64\MWLGAD~1.OCX (ActiveX OCX for Gadget/Egis Technology Inc. SIGNED)(2010-02-01 18:07:22)
Reg HKLM\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32@ C:\Program Files\AVAST Software\Avast\asOutExt64.dll (AsOutExt Module/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\CLSID\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl_x64.dll (OpenOffice.org)(2010-12-13 16:23:02)
Reg HKLM\SOFTWARE\Classes\CLSID\{CD2CE11F-5C26-4217-A773-914FADDA6FD9}\InProcServer32@ C:\Program Files\AVAST Software\Avast\asOutExt64.dll (AsOutExt Module/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32@ C:\windows\system32\Macromed\Flash\Flash64_11_6_602_180.ocx (Adobe Flash Player 11.6 r602/Adobe Systems, Inc. SIGNED)(2013-03-30 12:28:20)
Reg HKLM\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}@Depend C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\gtn.dll (GoogleToolbarNotifier/Google Inc. SIGNED)(2013-01-09 07:22:35)
Reg HKLM\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32@ C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc. SIGNED)(2010-04-13 08:57:11)
Reg HKLM\SOFTWARE\Classes\csvenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\Directory\shell\AddToPlaylistVLC\command@ C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (VLC media player 2.0.5/VideoLAN)(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\Directory\shell\Browse with &IrfanView\command@ C:\Program Files (x86)\IrfanView\i_view32.exe (IrfanView/Irfan Skiljan)(2012-01-24 01:24:52)
Reg HKLM\SOFTWARE\Classes\Directory\shell\PlayWithVLC\command@ C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (VLC media player 2.0.5/VideoLAN)(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\docenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\Drive\shell\Browse with &IrfanView\command@ C:\Program Files (x86)\IrfanView\i_view32.exe (IrfanView/Irfan Skiljan)(2012-01-24 01:24:52)
Reg HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD9@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD9\Command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\DVD\shell\PlayWithVLC\command@ C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (VLC media player 2.0.5/VideoLAN)(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\egisencfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\eSobi\shell\open\command@ C:\Program Files (x86)\eSobi\eSobi2\eSobi.exe (eSobi (esobi_SAB020)/esobi Inc. SIGNED)(2009-07-08 16:37:30)
Reg HKLM\SOFTWARE\Classes\evernote\shell\open\command@ C:\Program Files (x86)\Evernote\Evernote\Evernote.exe (Evernote/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:39:06)
Reg HKLM\SOFTWARE\Classes\FirefoxHTML\shell\open\command@ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation SIGNED)(2013-01-05 14:38:58)
Reg HKLM\SOFTWARE\Classes\gifenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\Open\command@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\htmenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\Installer\Products\0C22D86408082E118BE68BCAF689CC3E@ProductIcon C:\windows\Installer\{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}\ARPPRODUCTICON.exe (InstallShield/Flexera Software, Inc.)(2013-03-02 21:27:38)
Reg HKLM\SOFTWARE\Classes\Installer\Products\1038C85769625584FA5435B4210089A0@ProductIcon C:\windows\Installer\{758C8301-2696-4855-AF45-534B1200980A}\ARPPRODUCTICON.exe (InstallShield/Acresso Software Inc.)(2012-07-22 15:34:56)
Reg HKLM\SOFTWARE\Classes\Installer\Products\38E5962CD1FC1D3448EF3BEB5C1610A2@ProductIcon C:\Windows\Installer\{C2695E83-CF1D-43D1-84FE-B3BEC561012A}\ARPPRODUCTICON.exe (InstallShield/Acresso Software Inc.)(2010-04-13 09:43:45)
Reg HKLM\SOFTWARE\Classes\Installer\Products\3C5FB837B7FA0BB47BFE5E50FE7C65EB@ProductIcon C:\Windows\Installer\{738BF5C3-AF7B-4BB0-B7EF-E505EFC756BE}\ARPPRODUCTICON.exe (InstallShield/Acresso Software Inc.)(2010-04-13 09:41:50)
Reg HKLM\SOFTWARE\Classes\Installer\Products\4A1AFE21B3CAC344183432E7ED674030@ProductIcon C:\Windows\Installer\{12EFA1A4-AC3B-443C-8143-237EDE760403}\ARPPRODUCTICON.exe (InstallShield/Macrovision Corporation)(2010-04-13 09:30:39)
Reg HKLM\SOFTWARE\Classes\Installer\Products\4C40B789CA5B6DA47A9ED88601588B05@ProductIcon C:\Windows\Installer\{987B04C4-B5AC-4AD6-A7E9-8D681085B850}\ARPPRODUCTICON.exe (InstallShield/Acresso Software Inc. SIGNED)(2010-08-10 16:23:31)
Reg HKLM\SOFTWARE\Classes\Installer\Products\613755F10CFCDB14FA7FB84CC94E447D@ProductIcon C:\Windows\Installer\{1F557316-CFC0-41BD-AFF7-8BC49CE444D7}\ARPPRODUCTICON.exe (InstallShield/Acresso Software Inc.)(2010-04-13 09:43:52)
Reg HKLM\SOFTWARE\Classes\Installer\Products\8994BF104C33134458DE70E9E3FE7ED5@ProductIcon C:\windows\Installer\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\ARPPRODUCTICON.exe (WebCam/CyberLink Corp. SIGNED)(2011-10-10 01:38:35)
Reg HKLM\SOFTWARE\Classes\Installer\Products\9D0DC7D088A436A4F819F3E4F8737186@ProductIcon C:\Windows\Installer\{0D7CD0D9-4A88-4A63-8F91-3F4E8F371768}\ARPPRODUCTICON.exe (InstallShield/Acresso Software Inc.)(2010-04-13 09:42:41)
Reg HKLM\SOFTWARE\Classes\Installer\Products\B0F57C6D1CB39CF48B5CF3E7E80D95AC@ProductIcon C:\Windows\Installer\{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}\WLXPhotoGalleryIcon.exe (Windows Live Photo Gallery/Microsoft Corporation)(2010-08-10 16:34:13)
Reg HKLM\SOFTWARE\Classes\Installer\Products\B20BD48AB2C92724D9D28AE0005A5631@ProductIcon c:\Windows\Installer\{A84DB02B-9C2B-4272-9D2D-A80E00A56513}\ARPPRODUCTICON.exe (InstallShield/Acresso Software Inc.)(2010-04-13 08:52:09)
Reg HKLM\SOFTWARE\Classes\Installer\Products\C039314290386A74CB16E52FA72422CB@ProductIcon C:\Windows\Installer\{2413930C-8309-47A6-BC61-5EF27A4222BC}\ARPPRODUCTICON.exe (InstallShield/Macrovision Corporation)(2010-04-13 09:29:42)
Reg HKLM\SOFTWARE\Classes\Installer\Products\E7FF67E4ABEA78C47B88DC745E24B5D9@ProductIcon C:\windows\Installer\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\SkypeIcon.exe(2013-03-05 18:38:53)


End of GMER Part 4
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 4th, 2013, 10:06 am

GMER Part 5

Reg HKLM\SOFTWARE\Classes\IrfanView\shell\open\command@ C:\Program Files (x86)\IrfanView\i_view32.exe (IrfanView/Irfan Skiljan)(2012-01-24 01:24:52)
Reg HKLM\SOFTWARE\Classes\isofile\shell\open\command@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Media Maker\Cdmkr32u.exe (NTI Media Maker/NewTech Infosystems, Inc. SIGNED)(2009-11-06 23:09:22)
Reg HKLM\SOFTWARE\Classes\jarfile\shell\open\command@ C:\Program Files (x86)\Java\jre7\bin\javaw.exe (Java(TM) Platform SE binary/Oracle Corporation SIGNED)(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open\Command@ C:\Program Files (x86)\Java\jre7\bin\javaws.exe (Java(TM) Web Start Launcher/Oracle Corporation SIGNED)(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\jpegenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\jwcfile\shell\open\command@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\NTI JewelCase Maker\JCMKR32.exe (NTI JewelCase Maker/NewTech Infosystems, Inc. SIGNED)(2009-11-05 16:32:34)
Reg HKLM\SOFTWARE\Classes\KMPlayer.kpl\shell\Enqueue\command@ C:\Program Files (x86)\The KMPlayer\KMPlayer.exe (The KMPlayer/KMP Meida co.,Ltd SIGNED)(2011-12-19 10:04:22)
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command@ C:\Users\richardhod\AppData\Local\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2011-11-19 09:19:06)
Reg HKLM\SOFTWARE\Classes\mhtenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\ncdfile\shell\open\command@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Media Maker\Cdmkr32u.exe (NTI Media Maker/NewTech Infosystems, Inc. SIGNED)(2009-11-06 23:09:22)
Reg HKLM\SOFTWARE\Classes\ndffile\shell\open\command@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Media Maker\NDVD9To5.exe(2009-10-28 21:20:26)
Reg HKLM\SOFTWARE\Classes\NTIBurnerOpen\shell\open\command@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\DiscLaunchPad.exe (NTI Media Maker 8/NewTech Infosystems, Inc. SIGNED)(2009-06-08 22:44:44)
Reg HKLM\SOFTWARE\Classes\office.Extension.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.CalcDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\scalc.exe (OpenOffice.org Calc/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.CalcDocument.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.CalcTemplate.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\scalc.exe (OpenOffice.org Calc/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.CalcTemplate.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.DatabaseDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\sbase.exe (OpenOffice.org Base/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.DrawDocument.1\protocol\StdFileEditing\server@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.DrawDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\sdraw.exe (OpenOffice.org Draw/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.DrawDocument.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.DrawTemplate.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\sdraw.exe (OpenOffice.org Draw/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.DrawTemplate.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.ImpressDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\simpress.exe (OpenOffice.org Impress/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.ImpressDocument.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.ImpressTemplate.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\simpress.exe (OpenOffice.org Impress/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.ImpressTemplate.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.MathDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\smath.exe (OpenOffice.org Math/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.MathDocument.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterDocument.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterGlobalDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterGlobalDocument.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterTemplate.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterTemplate.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterWebDocument.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\sweb.exe (OpenOffice.org Writer(Web)/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterWebTemplate.1\shell\new\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterWebTemplate.1\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\opendocument.WriterWebTemplate.1\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\OpenOffice.org.Doc\shell\new\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\OpenOffice.org.Pot\shell\new\command@ C:\Program Files (x86)\OpenOffice.org 3\program\simpress.exe (OpenOffice.org Impress/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\OpenOffice.org.Rtf\shell\new\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\OpenOffice.org.Xls\shell\new\command@ C:\Program Files (x86)\OpenOffice.org 3\program\scalc.exe (OpenOffice.org Calc/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\pdfenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\PDVD9file\Shell\Open\Command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\PDVD9IFOfile\shell\Open@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\PDVD9IFOfile\shell\Open\command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\PDVD9RMXfile\shell\Open@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\PDVD9RMXfile\shell\Open\command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\PDVD9VOBfile\shell\Open@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\PDVD9VOBfile\shell\Open\command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\PDVD9XDLfile\shell\Open@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\PDVD9XDLfile\shell\Open\command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\PDXFileType\shell\Read\command@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-27 12:40:49)
Reg HKLM\SOFTWARE\Classes\ppsenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\scrivener.package\shell\open\command@ C:\Program Files (x86)\Scrivener\Scrivener.exe (Scrivener/Scrivener HQ Pty Ltd.)(2012-11-21 16:23:02)
Reg HKLM\SOFTWARE\Classes\skype\shell\open\command@ C:\Program Files (x86)\Skype\Phone\Skype.exe (Skype /Skype Technologies S.A. SIGNED)(2013-01-08 15:23:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarCalcDocument.6\protocol\StdFileEditing\server@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarCalcDocument.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\scalc.exe (OpenOffice.org Calc/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarCalcDocument.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarCalcTemplate.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\scalc.exe (OpenOffice.org Calc/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarCalcTemplate.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarDrawDocument.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\sdraw.exe (OpenOffice.org Draw/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarDrawDocument.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarDrawTemplate.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\sdraw.exe (OpenOffice.org Draw/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarDrawTemplate.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarImpressDocument.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\simpress.exe (OpenOffice.org Impress/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarImpressDocument.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarImpressTemplate.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\simpress.exe (OpenOffice.org Impress/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarImpressTemplate.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarMathDocument.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\smath.exe (OpenOffice.org Math/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarMathDocument.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarWriterDocument.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\soffice.StarWriterDocument.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarWriterGlobalDocument.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\soffice.StarWriterGlobalDocument.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\soffice.StarWriterTemplate.6\shell\open\command@ C:\Program Files (x86)\OpenOffice.org 3\program\swriter.exe (OpenOffice.org Writer/OpenOffice.org)(2011-01-17 19:09:00)
Reg HKLM\SOFTWARE\Classes\soffice.StarWriterTemplate.6\shell\print\command@ C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe (OpenOffice.org 3.3/OpenOffice.org)(2011-01-17 19:08:58)
Reg HKLM\SOFTWARE\Classes\SOFTWARE\Adobe\Acrobat\Exe@ c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-27 12:40:49)
Reg HKLM\SOFTWARE\Classes\SVCD\Shell\PlayWithPowerDVD9@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\SVCD\Shell\PlayWithPowerDVD9\Command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\Thunderbird.Url.mailto\shell\open\command@ C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe (Thunderbird/Mozilla Corporation SIGNED)(2013-03-02 15:44:43)
Reg HKLM\SOFTWARE\Classes\tifenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKLM\SOFTWARE\Classes\Valve.Source\shell\open\command@ c:\program files (x86)\portal\hl2.exe(2007-10-11 11:41:50)
Reg HKLM\SOFTWARE\Classes\VCD\Shell\PlayWithPowerDVD9@ c:\Program Files (x86)\CyberLink\PowerDVD9\Language\CLMUI\PDVDEnvRes.dll(2009-12-01 00:42:36)
Reg HKLM\SOFTWARE\Classes\VCD\Shell\PlayWithPowerDVD9\Command@ c:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe (PDVDLaunchPolicy Application/CyberLink Corp. SIGNED)(2009-12-01 23:40:48)
Reg HKLM\SOFTWARE\Classes\VLC.3g2\shell\AddToPlaylistVLC\command@ C:\Program Files (x86)\VideoLAN\VLC\vlc.exe (VLC media player 2.0.5/VideoLAN)(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32@ C:\Program Files (x86)\MyFree Codec\1.0b beta\XVID-CORE\xvid.ax(2009-10-06 07:16:00)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{00AB1EF0-C172-11DD-AD8B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{02AAB237-8E24-46ce-BD71-AB4F4DF52E3C}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0381D689-42FB-468E-ACD8-F1ACB68F20B3}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{03A81800-0CD8-11DD-BD0B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{03C4C5F4-1893-444C-B8D8-002F0034DA92}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{040563EE-5702-4F21-BC8D-83FC75CD3EC1}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLAudFx.ax (CyberLink Audio Effect Filter/CyberLink Corporation SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{048313F0-A816-11DC-8EBB-C0CA56D89593}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{051CAC4C-67FC-4c03-A16C-518E7D00C491}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DevFileService.dll (DevFileService.dll/Samsung Electronics Co., Ltd.)(2012-07-16 12:21:16)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{05741520-C4EB-440A-AC3F-9643BBC9F847}\InprocServer32@ C:\Program Files (x86)\Microsoft Office\Office12\ADDINS\OTKLOADR.DLL (Assembly loader/Microsoft Corporation)(2006-10-26 20:45:04)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe PDF Helper for Internet Explorer/Adobe Systems Incorporated SIGNED)(2012-03-26 15:39:05)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{071CCC92-7576-40c9-BE17-99440B10FA04}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCAKOREAMITSOBEX.dll (DCAMITSOBEX.dll/Mobileleader Co., Ltd.)(2012-06-28 10:27:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{07E8E5BA-2347-47BD-9113-44D275F36205}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{086874CB-416C-440C-B3E9-1012993540BF}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{087B3AE3-E237-4467-B8DB-5A38AB959AC9}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (OpenOffice.org)(2011-01-17 16:19:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{092BA4B2-F98D-4DD7-A9CD-FA0BEFCE2339}\InprocServer32@ C:\Program Files\AVAST Software\Avast\asOutExt.dll (AsOutExt Module/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0A9BD4EB-DED5-4DF0-BAF6-2CEA23F57261}\InprocServer32@ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Graphics-Previews-Common\MMACEFilters.dll(2011-10-26 05:23:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0AAA0A10-0989-4E22-834E-41C6CB3F5A9D}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0D37433C-8C73-458E-A7D6-15DE1CEC0F91}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\InProcServer32@ C:\Program Files (x86)\Mozilla Thunderbird\AccessibleMarshal.dll (Mozilla Foundation SIGNED)(2013-03-02 15:44:42)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0E6369BC-99F3-43D6-9689-C7682FA16A6F}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLAudFx.ax (CyberLink Audio Effect Filter/CyberLink Corporation SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0E799A91-CDDC-471B-A803-2DB82FAFB726}\InprocServer32@ C:\Program Files (x86)\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_32.dll(2011-10-26 05:07:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{0EC1BE85-1A90-427B-B165-38AFEE750615}\InProcServer32@ C:\PROGRA~2\NEWTEC~1\NTIMED~1\MEDIAM~1\plug-in\AVI2MP~1.DLL (Avi2Mpeg DLL/NewTech Infosystems. Inc. SIGNED)(2009-09-28 17:33:46)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{102C6E30-5702-48C1-A492-A3F3EFB1958C}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{10AD8B9D-222E-44D1-881B-0EA79E1B2D6E}\InprocServer32@ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Graphics-Previews-Common\Ticker.ax(2011-10-26 05:22:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{10DD084E-A5AE-456F-A3BE-DA67EBE6B090}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{11491E12-B9C1-4560-9E7F-468191FE3919}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.1.dll (Evernote Clipper for Microsoft Internet Explorer/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:50:28)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{11921BE2-A0A6-4532-B708-76537C9BB86D}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{11E2BC0C-5D4F-4E0C-B438-501FFE05A382}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}\InProcServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\viewerps.dll(2012-03-26 19:47:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1397D36A-D960-4a1a-A02B-D7496833C953}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{15AD65A9-C2AD-4F64-9CD7-2C9FDDFD0159}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\DigestFilter.dll(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{15B6FEE5-5FB3-4071-AC1F-7AEDC0E2A6BB}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{15BEB520-8337-4CB3-97F4-39A8710BC739}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{16548718-84CB-41FE-9B5E-B793BBF8E6E5}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\DigestFilter.dll(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{16741A21-280D-481A-BC57-F05E82C2A0F9}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{16BE3716-F570-422B-ADE5-00F759387300}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\Filters.dll (Filters Dynamic Link Library/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:21:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1720988D-B66C-4A94-9E63-7A377E44F7C9}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\clauts.ax (CLAuTS.ax/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{176FF4B4-BACF-49C6-896E-68390D429FA1}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{17796aeb-0f66-4663-b8fb-99cbee0224ce}\InProcServer32@ C:\Program Files (x86)\Common Files\ATI Technologies\Multimedia\AMDhwDecoder_32.dll (TODO: <File description>/Advanced Micro Devices)(2011-10-26 05:08:24)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1796A329-04C1-4C07-B28E-E4A807935C06}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pdfprevhndlr.dll (Adobe PDF Preview Handler/Adobe Systems, Inc. SIGNED)(2012-03-26 19:03:47)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe PDF Helper for Internet Explorer/Adobe Systems Incorporated SIGNED)(2012-03-26 15:38:59)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1962C876-C8F7-4474-9C46-BCFB23BDB516}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\cladr.ax (CyberLink Audio Renderer/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1A0F81B0-ABCD-460F-A464-9301FC78CD99}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\VideoFilter\CLVsd.ax (CyberLink Video/SP Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1A239250-B650-4B63-B4CF-7FCC4DC07DC6}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0BFB98-84FB-4C76-8A5F-86BB9AF01D67}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1B9D5A00-F252-11DD-BA2F-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1BCA4635-F1FC-44C8-B829-48229AEB32E3}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1CAAC16B-7D8A-4360-8881-835F76A8F6C7}\InProcServer32@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc. SIGNED)(2010-02-01 18:03:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1CC87FE2-1ADE-451b-8F37-B2101238051B}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\THNRProghelp.dll(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1CCCB35C-7924-4244-ADC3-0CCD16034A71}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E3435-8F73-417E-A57D-293A0A3AFC94}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1EF89626-358F-11D5-8071-0060082AE372}\InprocServer32@ C:\Windows\SysWOW64\XceedSco.dll (Xceed Streaming Compression Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com http://www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2040DDEF-7DD9-4903-A552-DC82C74A3C0F}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4B21-A1CE-E1BB11F3F3C2}\InprocServer32@ C:\Program Files (x86)\Common Files\Microsoft Shared\TRANSLAT\MSB1STAR.DLL (Arabic Stemmer for Microsoft Corporation, by Coltec M.E. Cairo, Egypt/Coltec M.E. Cairo, Egypt)(2003-05-02 19:18:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2055A7EE-51B2-4208-A41B-6A1569C0A1CA}\LocalServer32@ C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe (GameConsoleService/WildTangent, Inc. SIGNED)(2009-10-10 02:59:08)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{21BDEF47-9BFA-480a-A60F-85BC338F1B22}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{222C0F35-3D78-4570-9F6D-BAEE289D0304}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{23144A1F-AF18-4815-82E0-3D198EF782AB}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32@ C:\Program Files (x86)\7-Zip\7-zip.dll (7-Zip Shell Extension/Igor Pavlov)(2011-04-18 18:34:56)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32@ C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Toolbar/Google Inc. SIGNED)(2010-04-13 08:56:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{231D1CF6-C578-411D-9B9B-48264355805D}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com http://www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{24BF165B-74C3-4300-905D-0CA8B3841A99}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceServiceModelDB.dll (DeviceServiceModelDB.dll/Mobileleader Co., Ltd.)(2012-06-26 15:03:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{24E404E4-4088-4FFB-A228-F3511E6A4CAC}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\Filters.dll (Filters Dynamic Link Library/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:21:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{26EA376A-51E6-11DC-8314-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{279FC349-BE61-4B45-A78A-A31662912AED}\LocalServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\ConnectionManager.exe (DeviceServiceConnectionManager.exe/Mobileleader Co., Ltd.)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{288E09A2-927A-49A7-BB24-2988ABDD83EF}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{28DF9B49-991B-431C-ACA5-0FF4FADFF15F}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2938ABF2-9123-4112-BA24-38771ABBC34C}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{29AAD3F2-F7A6-4F7E-A6C0-96F674F47142}\InProcServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\psmachine.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{29AB7A12-B531-450E-8F7A-EA94C2F3C05F}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{29DCD339-D184-469B-8BFB-199A2CCF014E}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{29F458BE-8866-11D5-A3DD-00B0D0F3BAA7}\LocalServer32@ C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe (Thunderbird/Mozilla Corporation SIGNED)(2013-03-02 15:44:43)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{29FF7AB0-BE34-4992-A30B-53A9D86EE239}\InprocServer32@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlshellext.dll (Shell Extention/Egis Technology Inc. SIGNED)(2010-02-01 18:03:46)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2A64FF56-A24C-49A6-8B96-8C2BDFB52300}\InprocServer32@ C:\PROGRA~2\NEWTEC~1\NTIMED~1\MEDIAM~1\VOBPLA~1.OCX (VobPlayer ActiveX Control Module/NewTech Infosystem SIGNED)(2009-09-28 17:47:12)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2A9990A5-E235-4AE6-972C-EDC30B6192E5}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2ADA6289-B516-410D-A748-A498B850C5BA}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\VideoFilter\CLTzan.ax (Cyberlink Tzan Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2B9B4D10-C5B2-48CB-B34E-4ACF65BAD21F}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\MediaModules\MACSReaderAVI.ax(2012-06-26 15:03:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2C64651A-7B7F-4CED-A051-16AD65AF57F5}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2D594C78-EC80-11D4-8016-0060082AE372}\InprocServer32@ C:\Windows\SysWOW64\XceedSco.dll (Xceed Streaming Compression Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com http://www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2DBCDA9F-1248-400B-A382-A56D71BF7B15}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2ED34069-E3CF-4044-A012-BA8C6586BE58}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2EEAB6D0-491E-4962-BBA1-FF1CCA6D4DD0}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{2F4E1272-91A5-489F-A964-073A16A2D3CD}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLNavX.ax (CyberLink DVD Navigation Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}\InprocServer32@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\psdprotect.dll (PSD DragDrop Protection/Egis Technology Inc. SIGNED)(2010-02-01 18:03:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{30A2652A-DDF7-45e7-ACA6-3EAB26FC8A4E}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{31935372-7052-404a-AA4D-59496A1AF9B3}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{32CE2952-2585-49a6-AEFF-1732076C2945}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceoledb30.dll (OLEDB Provider/Microsoft Corporation)(2006-12-22 05:10:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{33393037-2A45-4449-A0AB-4E5F2BEFF220}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{33EC8F55-0AED-4932-ABB0-18FCEF9AE631}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3506CDB7-8BC6-40C0-B108-CEA0B9480130}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{35498F93-35E7-4B8D-AEB0-548CDC2E43EF}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLHBMixer.ax (CLHBMixer/ SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{35E2000E-81EA-45DC-BC98-7BA59579AE45}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3600B058-A384-4F74-A14F-F752EAF66755}\InprocServer32@ C:\windows\MAMCIT~1.OCX (KTMusic Download ActiveX Module/((2012-06-26 15:02:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{369EC458-45CF-444D-B33D-61E7FABE1C7E}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.1.dll (Evernote Clipper for Microsoft Internet Explorer/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:50:28)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}\InprocServer32@ C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE.dll (AnchorFree Inc. SIGNED)(2012-08-17 03:02:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{37587889-FC28-4507-B6D3-8557305F7511}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{37F08BCE-C7B2-48E8-88B0-666BC1C58C36}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{38C744AB-B64A-4DF1-8871-D3479155FADF}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3A2734A8-35C9-47C8-B22E-C2717A3F4E31}\InprocServer32@ C:\Program Files (x86)\NewTech Infosystems\NTI Media Maker 8\Photo Maker\SlideShow.ax(2009-06-27 09:28:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3A508B42-FFFE-4B78-ACFD-EF66A94CD156}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3AC8EA8C-990A-424A-BD7B-D5B57A9DEB83}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\VideoFilter\CLVsd.ax (CyberLink Video/SP Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3B092F0C-7696-40E3-A80F-68D74DA84210}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (OpenOffice.org)(2011-01-17 16:19:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3B621B62-9EF3-46C0-A856-B620F0A36056}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3C3E7657-4F0C-3FC4-8A89-A5B0F7EB480A}\InprocServer32@ C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\IACom.dll (Microsoft Tablet PC Component/Microsoft Corporation)(2006-10-26 20:43:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3D017FE4-12E1-4CFE-8E68-AF90B70E9ED0}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLAudioCD.ax (CyberLink AudioCD Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3D3E7C1B-79A7-4CC7-8925-41FA813E9913}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4019D36C-8251-4C2E-A287-CFAF19C2B548}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4060EDFE-CC12-489C-9D95-62F7FD9A1A8C}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{40E14EFD-B20A-4695-AC90-9DDF56B9C468}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLNavX.ax (CyberLink DVD Navigation Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{41662FC2-0D57-4aff-AB27-AD2E12E7C273}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}@InfoTip C:\Program Files (x86)\Java\jre7\bin\javacpl.exe (Java(TM) Control Panel/Oracle Corporation SIGNED)(2012-11-01 23:05:51)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{42DF0D46-7D49-4AE5-8EF6-9CA6E41EFEC1}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{42FE718B-A148-41D6-885B-01A0AFAE8723}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{43B7B8DB-82F9-40F1-99F8-7E21916A7885}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{43FD1592-3A84-11D5-8077-0060082AE372}\InprocServer32@ C:\Windows\SysWOW64\XceedSco.dll (Xceed Streaming Compression Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com http://www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{448BB771-CFE2-47C4-BCDF-1FBF378E202C}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{44AFAC41-D98B-4A3F-BB75-5AA4CC4D9763}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{452CCB69-6A95-4370-9E5A-B3EFB06A7651}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{455c3e04-bfe9-4089-8622-f2464ec3fddb}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{45DB68D9-EFA8-45E3-BAC2-83133741933B}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLDemuxer2.ax (CLDemuxer2/Cyberlink SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32@ C:\Program Files\AVAST Software\Avast\ashShell.dll (avast! Shell Extension/AVAST Software SIGNED)(2013-03-20 23:21:18)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{475005D6-C8DB-43A8-83B7-8F2F2CFF1192}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{476BD53C-B716-40E4-A4AE-E4B90A176047}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\TransModules\TG_Dump0708.DLL (SelfMusicVideo Dump Filter (DShow)/ENJsoft Corporation)(2012-06-26 15:03:04)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{47B667D4-B622-452F-B7C4-ADF16CC529A3}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{47B797F2-E873-4F47-A999-693A9FDF9E54}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{47D7ED16-3901-11D5-8074-0060082AE372}\InprocServer32@ C:\Windows\SysWOW64\XceedSco.dll (Xceed Streaming Compression Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com http://www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{48669B4F-B6AA-449F-B253-BF17103453DB}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\VideoFilter\CLSubTitle.ax (CLSubTitle.ax/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{49274E02-AC7E-431B-8C24-3005C2F00CB0}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{497954AD-41D0-47be-9736-23ECB872E3ED}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\THNRProghelp.dll(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4A5E947E-C407-4DCC-A0B5-5658E457153B}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4A6E162C-6F51-4956-86D0-A72729178B9B}\InprocServer32@ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Graphics-Previews-Common\MMACEFilters.dll(2011-10-26 05:23:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4B42750B-57A1-47E7-B340-8EAE0E3126A4}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4B9FAB2D-BFD6-41AB-AC98-C9A3F0960277}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4BB83CE8-10FB-48E7-9F8B-1B2185AA6304}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\cladr.ax (CyberLink Audio Renderer/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFB5280-800B-4367-848F-5A13EBF27F1D}\InprocServer32@ C:\Program Files (x86)\Common Files\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL (Microsoft Office Translation Dictionaries/Microsoft Corporation)(2000-10-10 11:23:20)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4DCCAFA1-5FA1-4543-BA05-726A1A33754B}\InprocServer32@ C:\windows\MAMCIT~1.OCX (KTMusic Download ActiveX Module/((2012-06-26 15:02:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4EE12AA6-A781-490F-96DA-783969C58A1A}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4FD5C4D3-6C15-4EA0-9EB9-EEE8FC74A91B}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{517EE672-AA19-4190-8A25-35A1C5DA9852}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{51F4EC6B-68D6-4D56-90F9-B8D72421F5DE}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{52071016-E648-4D3B-B57E-2B46CC993CE0}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{521065F1-DE6C-4E46-BBCB-89B0D0BE860D}\InprocServer32@ C:\Program Files (x86)\EgisTec Shredder\x86\ShredderContextMenu.dll (ShredderContextMenu/Egis Technology Inc. SIGNED)(2010-01-21 04:19:44)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{53720BB2-623D-457B-81EC-29F211DF30CA}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\VideoFilter\CLLine21.ax (CyberLink Line21 Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{546864F0-1BF8-11DD-BD0B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{572CD78D-9C1E-4B15-B160-5198145E53A3}\InProcServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\Dispatch.dll (Dispatch commands/CyberLink Corp. SIGNED)(2009-04-28 03:39:30)


End of GMER Part 5
Last edited by triplesec on April 4th, 2013, 10:08 am, edited 2 times in total.
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 4th, 2013, 10:07 am

GMER Part 6 (last part)


Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5792FC7D-5E1D-4F1A-BD4F-A7A50F92BC6E}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32@ C:\Program Files (x86)\Java\jre7\bin\wsdetect.dll (Java(TM) Web Start ActiveX Control/Oracle Corporation SIGNED)(2012-11-01 23:05:54)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{589C3930-F194-11DD-BA2F-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.21.135\goopdate.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5B2F6A77-8A7E-4AA7-B6D7-FAC7657F58BD}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5B46078B-A2AD-4B31-889A-96038DBF03E1}\LocalServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\ConnectionManager.exe (DeviceServiceConnectionManager.exe/Mobileleader Co., Ltd.)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB2200E-5672-4A32-902A-5A98DB1C58DC}\InprocServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll (PDF Browser Control/Adobe Systems, Inc. SIGNED)(2012-03-26 15:39:47)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5C3B5DAA-0AFF-4808-90FB-0F2F2D760E36}\InprocServer32@ C:\Program Files (x86)\MyFree Codec\1.0b beta\AC-3\ac3dx.ax (TODO: <(2009-10-06 07:16:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5C7AED05-A231-4ef8-92B9-1172BE5BE54A}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5DEC30F0-8361-4403-8D65-496A0F1E43CC}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5E395EC3-30F4-4A0E-A7F6-8878C60E8EB1}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5E541E71-A474-4EAD-8FCB-24D400D023B7}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5E628A96-1BE5-42FE-9117-EDAD9A9C479C}\InProcServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll (PDF Shell Extension/Adobe Systems, Inc. SIGNED)(2012-03-26 15:52:17)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5FEEC1AD-C45E-4B02-B20A-E6294CF808D7}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{60286710-BEA7-11DE-8A39-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6126A5F4-A096-4F8A-A272-C54FD7F63C17}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32@ C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (GoogleToolbarNotifier/Google Inc. SIGNED)(2013-01-09 07:22:35)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{61F8FAF0-82D0-407C-AE97-31441483AE40}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{620D55B0-F2FB-464E-A278-B4308DB1DB2B}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{62BF65A0-F193-11DD-BA2F-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{633D6DA1-70AB-49A5-9539-54E90F132763}\LocalServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe (Adobe 3D Utility 9.5/Adobe Systems Incorporated SIGNED)(2012-03-26 16:56:51)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{63542C48-9552-494A-84F7-73AA6A7C99C1}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (OpenOffice.org)(2011-01-17 16:19:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{63E6BE14-A742-4EEA-8AF3-0EC39F10F850}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32@ C:\Program Files (x86)\MyFree Codec\1.0b beta\XVID-CORE\xvid.ax(2009-10-06 07:16:00)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{665DD69A-A75D-47EC-A64F-DDD7B0CD0C9D}@LocalizedString C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\CDBurnCOM.dll (TODO: <(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32@ C:\Program Files (x86)\Samsung\Kies\External\SyncModules\secman.dll (Security Manager Component for Microsoft Outlook allows to turn off and on Outlook Object Model Security Guard/MAPILab Ltd. & Add-in Express Ltd. SIGNED)(2012-06-26 15:03:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{66F666FD-2D15-47F6-A991-D449F23EC837}\LocalServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\ConnectionManager.exe (DeviceServiceConnectionManager.exe/Mobileleader Co., Ltd.)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{68E2A88C-EB6B-42BE-8979-9789B573CD1C}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{69BD3561-799D-4d60-AB1A-E072918DA0E9}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCAKOREAMITSOBEX.dll (DCAMITSOBEX.dll/Mobileleader Co., Ltd.)(2012-06-28 10:27:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{69F34BA8-7ED4-4911-97F4-4B88ADF25441}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6A2C81B3-F15C-48B3-A6D2-E54AAAA75C1E}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\RASWraper.dll (TODO: <(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6AC51E9C-7947-4B46-A978-0AD601C4EFC9}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6D40004E-62AC-4032-B213-2D699A0A2FB3}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\VideoFilter\CLLine21.ax (CyberLink Line21 Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6E7B1428-73A7-420E-9601-BC0FD12F7881}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6E7D4AE2-770B-4F0D-9365-FEAD8DED17CD}\LocalServer32@ C:\Program Files (x86)\The KMPlayer\KMPlayer.exe (The KMPlayer/KMP Meida co.,Ltd SIGNED)(2011-12-19 10:04:22)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6EDCD38E-8861-11D5-A3DD-00B0D0F3BAA7}\InProcServer32@ C:\Program Files (x86)\Mozilla Thunderbird\MapiProxy_InUse.dll (Mozilla.org SIGNED)(2013-03-02 15:44:44)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.21.135\goopdate.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateBroker.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA10A39-4760-4C94-A210-2398848618EC}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7169A231-64EC-4702-98AB-05ABB6D882A9}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32@ C:\Program Files (x86)\Malwarebytes' Anti-Malware\ssubtmr6.dll (Subclassing and Timer Assistant, modified for configurable message response, multi control support and bug fixed for timer errors./vbAccelerator SIGNED)(2013-03-30 04:24:12)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{72DA66EA-B351-4909-B608-1B2348677F84}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLFLVSplitter.ax (CyberLink FLV Splitter/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{733F6140-BF61-11DE-8A39-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}@LocalizedString C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe (Adobe® Flash® Player Installer/Uninstaller 11.6 r602/Adobe Systems Incorporated SIGNED)(2013-03-30 12:28:22)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{741BEEFD-AEC0-4AFF-84AF-4F61D15F5526}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\InprocServer32@ C:\PROGRA~2\ESET\ESETON~1\ONLINE~1.OCX (Eset OnlineScanner ActiveX Control/ESET SIGNED)(2013-03-27 19:38:19)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{75C11604-5C51-48B2-B786-DF5E51D10EC9}\InprocServer32@ C:\Program Files (x86)\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL (Microsoft Office Translation Dictionaries/Microsoft Corporation)(2000-10-10 04:16:24)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32@ C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Java(TM) Platform SE binary/Oracle Corporation SIGNED)(2012-11-01 23:05:53)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7650BC47-036D-4d5b-95B4-9D622C8D00A4}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCAPARAGONGM.dll (TODO: <(2012-06-27 16:09:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{765EA019-3E9F-4122-90B5-65B68362B814}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{77C4C807-E257-43AD-BB3F-7CA88760BD29}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7A1A13F5-B96B-492A-B591-D7526E0B3013}\LocalServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceManager.exe (DeviceManager.exe/Mobileleader Co., Ltd.)(2012-07-16 12:19:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7A41359E-0407-470F-B3F7-7C6A0F7C449A}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7AA18156-1945-45AF-9AC6-F1A9787ACE06}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACDC5B4-76A1-4BDF-918D-6962FCABBAD3}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7B342DC4-139A-4a46-8A93-DB0827CCEE9C}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7BC0E710-5703-45BE-A29D-5D46D8B39262}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\ooofilt.dll (OpenOffice.org)(2011-01-17 16:19:08)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7BFC2BD7-0937-41EA-8872-CE3B27E08F84}\InprocServer32@ C:\Program Files\AVAST Software\Avast\AhAScr.dll (avast! Script Blocking library for Windows Scripting Interface/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7C4A630A-DE98-4E3E-8093-E8F5E159BB72}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7C730856-A82B-11DC-91EB-7AC855D89593}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateBroker.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7EC04D5B-19A8-45EE-BCB0-6FE0067F9468}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7ED1E9B1-CB57-4FA0-84E8-FAE653FE8E6B}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7F1F20AB-E445-4B3C-BB42-DBFF3FB140C0}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLAudSpa.ax (CLAudSpa.ax/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7F738B9D-EC8D-481D-BBCE-6B74AE1E3250}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\Filters.dll (Filters Dynamic Link Library/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:21:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7FA8AE11-B3E3-4D88-AABF-255526CD1CE8}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8097D7E9-DB9E-4AEF-9B28-61D82A1DF784}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{80E026F0-CE90-4F15-986A-45317268AB5A}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8215BA54-B69F-4275-AE11-31CB63593B09}\InProcServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll (PDF IFilter/Adobe Systems, Inc. SIGNED)(2012-03-26 16:19:15)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\SyncModules\secman.dll (Security Manager Component for Microsoft Outlook allows to turn off and on Outlook Object Model Security Guard/MAPILab Ltd. & Add-in Express Ltd. SIGNED)(2012-06-26 15:03:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{82838835-EA51-4CCA-B47F-1A374C09DC71}\LocalServer32@ C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe (GameConsoleService/WildTangent, Inc. SIGNED)(2009-10-10 02:59:08)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{82EAFAE0-1BF8-11DD-BD0B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{830690FC-BF2F-47A6-AC2D-330BCB402664}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{839C9033-5C49-47C2-B3A5-17913AEB1DB6}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLAudWizard.ax (CyberLink Audio Wizard Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{841643D5-D102-4B24-917C-0CAF6D9DFBF1}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32@ C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (GoogleToolbarNotifier/Google Inc. SIGNED)(2013-01-09 07:22:35)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8540DDC1-0F1A-475A-8620-C686D92164A7}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCADU.dll (DCADU.dll/Mobileleader Co., Ltd.)(2012-06-26 15:03:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{854F4628-CE51-42C4-80E9-80DAE27FAAAE}\InprocServer32@ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Graphics-Previews-Common\MMACEFilters.dll(2011-10-26 05:23:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{855DBC4D-C8D7-4816-B1EA-A5EBA403907E}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{86132628-1DA5-489c-9EB9-49B39B9A5583}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{86768E57-3BA7-4E97-856C-8189BF3BD05E}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{876AE1D5-ADED-4BF5-B2F1-618F04878FC5}\InprocServer32@ C:\PROGRA~2\MICROS~3\WkProof.dll (Microsoft® Works Core Proofing Service/Microsoft® Corporation)(2010-11-24 18:50:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{88A9100B-231A-421A-8AAB-918BFFE22C14}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{89070F16-AA76-4D4C-9C13-05DF179F3213}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceServiceModelDB.dll (DeviceServiceModelDB.dll/Mobileleader Co., Ltd.)(2012-06-26 15:03:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8913C82B-385B-48c1-8AE0-5D837DB4ADC5}\InprocServer32@ C:\Windows\SysWOW64\XceedSco.dll (Xceed Streaming Compression Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32@ C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (gusvc/Google SIGNED)(2010-04-13 08:57:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{89DD2F9D-C325-48BF-A615-96BD039BBC83}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8A025928-7AFB-4BD8-9279-0764607D18F1}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLAudSpa.ax (CLAudSpa.ax/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.21.135\goopdate.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateBroker.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8A2CF8A4-B7EA-484B-BF26-5172089C88A0}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32@ C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8B1141F4-A17B-4FE4-B366-2477158B46D4}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLAudioCD.ax (CyberLink AudioCD Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8DE80270-0CD6-11DD-BD0B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3486D8-20E5-4121-B855-BDAD58FB8336}\LocalServer32@ C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe (GameConsoleService/WildTangent, Inc. SIGNED)(2009-10-10 02:59:08)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\InprocServer32@ C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (avast! WebRep Plugin/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8FC178E0-CE18-40BC-8249-3E2D81FEDC3A}\InProcServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\RASWraper.dll (TODO: <(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9017071A-2E34-4C3A-9BBB-688CBB5A9FF2}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9059C329-4661-49B2-9984-8753C45DB7B9}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9083E830-8AC2-4167-B990-BB90B587C22D}\InprocServer32@ C:\windows\SysWOW64\3DAudio.ax(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{90FDB7BD-EB76-4AC9-8385-D1EE80BBCDCD}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Clipper for Microsoft Internet Explorer/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:50:28)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{94311571-1915-4DFA-AC78-9BC40B5F061F}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLNavX.ax (CyberLink DVD Navigation Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{94B91AB6-AC08-4C5B-9B80-F195024B6923}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{95028000-A6DE-493B-B253-9E18B19610A2}@LocalizedString C:\Program Files (x86)\Skype\Updater\Updater.dll (Skype Updater Library/Skype Technologies SIGNED)(2013-01-08 15:19:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{95028000-A6DE-493B-B253-9E18B19610A2}\Elevation@IconReference C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Updater Service/Skype Technologies SIGNED)(2013-01-08 15:19:46)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{95028000-A6DE-493B-B253-9E18B19610A2}\InprocServer32@ C:\Program Files (x86)\Skype\Updater\Updater.dll (Skype Updater Library/Skype Technologies SIGNED)(2013-01-08 15:19:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{953480DB-B2B8-4784-95E0-5545B9725176}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCAPARAGONOBEX.dll (DCAPARAGONOBEX.dll/Mobileleader Co., Ltd.)(2012-06-28 10:27:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{95F75C18-18BD-4B42-8C6C-CEC4B0EFB160}\InprocHandler32@ C:\Program Files (x86)\Google\Update\1.3.21.135\psmachine.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{960C8D55-B073-4561-8F39-5A2BDFCAB66D}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\BackupRestoreLib.dll (TODO: <File description>/TODO: <Company name>)(2012-06-26 15:03:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9611F958-258D-4787-B637-1C3EE207F557}\LocalServer32@ C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe (GameConsoleService/WildTangent, Inc. SIGNED)(2009-10-10 02:59:08)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{97D48B32-AFD8-4923-BA97-F4F3B99BF293}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\clm4splt.ax (CyberLink MPEG-4 Splitter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{987D25F8-2B82-4BC3-873F-CB330FAF07C4}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLRMSplitter.ax (CyberLink RealMedia Splitter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-26 15:57:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{996C8DFD-8CE6-43B2-9414-CB6132485363}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{99806ADD-C5EF-4632-A3D0-3E778B051F94}@LocalizedString C:\Windows\MASetupCaller.dll (((2012-06-26 15:02:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{99806ADD-C5EF-4632-A3D0-3E778B051F94}\InprocServer32@ C:\windows\MASETU~1.DLL (((2012-06-26 15:02:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{998FA181-D5BB-4548-9CB6-7FC105A0A327}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\client\wavdest.ax(2013-02-27 01:25:24)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9A1F038F-6A91-46CE-8BE6-B5F65F9F8FB4}\InprocServer32@ C:\PROGRA~2\NEWTEC~1\NTIMED~1\MEDIAM~1\VOBPLA~1.OCX (VobPlayer ActiveX Control Module/NewTech Infosystem SIGNED)(2009-09-28 17:47:12)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.21.135\goopdate.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\InprocServer32@ C:\Program Files (x86)\VideoLAN\VLC\axvlc.dll(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9C23E22F-BEBE-4E75-86C1-68C08607574B}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9D073235-D787-497D-8D1F-929559F1C621}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\psmachine.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9E1DFDCF-6AEF-4166-A5D7-82D6F47BD7A8}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\SyncModules\nktwab.dll(2012-06-26 15:03:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9E3533FC-22F7-4C78-B491-8807B2355872}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9E665ED7-958C-410C-9C56-05DA783E7933}\InprocServer32@ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Graphics-Previews-Common\MMACEFilters.dll(2011-10-26 05:23:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9EB4C4CB-74C2-4BE9-AA5D-8249F16020AD}\LocalServer32@ C:\Program Files (x86)\The KMPlayer\KMPlayer.exe (The KMPlayer/KMP Meida co.,Ltd SIGNED)(2011-12-19 10:04:22)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9F138B79-513C-41F5-A17C-F827FC1A3AAD}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCAPARAGONOBEX.dll (DCAPARAGONOBEX.dll/Mobileleader Co., Ltd.)(2012-06-28 10:27:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9FF62CEC-3A69-11D5-8077-0060082AE372}\InprocServer32@ C:\Windows\SysWOW64\XceedSco.dll (Xceed Streaming Compression Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A02A65C1-50E4-4E5D-B9D0-625D5DEBC671}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A07CCD0C-8148-11D0-87BB-00C04FC33942}\InprocServer32@ C:\PROGRA~2\COMMON~1\SYSTEM\OLEDB~1\MSOLAP80.DLL (Microsoft OLE DB Provider for Analysis Services 8.0/Microsoft Corporation)(2006-09-27 04:01:30)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A08A033D-1A75-4AB6-A166-EAD02F547959}\InprocServer32@ C:\Program Files (x86)\Microsoft Office\Office12\ADDINS\OTKLOADR.DLL (Assembly loader/Microsoft Corporation)(2006-10-26 20:45:04)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A0A61B00-96A6-457F-AA5E-AFA5167852E5}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A2D4475B-C9AA-48E2-A029-1DB829DACF7B}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A4155C74-D67F-11DC-91F3-896C55D89593}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A4988A6F-EC43-452A-8839-80494FB2CBD2}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\MediaModules\NEDFilter4Samsung.ax (MACSReaderMP3 Filter/L544™ Technology)(2012-06-26 15:03:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A4F65992-5738-475B-9C16-CF102BCDE153}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A52BFCF1-6B91-4ACC-9566-8F018C044E61}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A6931B16-90FA-4D69-A49F-3ABFA2C04060}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A720B3BF-E42F-4b38-8EF8-8E6A1B13B7E5}@LocalizedString c:\Program Files (x86)\CyberLink\PowerDVD9\Dispatch.dll (Dispatch commands/CyberLink Corp. SIGNED)(2009-04-28 03:39:30)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A7DF2611-D752-4C9F-A90A-B56F18485EE9}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A8469360-C168-11DD-AD8B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A8FD1954-9FED-47AF-AFB5-BCDF10BAA724}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLDemuxer2.ax (CLDemuxer2/Cyberlink SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{A983C9EC-D73E-4364-B89B-ACD1E405674F}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32@ C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Toolbar/Google Inc. SIGNED)(2010-04-13 08:56:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateBroker.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AE424E85-F6DF-4910-A6A9-438797986431}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\propertyhdl.dll (OpenOffice.org)(2010-12-13 16:22:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AE860CE7-C15E-4B9C-BA5B-2EB38369E4AF}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AFD07A5E-3E20-4D77-825C-2F6D1A50BE5B}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B02F6A03-1E58-4903-BBD9-BE1AF443635D}\InprocServer32@ C:\PROGRA~2\EGISTE~2\x86\MWLGAD~1.OCX (ActiveX OCX for Gadget/Egis Technology Inc. SIGNED)(2010-02-01 18:05:32)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B03FBCEC-6E47-45B8-BA2D-9AA24F2E42AD}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLRMAud.ax (CyberLink RealMedia Audio Decoder/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B09AC3FF-0D5D-41C6-A34E-7C3F58A3127C}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B1068D20-A431-4DBA-B1F8-990621E8A762}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B153D707-447A-4538-913E-6146B3FDEE02}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B18F879A-A925-4F25-9520-46B1CC6FAA69}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B1E81530-2120-11DD-BD0B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B1F3F3CB-EF49-4EBB-96E2-082FCDF14F1B}\InprocServer32@ C:\PROGRA~2\EGISTE~2\x86\MWLGAD~1.OCX (ActiveX OCX for Gadget/Egis Technology Inc. SIGNED)(2010-02-01 18:05:32)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B22D0C7B-1E65-4533-97FA-A7335B8BCD94}\LocalServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe (Adobe 3D Utility 9.5/Adobe Systems Incorporated SIGNED)(2012-03-26 16:56:51)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B29922E4-4279-4319-8153-6064BA4609AF}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32@ C:\Program Files\AVAST Software\Avast\asOutExt.dll (AsOutExt Module/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B359B6EA-E892-4018-8CD2-4ECC9BD477A2}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.21.135\goopdate.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:26)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B3E0E785-BD78-4366-9560-B7DABE2723BE}\InprocServer32@ C:\Program Files (x86)\Common Files\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL (Microsoft Office Translation Dictionaries/Microsoft Corporation)(2000-10-10 04:16:24)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B4820720-74D0-4a16-AA9D-AA4971A9B4D6}\LocalServer32@ C:\windows\SysWOW64\muzapp.exe (MUZAoDApp Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B4AAACDA-FF95-4279-92C2-370A018BAB7E}\InProcServer32@ C:\PROGRA~2\NEWTEC~1\NTIMED~1\MEDIAM~1\plug-in\HOMEGO~1.DLL(2008-08-01 16:30:24)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B4BAB526-5BA1-3C4D-AF21-CFDCD9AAF2D2}\InprocServer32@ C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\IACom.dll (Microsoft Tablet PC Component/Microsoft Corporation)(2006-10-26 20:43:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B50F4299-76E8-475E-B4B6-34B30BD89619}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32@ C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (gusvc/Google SIGNED)(2010-04-13 08:57:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B58F31CA-DF43-4BEF-B800-E0B0F99CFF84}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\enapi.dll (Evernote API/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:47:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B692B1C4-8973-4DB8-9FCE-9813A057ED09}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B72E48BC-DF8D-4B48-81A3-CE6DB04F3970}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B756C224-A1EA-44F8-95C1-9F726040C800}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B792A203-FB64-4909-AEFE-A9EFB2697E55}\InprocServer32@ C:\windows\SysWOW64\muzaf1.dll (AOD Sourcer Filter/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B797DA02-13CA-4b94-BC71-04938CD275CE}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCAPARAGONATOBEX.dll (TODO: <(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B7A43D07-BAEF-49d0-946F-58CF6CB22714}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceServiceCore.dll (DeviceServiceCore.dll/Mobileleader Co., Ltd.)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B7A51621-758F-42B7-9365-7F8CBCBBED08}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-27 12:40:49)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B918AB28-1266-2931-E9A2-837488ABC211}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA63CAC-9913-4A13-9212-E97BB70C05C9}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BBB2BC26-1202-4174-B8D2-CBFED6D68C21}\LocalServer32@ C:\windows\SysWOW64\muzapp.exe (MUZAoDApp Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BBBFD220-F193-11DD-BA2F-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BCABBE72-C1CF-4785-B16F-F858E4726364}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\CLHBMixer.ax (CLHBMixer/ SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BCAD19F2-3F27-4820-B6AA-70507C1D5442}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\Filters.dll (Filters Dynamic Link Library/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:21:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\LocalServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe (Adobe PDF Broker Process for Internet Explorer/Adobe Systems Incorporated SIGNED)(2012-03-26 16:35:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BD6BEEE8-64CE-4814-B319-990645883E89}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\EvernoteOL.dll (Evernote Clipper for Microsoft Outlook/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:50:28)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BD7184DC-0403-4d47-8489-688223790DC6}\LocalServer32@ C:\windows\SysWOW64\muzapp.exe (MUZAoDApp Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BDE41C5F-EB7D-4c3d-8C9C-12D8F68B24D9}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{BF356210-DC0B-11DC-95FF-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C1843338-0C08-4dd5-AD13-B6871EC80AA9}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C300AD88-85D7-4716-9FE2-A76E83D1BB05}\LocalServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceManager.exe (DeviceManager.exe/Mobileleader Co., Ltd.)(2012-07-16 12:19:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C3271080-C57A-4520-8066-337AD212D7E0}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C3CBD658-4406-43D0-ACE3-EFC01AEDF63F}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C3FD36E4-95FE-45FE-98CF-89925EE287B1}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceSearch.dll (TODO: <(2012-06-26 15:03:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32@ C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Update/Google Inc. SIGNED)(2013-02-20 08:21:31)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api (Adobe Acrobat Accessibility Plug-in/Adobe Systems Incorporated)(2012-03-27 11:37:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\InprocServer32@ C:\Program Files (x86)\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (OpenOffice.org)(2011-01-17 16:19:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C5AA36A1-8BD1-47E0-90F8-47E7239C6EA1}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32@ C:\Program Files (x86)\Malwarebytes' Anti-Malware\vbalsgrid6.ocx (vbAccelerator VB6 SGrid Control 2.0/vbAccelerator SIGNED)(2013-03-30 04:24:12)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C699D523-20FF-4ED3-91D3-96076FA24649}\InProcServer32@ C:\PROGRA~2\NEWTEC~1\NTIMED~1\MEDIAM~1\plug-in\AUDIOC~1.DLL(2009-09-28 17:40:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C71486B6-CF8E-4C2F-A308-0A09C748AED0}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C773CF25-3487-484A-A839-29606137F191}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CA5A19C0-C269-11DD-AD8B-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\InprocServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll (PDF Browser Control/Adobe Systems, Inc. SIGNED)(2012-03-26 15:39:47)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\InprocServer32@ C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}\InprocServer32@ C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll(2012-05-25 03:41:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32@ C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\InprocServer32@ C:\windows\SysWOW64\deployJava1.dll (Java(TM) Platform SE binary/Oracle Corporation SIGNED)(2011-12-03 00:18:37)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32@ C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CBABF241-9875-46C8-BB0B-6F90CC8D12FE}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CBD4FB70-F00B-4963-B249-4B056E6A981A}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CBF8BAF7-A9F4-46CD-B8A4-C49810A8DE5D}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\Filters.dll (Filters Dynamic Link Library/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:21:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CC1B9A74-16E2-4DAC-9FC8-430785F0A452}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CC461FC3-C9BE-41FB-8E47-E0115CBC01CC}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CC957078-B838-47C4-A7CF-626E7A82FC58}\LocalServer32@ C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Updater Service/Skype Technologies SIGNED)(2013-01-08 15:19:46)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CD2CE11F-5C26-4217-A773-914FADDA6FD9}\InProcServer32@ C:\Program Files\AVAST Software\Avast\asOutExt.dll (AsOutExt Module/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CD2D4F73-EF66-412F-B876-B3B1F012A857}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\VideoFilter\CLRMVD.ax (CyberLink RealMedia Video Decoder/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{CD6CB947-0EFA-4321-BD45-A53B29BC1D32}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D0484DE6-AAEE-468a-991F-8D4B0737B57A}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D1C8C854-223A-4716-B670-C21918E8207E}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32@ C:\windows\SysWOW64\Macromed\Flash\Flash32_11_6_602_180.ocx (Adobe Flash Player 11.6 r602/Adobe Systems, Inc. SIGNED)(2013-03-30 12:28:22)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D2D59CD1-0A6A-4D36-AE20-47817077D57C}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (Adobe Reader 9.5/Adobe Systems Incorporated SIGNED)(2012-03-26 15:57:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D3E95E1D-D003-42A0-91FD-465DC624BC7A}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D407C0B4-BDC9-4c00-81DE-81EEAC649850}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D46BA7B2-899F-4F60-85C7-4DF5713F6F18}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D49CACC9-D3F0-46E6-AC91-66C5534EA367}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\CLRCEngine3.dll (PowerDVD Remote Control Module/CyberLink Corp. SIGNED)(2009-04-28 03:39:24)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D6CB4B7A-10CF-4E51-B237-41D59B17CEE6}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D865F1E7-BAC6-4ECA-B37B-0A5DDFF2D031}\InprocServer32@ C:\Windows\SysWOW64\XceedCry.dll (Xceed Encryption Library/Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com SIGNED)(2008-06-05 17:57:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D9007E8B-A33A-4429-B0FC-7FC211DB8110}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceoledb30.dll (OLEDB Provider/Microsoft Corporation)(2006-12-22 05:10:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D93BF052-FC68-4DB6-A4F8-A4DC9BEEB1C0}\LocalServer32@ C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe (Google Earth/Google)(2013-02-27 01:42:13)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D98A47E4-436F-41fc-8F1E-DA48F42BEEA7}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\PRPlayerCore.dll(2012-06-26 15:03:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DA3A5798-556A-4353-91D7-009B58355CBF}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\CLFQEngine.dll (CLFQEngine/CyberLink Corp. SIGNED)(2009-06-30 04:59:56)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DAAA9C6F-5FD5-4204-B1E9-BE0C95CA217C}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\UPNPDevice_Kies.dll (UPnP SDK Device Host Kies Device/Windows (R) Codename Longhorn DDK provider)(2012-07-16 12:21:28)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DBAED8A2-F1C7-42DC-8145-938F4FB85F02}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Clipper for Microsoft Internet Explorer/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063 SIGNED)(2013-03-19 15:50:28)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32@ C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Java(TM) Platform SE binary/Oracle Corporation SIGNED)(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}@DisplayName C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pdfprevhndlr.dll (Adobe PDF Preview Handler/Adobe Systems, Inc. SIGNED)(2012-03-26 19:03:47)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DD0E8ED5-1494-4B87-A35C-39F6ED4B1153}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DE556AEC-1266-2931-2441-0BFC47A92DD2}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9B465F-0405-41B9-8C20-B6F0CACCC713}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E0241B79-AB3A-49D8-9691-2CF3D6D863B0}\LocalServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceDataService.exe (DeviceDataService.exe/Mobileleader Co., Ltd.)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E0CCEE92-6573-4549-9721-5CFD87360A01}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E0EEE430-80D8-42D7-8D83-F046AECD7536}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F7FDF8-31BA-4AA8-8C0C-979CE8CC84D5}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\MediaModules\MP3FileInfoCOM.dll (TODO: <File description>/TODO: <Company name>)(2012-06-26 15:03:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E0FA077E-B6A4-41D2-9983-BEB4DD6D85AA}\InprocServer32@ C:\Program Files (x86)\EgisTec IPS\IPS.dll (IPS COM module/Egis Technology Inc. SIGNED)(2009-12-25 01:44:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32@ C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll(2012-11-01 23:05:52)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E1BC9147-C3E3-4E8A-8304-5E6B5C1C0774}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E23FE9C6-778E-49D4-B537-38FCDE4887D8}\InprocServer32@ C:\Program Files (x86)\VideoLAN\VLC\axvlc.dll(2012-12-13 00:12:58)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A0B632-DFBA-4549-9346-E414DA06E6F8}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E61F38E3-A981-4EA6-848B-C67D9BBA7526}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\Filters.dll (Filters Dynamic Link Library/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:21:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}\InprocServer32@ C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll (PDF IFilter/Adobe Systems, Inc. SIGNED)(2012-03-26 16:19:15)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E8CD244F-1836-4FFE-AF58-1776580D1622}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{E90F7907-7671-4539-8903-5708560D10C4}\LocalServer32@ C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe (GameConsoleService/WildTangent, Inc. SIGNED)(2009-10-10 02:59:08)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EA2152EB-244F-414F-88AD-7B26655E862A}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\clauts.ax (CLAuTS.ax/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EAC52218-76CA-414E-9087-D3BCDC8A57B8}\InProcServer32@ C:\PROGRA~2\NEWTEC~1\NTIMED~1\MEDIAM~1\plug-in\RESCDM~3.DLL (resCdmkrEn DLL/NewTech Infosystems, Inc.)(2009-10-26 18:30:56)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EBE69A72-7483-410C-B50C-2B40885E6F5B}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ED323630-B4FD-4628-BC6A-D4CC44AE3F00}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ED443AF0-62B2-43D6-AAB6-1477DE0D4E86}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\Filters.dll (Filters Dynamic Link Library/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:21:02)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EDA751A6-3A6C-4659-957D-F1840C61ABD7}\LocalServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceManager.exe (DeviceManager.exe/Mobileleader Co., Ltd.)(2012-07-16 12:19:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EE11F93E-0291-4FEB-9099-00E9DB469C79}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceSearch.dll (TODO: <(2012-06-26 15:03:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\InProcServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll (PDF Browser Control/Adobe Systems, Inc. SIGNED)(2012-03-26 15:39:47)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EE5D1EA4-D445-4289-B2FC-55FC93693917}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EEFEC232-DD4E-4DA8-9777-C3AFB8520D73}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{EF97DB54-237A-46C3-8E3C-CEA6011E7741}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\smdecryption.dll (TODO: <File description>/TODO: <Company name>)(2012-06-26 15:03:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F0840240-136B-4B81-BC44-2C1BB0CFDC15}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\AudioFilter\Claud.ax (CyberLink Audio Decoder Filter/CyberLink Corp. SIGNED)(2010-03-19 22:15:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F1AA2CAD-0E89-4239-85E5-A91B69C5862D}\InprocServer32@ C:\windows\SysWOW64\muzeffect.ax (P3AudioEffect Filter/(c) MUSICCITY)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F251BED0-0544-42C7-ABBC-93556E513238}\InprocServer32@ C:\windows\SysWOW64\muzdecode.ax (PCube Audio Decoder Filter/(c) MusicCity)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F278D870-7AF7-4957-96EE-E6AC72D0B109}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F2AA8FF0-0201-11DD-95FF-0800200C9A66}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F3188CF3-EF22-4C5B-92CB-605964761C3B}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F39659CF-699B-47EF-BB19-C15A84BBB143}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F3B378CC-345E-4435-A1B3-788455599C7B}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32@ C:\Program Files\AVAST Software\Avast\AhAScr.dll (avast! Script Blocking library for Windows Scripting Interface/AVAST Software SIGNED)(2013-03-20 23:21:19)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F46D3404-B87E-4C54-8049-8D9A1616D02C}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\MediaModules\AStoreMarshal.dll (TODO: <(2012-06-26 15:03:08)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32@ C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\objectps.dll (InstallShield (R) ObjectPS DLL/Macrovision Corporation)(2010-08-10 16:23:42)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F493E9A8-971B-4CC0-AAAB-61BE2B885E7A}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\MediaModules\OGGFileInfoCOM.dll (TODO: <File description>/TODO: <Company name>)(2012-06-26 15:03:10)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F4A40134-ED3B-4069-BC86-ED9733BD3217}\InprocServer32@ C:\windows\SysWOW64\muzmp4sp.ax (P3MP4Splitter Filter/(c) MusicCity)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F7B301-7C59-4851-BA97-C51F110B590F}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\client\earthps.dll(2013-02-27 01:25:00)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F616B81F-7BB8-4F22-B8A5-47428D59F8AD}\InprocHandler32@ C:\Program Files (x86)\OpenOffice.org 3\program\inprocserv.dll(2011-01-17 16:19:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F665CEA8-17A0-4b10-9511-FBE13DA11631}\InprocServer32@ C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.1\sqlceca30.dll (Client Agent/Microsoft Corporation)(2006-12-22 05:05:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F750BC9F-72CE-45C6-9D1F-BFEFB0765918}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\StarburnX12.dll (StarBurnX CD/DVD/Blu-Ray/HD-DVD Burning, Grabbing and Mastering Toolkit for Windows 95/98/Me/NT/2000/XP/2003/Vista/Longhorn/Rocket Division Software)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F817F096-9E9D-45FC-BE44-11CEF283FAEA}\InprocServer32@ C:\windows\SysWOW64\muzwmts.dll (P3WMTSplitter Filter/ (c) MusicCity)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F912DCEC-3462-4632-8087-FEEFB45AE521}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F92ACE0C-4692-4793-BC37-EABC55DA988A}\InprocServer32@ C:\windows\SysWOW64\muzeffect.ax (P3AudioEffect Filter/(c) MUSICCITY)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F99A79E0-13E1-478A-8836-56ADD3610C90}\InprocServer32@ C:\Program Files (x86)\Google\Google Earth\plugin\ie\7.0.3.8542\plugin_ax.dll (GEPlugin/Google)(2013-02-27 01:26:23)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F9A9F058-A535-45D3-8414-E80CAFD6D31F}\InprocServer32@ C:\windows\SysWOW64\muzmpgsp.ax (PCube MPEG Splitter Filter/(c) MusicCity)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F9D1D49D-D6A6-4C0F-ADF1-70CE4AB94DDB}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DCAWM.dll (DCAWM.dll/Mobileleader Co., Ltd.)(2012-06-26 15:03:36)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{F9DB5320-233E-11D1-9F84-707F02C10627}\InprocServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (PDF Shell Extension/Adobe Systems, Inc. SIGNED)(2012-03-26 15:52:17)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FA150B05-7510-471D-9AFB-467B94462FDE}\InprocServer32@ C:\windows\SysWOW64\muzapp.dll (MUZAoDAppCtrl Module/Musiccity Co.Ltd.)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FA2CBAFB-F7B1-4F41-9B7A-73329A6C1CB7}\InprocServer32@ C:\Windows\SysWOW64\Redemption.dll (Outlook Redemption COM library/Dmitry Streblechenko)(2012-07-22 15:35:33)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}@Depend C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\gtn.dll (GoogleToolbarNotifier/Google Inc. SIGNED)(2013-01-09 07:22:35)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32@ C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc. SIGNED)(2010-04-13 08:57:11)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FBD3694F-4F7A-4707-8CA4-2C9F7D6CFAE6}\InprocServer32@ c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\CLMKVSplter.ax (CyberLink Matroska Splitter/CyberLink Corp. SIGNED)(2010-03-19 22:15:48)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FD174017-EB5C-4F6F-A7B4-DE782F662966}\InprocServer32@ C:\Program Files (x86)\Evernote\Evernote\enapi.dll (Evernote API/Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)(2013-03-19 15:47:06)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FD501041-8EBE-11CE-8183-00AA00577DA2}\InprocServer32@ C:\Program Files (x86)\MyFree Codec\1.0b beta\MyFree.ax(2012-10-20 00:30:50)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FDA6EEC2-325B-4E8A-A8C7-1C75DFBE72D5}\InProcServer32@ C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe PDF Helper for Internet Explorer/Adobe Systems Incorporated SIGNED)(2012-03-26 15:38:59)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FF7BCF7C-1D4B-4717-A39A-0DB1A107B62B}\InprocServer32@ C:\windows\SysWOW64\muzoggsp.ax (OGG Splitter/(c) PeeringPortal)(2012-06-26 15:02:38)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FF910147-AB29-4D05-BF8E-1A4F36C7DBD6}\InprocServer32@ C:\Program Files (x86)\Samsung\Kies\External\DeviceModules\DeviceCommunication.dll (DeviceCommunication.dll/Mobileleader Co., Ltd.)(2012-06-26 15:03:34)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}\InprocServer32@ C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype for COM API/Skype Technologies SIGNED)(2011-11-03 13:48:40)
Reg HKLM\SOFTWARE\Classes\xlsbenxfile\shell\open\command@ C:\Program Files (x86)\EgisTec MyWinLocker\x86\Decryption.exe (Decryption/Egis Technology Inc. SIGNED)(2010-02-01 18:04:48)
Reg HKCU\Software\Microsoft\Installer\Products\0843B3356BAEDD442B4E17E55928010E@ProductIcon C:\Users\richardhod\AppData\Roaming\Microsoft\Installer\{533B3480-EAB6-44DD-B2E4-715E958210E0}\TweetDeck.exe(2012-11-09 01:58:11)
Reg HKCU\Software\Microsoft\Installer\Products\711E928B270DAE14696089623AD8431C@ProductIcon C:\Users\richardhod\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe (InstallShield/Macrovision Corporation)(2013-03-27 19:01:17)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe@ C:\Users\richardhod\AppData\Local\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2011-11-19 09:19:06)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\DropboxAutoplay@DefaultIcon C:\Users\richardhod\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox/Dropbox, Inc. SIGNED)(2013-03-12 07:05:50)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (KiesPDLR/Samsung SIGNED)(2012-07-16 12:24:06)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@KiesAirMessage C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe (Samsung Electronics)(2012-11-02 05:31:26)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@KiesPreload C:\Program Files (x86)\Samsung\Kies\Kies.exe (Kies/Samsung SIGNED)(2012-07-16 12:23:56)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@swg C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (GoogleToolbarNotifier/Google Inc. SIGNED)(2010-04-13 08:57:11)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Google Update C:\Users\richardhod\AppData\Local\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc. SIGNED)(2011-11-19 09:18:23)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Skype C:\Program Files (x86)\Skype\Phone\Skype.exe (Skype /Skype Technologies S.A. SIGNED)(2013-01-08 15:23:58)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox@UninstallString C:\Users\richardhod\AppData\Roaming\Dropbox\bin\DropboxUninstaller.exe (Dropbox 1.6.18 Installer/Dropbox, Inc. SIGNED)(2013-03-12 07:06:32)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox@DisplayIcon C:\Users\richardhod\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox/Dropbox, Inc. SIGNED)(2013-03-12 07:05:50)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome@UninstallString C:\Users\richardhod\AppData\Local\Google\Chrome\Application\26.0.1410.43\Installer\setup.exe (Google Chrome/Google Inc. SIGNED)(2013-04-02 02:09:48)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome@DisplayIcon C:\Users\richardhod\AppData\Local\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2011-11-19 09:19:06)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec@UninstallString C:\Program Files (x86)\MyFree Codec\1.0b beta\uninstall.exe (MyFreeCodec/Freeware)(2012-11-02 07:04:13)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spotify@DisplayIcon C:\Users\richardhod\AppData\Roaming\Spotify\Spotify.exe (Spotify/Spotify Ltd SIGNED)(2012-05-24 21:54:51)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk@UninstallString C:\Users\richardhod\AppData\Roaming\Google\Google Talk\uninstall.exe(2012-07-25 22:54:53)

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby triplesec » April 4th, 2013, 10:19 am

GMER was large, in 6sections. I'm attaching the mbr as you ask. If you want it in another way, lmk!
Thanks for this, hugely. If there are any good resources explaining what these are looking for and how to parse them, I'd be interested in reading and learning.

here's the Dump_Hdd0_DR0.mbr renamed Dump_Hdd0_DR0.txt
You do not have the required permissions to view the files attached to this post.
triplesec
Regular Member
 
Posts: 17
Joined: April 1st, 2013, 9:01 pm

Re: Need help finding MITM Trojan please!

Unread postby Gary R » April 4th, 2013, 5:30 pm

Nothing out of the ordinary in any of your scan results.

There's a few minor security issues to deal with, but nothing that would indicate any kind of MITM trojan on your machine. We'll deal with them once I've determined there's nothing else to attend to.

You didn't post me your Extra.txt log, you posted the 2nd part of your OTL.txt instead by mistake, can you please post me the Extra.txt so I can look it over.

Also if you have the results from the E-Set scan that you ran earlier, can you post them for me please, if you don't have them then ....

Please run a new scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on Run ESET Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed click on Start to start the scan.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: M2Judy and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware