
External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 12:15 pm

Hey guys,

Hopefully you guys can help me out with this. I have a 1TB WD HDD which I use to back up my photos and videos while I'm in the field working. I make my backup every day in the field, basically just making a folder day1, day2 and so on. When I got back home I plugged it into my computer and as soon as I opened the drive half the folders were being shown as shortcuts. When I tried to open it, avast kicked in, gave me a Trojan alert and blocked the file. Avast's Shield log lists it as follows:

FILE NAME: H:\.Trashes\b3fdadef.com - SEVERITY: High - STATUS: Threat: Win32:Kryptik-LQL[Tfj] - ACTION: Move to Chest - RESULT: Action Successful

Now when I try to open a folder it gives the following error: Windows cannot find H:\.Trashes\b3fdadef.com. Make sure you typed the name correctly and try again. I can tell that the data is still there by the overall file size on the passport.

The other folders which haven't been infected are working absolutely fine.

I'm on a brand new PC; I just installed Win7 myself, everything is working fine and my computer isn't, or doesn't seem to be, infected itself in any way. It's, as far as I can tell, restricted to only the portable HDD. My antivirus is up to date; before writing this I scanned everything with Malwarebytes, no positives anywhere.

I would appreciate any help that you can give me, this is very important data for a shoot which cannot be conducted again.

Thanx a lot guys


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483
Run by SS at 17:52:34 on 2013-05-25
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16275.13348 [GMT 5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\TeraCopy\TeraCopy.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\SS\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [AdobeBridge] <no file>
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WIRELE~1.LNK - C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{7754D541-F12F-4EEE-91EA-80F37D1DB23E} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\
FF - prefs.js: browser.startup.homepage - Yahoo.com
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Users\SS\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - ExtSQL: 2013-05-24 19:56; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: 2013-05-24 20:07; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-05-24 20:30; {dc572301-7619-498c-a57d-39143191b318}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
FF - ExtSQL: 2013-05-24 20:30; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-05-24 20:30; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
FF - ExtSQL: 2013-05-24 20:30; {AE93811A-5C9A-4d34-8462-F7B864FC4696}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi
FF - ExtSQL: 2013-05-24 20:31; {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi
FF - ExtSQL: 2013-05-24 20:31; {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - ExtSQL: 2013-05-24 20:31; {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - ExtSQL: 2013-05-24 20:31; tineye@ideeinc.com; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\tineye@ideeinc.com.xpi
FF - ExtSQL: 2013-05-24 20:31; isreaditlater@ideashower.com; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\isreaditlater@ideashower.com.xpi
FF - ExtSQL: 2013-05-24 20:31; add-to-searchbox@maltekraus.de; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\add-to-searchbox@maltekraus.de.xpi
FF - ExtSQL: 2013-05-24 20:31; adblockpopups@jessehakanen.net; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\adblockpopups@jessehakanen.net.xpi
FF - ExtSQL: 2013-05-24 20:43; {1280606b-2510-4fe0-97ef-9b5a22eafe30}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-5-24 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-5-24 189936]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-5-24 19264]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2013-5-24 22680]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-5-24 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-5-24 378432]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-5-24 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-5-24 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-5-24 46808]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2013-5-24 166720]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-5-25 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-5-25 701512]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-5-24 365376]
R2 WlanWpsSvc;WlanWpsSvc;C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [2013-5-24 167936]
R3 ICCS;Intel(R) Integrated Clock Controller Service - Intel(R) ICCS;C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [2013-5-24 160256]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-5-24 342528]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-5-24 357184]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-5-24 789824]
R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2013-5-24 110744]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-25 25928]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\Windows\System32\drivers\RTL8192su.sys [2013-5-24 589312]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-4-19 161384]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2013-5-24 16776]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2013-5-24 9096]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-5-24 30528]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-10 19456]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-1-10 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-10 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-1-10 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-5-24 1255736]
.
=============== Created Last 30 ================
.
2013-05-25 11:29:03 -------- d-----w- C:\Users\SS\AppData\Roaming\Malwarebytes
2013-05-25 11:28:57 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-05-25 11:28:57 -------- d-----w- C:\ProgramData\Malwarebytes
2013-05-25 11:28:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-25 11:28:44 -------- d-----w- C:\Users\SS\AppData\Local\Programs
2013-05-25 08:06:56 -------- d-----w- C:\Users\SS\AppData\Local\Diagnostics
2013-05-25 07:54:37 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2013-05-25 07:44:05 -------- d-----w- C:\Users\SS\AppData\Local\Adobe
2013-05-25 07:16:02 -------- d-----w- C:\Program Files (x86)\Auslogics
2013-05-25 02:30:08 -------- d-----w- C:\Windows\Panther
2013-05-25 02:29:54 -------- d-sh--w- C:\Boot
2013-05-24 19:08:49 -------- d-----w- C:\Users\SS\AppData\Local\Macromedia
2013-05-24 18:53:14 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-24 18:53:13 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-24 17:42:36 -------- d-----w- C:\Users\SS\AppData\Local\Microsoft Games
2013-05-24 17:28:38 -------- d-----w- C:\Program Files\WDCSAM
2013-05-24 17:18:11 -------- d-----w- C:\Users\SS\AppData\Local\MediaMonkey
2013-05-24 17:18:10 -------- d-----w- C:\Program Files (x86)\MediaMonkey
2013-05-24 17:17:34 -------- d-----w- C:\Program Files (x86)\Media Monkey
2013-05-24 16:55:33 -------- d-----w- C:\Users\SS\AppData\Roaming\TeraCopy
2013-05-24 16:31:13 9096 ----a-w- C:\Windows\System32\EuGdiDrv.sys
2013-05-24 16:31:13 86408 ----a-w- C:\Windows\SysWow64\setupempdrv03.exe
2013-05-24 16:31:13 8456 ----a-w- C:\Windows\SysWow64\EuGdiDrv.sys
2013-05-24 16:31:13 2209920 ----a-w- C:\Windows\System32\BootMan.exe
2013-05-24 16:31:13 1774720 ----a-w- C:\Windows\SysWow64\BootMan.exe
2013-05-24 16:31:13 16776 ----a-w- C:\Windows\System32\epmntdrv.sys
2013-05-24 16:31:13 14848 ----a-w- C:\Windows\SysWow64\EuEpmGdi.dll
2013-05-24 16:31:13 14216 ----a-w- C:\Windows\SysWow64\epmntdrv.sys
2013-05-24 16:31:13 11264 ----a-w- C:\Windows\System32\EuEpmGdi.dll
2013-05-24 16:31:13 100232 ----a-w- C:\Windows\System32\setupempdrvx64.exe
2013-05-24 16:31:07 -------- d-----w- C:\Program Files (x86)\EASEUS
2013-05-24 16:27:05 -------- d-----w- C:\Windows\SysWow64\Wat
2013-05-24 16:27:05 -------- d-----w- C:\Windows\System32\Wat
2013-05-24 15:58:13 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-24 15:58:13 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-24 15:58:04 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-24 15:58:02 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2688BBD1-3261-4286-819E-9D23B773EE49}\mpengine.dll
2013-05-24 15:38:03 -------- d-----r- C:\Program Files (x86)\Skype
2013-05-24 15:29:45 70144 ----a-w- C:\Windows\System32\appinfo.dll
2013-05-24 15:29:45 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-05-24 15:29:45 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-05-24 15:29:45 111448 ----a-w- C:\Windows\System32\consent.exe
2013-05-24 15:27:41 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys
2013-05-24 15:24:29 -------- d-----w- C:\Users\SS\AppData\Roaming\SumatraPDF
2013-05-24 15:24:26 -------- d-----w- C:\Program Files (x86)\SumatraPDF
2013-05-24 15:24:15 -------- d-----w- C:\Program Files\TeraCopy
2013-05-24 15:05:44 -------- d-----w- C:\Users\SS\AppData\Roaming\uTorrent
2013-05-24 15:05:24 -------- d-----w- C:\Program Files (x86)\VideoLAN
2013-05-24 15:01:52 589312 ----a-w- C:\Windows\System32\drivers\RTL8192su.sys
2013-05-24 15:01:52 -------- d-----w- C:\Windows\pcidevice
2013-05-24 15:01:51 -------- d-----w- C:\Program Files (x86)\D-Link
2013-05-24 14:57:29 -------- d-----w- C:\Users\SS\AppData\Local\Google
2013-05-24 14:57:26 72016 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-05-24 14:57:26 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-05-24 14:57:25 189936 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-05-24 14:57:23 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-05-24 14:57:22 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-05-24 14:56:51 41664 ----a-w- C:\Windows\avastSS.scr
2013-05-24 14:56:42 -------- d-----w- C:\Program Files\AVAST Software
2013-05-24 14:56:16 -------- d-----w- C:\ProgramData\AVAST Software
2013-05-24 14:49:43 30528 ----a-w- C:\Windows\GVTDrv64.sys
2013-05-24 14:49:30 25640 ----a-w- C:\Windows\gdrv.sys
2013-05-24 14:29:11 -------- d-----w- C:\Program Files (x86)\AMD
2013-05-24 14:10:00 31272 ----a-w- C:\Windows\System32\AppleChargerSrv.exe
2013-05-24 14:10:00 22680 ----a-w- C:\Windows\System32\drivers\AppleCharger.sys
2013-05-24 14:10:00 -------- d-----w- C:\Program Files\GIGABYTE
2013-05-24 14:10:00 -------- d-----w- C:\Program Files (x86)\GIGABYTE
2013-05-24 14:09:53 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2013-05-24 14:09:53 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2013-05-24 14:09:53 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2013-05-24 14:09:53 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2013-05-24 14:09:53 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2013-05-24 14:09:53 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2013-05-24 14:09:53 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2013-05-24 14:09:53 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2013-05-24 14:09:39 41984 ----a-w- C:\Windows\System32\drivers\USB3Ver.dll
2013-05-24 14:09:18 -------- d-----w- C:\Windows\SysWow64\Atheros_L1e
2013-05-24 14:07:46 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-05-24 14:07:38 15168 ----a-w- C:\Windows\System32\drivers\IntelMEFWVer.dll
2013-05-24 14:06:56 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2013-05-24 14:06:54 62784 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2013-05-24 14:06:54 -------- d-----w- C:\Intel
2013-05-24 14:03:15 -------- d-sh--w- C:\Windows\Installer
2013-05-24 14:01:08 207400 ----a-w- C:\Windows\GSetup.exe
2013-05-24 13:59:56 -------- d-----w- C:\Users\SS\AppData\Local\VirtualStore
2013-05-24 13:57:34 142336 ----a-w- C:\Windows\System32\poqexec.exe
2013-05-24 13:57:34 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2013-05-24 13:56:26 -------- d-sh--w- C:\Recovery
2013-05-24 04:20:59 9728 ----a-w- C:\Windows\System32\IGFXDEVLib.dll
2013-05-24 04:16:22 110744 ----a-w- C:\Windows\System32\drivers\L1C62x64.sys
.
==================== Find3M ====================
.
2013-05-01 21:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-04-05 01:08:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-04-05 01:00:30 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-04-05 00:59:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-04-05 00:56:16 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-04-05 00:55:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-04-04 22:11:34 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-04-04 21:57:45 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
.
============= FINISH: 17:53:00.86 ===============
ssmad
Regular Member
Posts: 41
Joined: May 25th, 2013, 12:10 pm
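
The symptom described above (folders replaced by same-named shortcuts whose target is H:\.Trashes\b3fdadef.com) is the usual shortcut-worm lure: the real folders are normally still on the drive, just marked hidden. The script below is an added example, not from this thread or from any of the tools mentioned in it: a small Python parser that reads the [MS-SHLLINK] header, LinkInfo and StringData fields to recover each shortcut's target and arguments, then flags folder-named .lnk files that point at an executable inside a hidden dot-folder. The `RISKY_EXT` list, the `build_lnk` fixture builder and the constructed listing are my assumptions; the target path in the fixture is copied from the Avast log line.

```python
"""Triage for the "folders turned into shortcuts" pattern on a removable drive.
Shortcut worms hide the real folders and drop same-named .lnk files whose target
is a dropped executable (the Avast log here names H:\\.Trashes\\b3fdadef.com).
Reads only the [MS-SHLLINK] fields needed to recover a link's target/arguments."""
import ntpath
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
F_HAS_IDLIST, F_HAS_LINKINFO, F_HAS_NAME, F_HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
F_HAS_WORKDIR, F_HAS_ARGS, F_HAS_ICON, F_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((F_HAS_NAME, "name"), (F_HAS_RELPATH, "relative_path"),
                 (F_HAS_WORKDIR, "working_dir"), (F_HAS_ARGS, "arguments"),
                 (F_HAS_ICON, "icon_location"))
# Extensions a "folder" shortcut should never resolve to (assumed list).
RISKY_EXT = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def parse_lnk(data: bytes) -> dict:
    """Extract target path, flags and StringData from a Shell Link file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, file_attrs = struct.unpack_from("<II", data, 0x14)
    pos = 0x4C                                # end of the fixed ShellLinkHeader
    if flags & F_HAS_IDLIST:                  # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & F_HAS_LINKINFO:                # LinkInfo offsets are relative to its start
        size, _hdr, info_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x1:                  # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + base_off)
            target = data[pos + base_off:end].decode("latin-1")
        pos += size
    info = {"flags": flags, "file_attributes": file_attrs, "target": target}
    width = 2 if flags & F_UNICODE else 1
    for flag, name in STRING_FIELDS:          # StringData blocks, in spec order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return info


def triage_shortcut(lnk_name: str, data: bytes) -> list:
    """Reasons a folder-named .lnk looks like a shortcut-worm lure ([] if clean)."""
    info = parse_lnk(data)
    target = info["target"] or info.get("relative_path", "")
    reasons = []
    parts = [p for p in target.replace("/", "\\").split("\\") if p not in ("", ".", "..")]
    if any(p.startswith(".") for p in parts):
        reasons.append(f"target {target!r} lives in a hidden dot-folder")
    if ntpath.splitext(target)[1].lower() in RISKY_EXT:
        reasons.append(f"shortcut named like a folder ({lnk_name}) launches an executable")
    if info.get("arguments"):
        reasons.append(f"shortcut passes command-line arguments: {info['arguments']!r}")
    return reasons


def triage_listing(entries) -> dict:
    """entries: iterable of (file name, raw bytes); returns {name: reasons} for lures."""
    findings = {}
    for name, data in entries:
        if not name.lower().endswith(".lnk"):
            continue
        try:
            reasons = triage_shortcut(name, data)
        except ValueError as exc:             # damaged/foreign file with a .lnk name
            reasons = [f"unparseable: {exc}"]
        if reasons:
            findings[name] = reasons
    return findings


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying RelativePath (+ args),
    so the example runs offline. Real lures usually also carry an IDList/LinkInfo."""
    flags = F_UNICODE | F_HAS_RELPATH | (F_HAS_ARGS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0)
    header += bytes(24)                       # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize .. Reserved3
    body = b""
    for text in ([relative_path, arguments] if arguments else [relative_path]):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # e.g. python lnk_triage.py H:\
        listing = [(e.name, open(e.path, "rb").read())
                   for e in os.scandir(sys.argv[1]) if e.is_file()]
    else:                                     # constructed listing mirroring the thread
        listing = [("day1.lnk", build_lnk(".\\.Trashes\\b3fdadef.com")),
                   ("notes.lnk", build_lnk(".\\notes"))]
    for name, reasons in triage_listing(listing).items():
        print(name, *("  - " + r for r in reasons), sep="\n")
```

Run it against the drive root without opening any of the shortcuts; flagged names tell you which hidden folders to look for with a `dir /a:h`-style listing.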

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby deltalima » May 25th, 2013, 4:28 pm

checking your log - back soon.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby deltalima » May 25th, 2013, 4:31 pm

Hi ssmad,

I use to backup my photos and videos while I'm in the field working


When you say working, is the computer / disk used as part of a business or paid work?
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 4:50 pm

hey deltalima,

Thanx for the quick reply.

No, the photos and videos themselves aren't; they are personal, taken on work trips.
ssmad
Regular Member
Posts: 41
Joined: May 25th, 2013, 12:10 pm

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby deltalima » May 25th, 2013, 5:03 pm

ssmad wrote: hey deltalima,

Thanx for the quick reply.

No, the photos and videos themselves aren't; they are personal, taken on work trips.


this is very important data for a shoot which cannot be conducted again.


I'm not sure I follow, are these "personal videos" or "important data for a shoot"?
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 5:17 pm

deltalima, I'm an amateur photographer/videographer. I get to travel to some amazing places because of my work, and the shoots I conduct in those places are for me irreplaceable. This is all the data that I shot from my last trip in Tajikistan and Afghanistan, and I most likely will never get another chance to go there again!

help please!
ssmad
Regular Member
Posts: 41
Joined: May 25th, 2013, 12:10 pm

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby deltalima » May 25th, 2013, 5:36 pm

Hi ssmad,

Please run a new scan with DDS and post BOTH logs.

Next

CKScanner

  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on your Desktop before running the application!
  • Double-click on CKScanner.exe and click Search For Files (Right click and choose "Run as administrator" in Vista/Win7).
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file was saved.
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Next

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it (Right click and choose "Run as administrator" in Vista/Win7).
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Next

codecheck

  • Please download codecheck from here to your Desktop.
  • Make sure that codecheck.exe is on your Desktop before running the application!
  • Double-click on codecheck.exe.
  • After a very short time a codecheck.txt icon will appear on your Desktop.
  • Double-click on the codecheck.txt icon on your Desktop and copy/paste the contents in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 6:43 pm

Hey deltalima,

Here are all the diagnostic logs. Thanx for the help.

DDS1

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483
Run by SS at 3:34:25 on 2013-05-26
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16275.14069 [GMT 5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskeng.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\SS\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [AdobeBridge] <no file>
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WIRELE~1.LNK - C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{7754D541-F12F-4EEE-91EA-80F37D1DB23E} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\
FF - prefs.js: browser.startup.homepage - Yahoo.com
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Users\SS\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - ExtSQL: 2013-05-24 19:56; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: 2013-05-24 20:07; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-05-24 20:30; {dc572301-7619-498c-a57d-39143191b318}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
FF - ExtSQL: 2013-05-24 20:30; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-05-24 20:30; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
FF - ExtSQL: 2013-05-24 20:30; {AE93811A-5C9A-4d34-8462-F7B864FC4696}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi
FF - ExtSQL: 2013-05-24 20:31; {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi
FF - ExtSQL: 2013-05-24 20:31; {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - ExtSQL: 2013-05-24 20:31; {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - ExtSQL: 2013-05-24 20:31; tineye@ideeinc.com; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\tineye@ideeinc.com.xpi
FF - ExtSQL: 2013-05-24 20:31; isreaditlater@ideashower.com; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\isreaditlater@ideashower.com.xpi
FF - ExtSQL: 2013-05-24 20:31; add-to-searchbox@maltekraus.de; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\add-to-searchbox@maltekraus.de.xpi
FF - ExtSQL: 2013-05-24 20:31; adblockpopups@jessehakanen.net; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\adblockpopups@jessehakanen.net.xpi
FF - ExtSQL: 2013-05-24 20:43; {1280606b-2510-4fe0-97ef-9b5a22eafe30}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-5-24 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-5-24 189936]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-5-24 19264]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2013-5-24 22680]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-5-24 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-5-24 378432]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-5-24 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-5-24 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-5-24 46808]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2013-5-24 166720]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-5-25 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-5-25 701512]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-5-24 365376]
R2 WlanWpsSvc;WlanWpsSvc;C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [2013-5-24 167936]
R3 ICCS;Intel(R) Integrated Clock Controller Service - Intel(R) ICCS;C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [2013-5-24 160256]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-5-24 342528]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-5-24 357184]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-5-24 789824]
R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2013-5-24 110744]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-25 25928]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\Windows\System32\drivers\RTL8192su.sys [2013-5-24 589312]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-4-19 161384]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2013-5-24 16776]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2013-5-24 9096]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-5-24 30528]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-10 19456]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-1-10 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-10 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-1-10 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-5-24 1255736]
.
=============== Created Last 30 ================
.
2013-05-25 11:29:03 -------- d-----w- C:\Users\SS\AppData\Roaming\Malwarebytes
2013-05-25 11:28:57 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-05-25 11:28:57 -------- d-----w- C:\ProgramData\Malwarebytes
2013-05-25 11:28:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-25 11:28:44 -------- d-----w- C:\Users\SS\AppData\Local\Programs
2013-05-25 08:06:56 -------- d-----w- C:\Users\SS\AppData\Local\Diagnostics
2013-05-25 07:54:37 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2013-05-25 07:44:05 -------- d-----w- C:\Users\SS\AppData\Local\Adobe
2013-05-25 07:16:02 -------- d-----w- C:\Program Files (x86)\Auslogics
2013-05-25 02:30:08 -------- d-----w- C:\Windows\Panther
2013-05-25 02:29:54 -------- d-sh--w- C:\Boot
2013-05-24 19:08:49 -------- d-----w- C:\Users\SS\AppData\Local\Macromedia
2013-05-24 18:53:14 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-24 18:53:13 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-24 17:42:36 -------- d-----w- C:\Users\SS\AppData\Local\Microsoft Games
2013-05-24 17:28:38 -------- d-----w- C:\Program Files\WDCSAM
2013-05-24 17:18:11 -------- d-----w- C:\Users\SS\AppData\Local\MediaMonkey
2013-05-24 17:18:10 -------- d-----w- C:\Program Files (x86)\MediaMonkey
2013-05-24 17:17:34 -------- d-----w- C:\Program Files (x86)\Media Monkey
2013-05-24 16:55:33 -------- d-----w- C:\Users\SS\AppData\Roaming\TeraCopy
2013-05-24 16:31:13 9096 ----a-w- C:\Windows\System32\EuGdiDrv.sys
2013-05-24 16:31:13 86408 ----a-w- C:\Windows\SysWow64\setupempdrv03.exe
2013-05-24 16:31:13 8456 ----a-w- C:\Windows\SysWow64\EuGdiDrv.sys
2013-05-24 16:31:13 2209920 ----a-w- C:\Windows\System32\BootMan.exe
2013-05-24 16:31:13 1774720 ----a-w- C:\Windows\SysWow64\BootMan.exe
2013-05-24 16:31:13 16776 ----a-w- C:\Windows\System32\epmntdrv.sys
2013-05-24 16:31:13 14848 ----a-w- C:\Windows\SysWow64\EuEpmGdi.dll
2013-05-24 16:31:13 14216 ----a-w- C:\Windows\SysWow64\epmntdrv.sys
2013-05-24 16:31:13 11264 ----a-w- C:\Windows\System32\EuEpmGdi.dll
2013-05-24 16:31:13 100232 ----a-w- C:\Windows\System32\setupempdrvx64.exe
2013-05-24 16:31:07 -------- d-----w- C:\Program Files (x86)\EASEUS
2013-05-24 16:27:05 -------- d-----w- C:\Windows\SysWow64\Wat
2013-05-24 16:27:05 -------- d-----w- C:\Windows\System32\Wat
2013-05-24 15:58:13 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-24 15:58:13 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-24 15:58:04 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-24 15:58:02 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2688BBD1-3261-4286-819E-9D23B773EE49}\mpengine.dll
2013-05-24 15:38:03 -------- d-----r- C:\Program Files (x86)\Skype
2013-05-24 15:29:45 70144 ----a-w- C:\Windows\System32\appinfo.dll
2013-05-24 15:29:45 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-05-24 15:29:45 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-05-24 15:29:45 111448 ----a-w- C:\Windows\System32\consent.exe
2013-05-24 15:27:41 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys
2013-05-24 15:24:29 -------- d-----w- C:\Users\SS\AppData\Roaming\SumatraPDF
2013-05-24 15:24:26 -------- d-----w- C:\Program Files (x86)\SumatraPDF
2013-05-24 15:24:15 -------- d-----w- C:\Program Files\TeraCopy
2013-05-24 15:05:44 -------- d-----w- C:\Users\SS\AppData\Roaming\uTorrent
2013-05-24 15:05:24 -------- d-----w- C:\Program Files (x86)\VideoLAN
2013-05-24 15:01:52 589312 ----a-w- C:\Windows\System32\drivers\RTL8192su.sys
2013-05-24 15:01:52 -------- d-----w- C:\Windows\pcidevice
2013-05-24 15:01:51 -------- d-----w- C:\Program Files (x86)\D-Link
2013-05-24 14:57:29 -------- d-----w- C:\Users\SS\AppData\Local\Google
2013-05-24 14:57:26 72016 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-05-24 14:57:26 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-05-24 14:57:25 189936 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-05-24 14:57:23 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-05-24 14:57:22 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-05-24 14:56:51 41664 ----a-w- C:\Windows\avastSS.scr
2013-05-24 14:56:42 -------- d-----w- C:\Program Files\AVAST Software
2013-05-24 14:56:16 -------- d-----w- C:\ProgramData\AVAST Software
2013-05-24 14:49:43 30528 ----a-w- C:\Windows\GVTDrv64.sys
2013-05-24 14:49:30 25640 ----a-w- C:\Windows\gdrv.sys
2013-05-24 14:29:11 -------- d-----w- C:\Program Files (x86)\AMD
2013-05-24 14:10:00 31272 ----a-w- C:\Windows\System32\AppleChargerSrv.exe
2013-05-24 14:10:00 22680 ----a-w- C:\Windows\System32\drivers\AppleCharger.sys
2013-05-24 14:10:00 -------- d-----w- C:\Program Files\GIGABYTE
2013-05-24 14:10:00 -------- d-----w- C:\Program Files (x86)\GIGABYTE
2013-05-24 14:09:53 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2013-05-24 14:09:53 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2013-05-24 14:09:53 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2013-05-24 14:09:53 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2013-05-24 14:09:53 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2013-05-24 14:09:53 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2013-05-24 14:09:53 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2013-05-24 14:09:53 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2013-05-24 14:09:39 41984 ----a-w- C:\Windows\System32\drivers\USB3Ver.dll
2013-05-24 14:09:18 -------- d-----w- C:\Windows\SysWow64\Atheros_L1e
2013-05-24 14:07:46 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-05-24 14:07:38 15168 ----a-w- C:\Windows\System32\drivers\IntelMEFWVer.dll
2013-05-24 14:06:56 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2013-05-24 14:06:54 62784 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2013-05-24 14:06:54 -------- d-----w- C:\Intel
2013-05-24 14:03:15 -------- d-sh--w- C:\Windows\Installer
2013-05-24 14:01:08 207400 ----a-w- C:\Windows\GSetup.exe
2013-05-24 13:59:56 -------- d-----w- C:\Users\SS\AppData\Local\VirtualStore
2013-05-24 13:57:34 142336 ----a-w- C:\Windows\System32\poqexec.exe
2013-05-24 13:57:34 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2013-05-24 13:56:26 -------- d-sh--w- C:\Recovery
2013-05-24 04:20:59 9728 ----a-w- C:\Windows\System32\IGFXDEVLib.dll
2013-05-24 04:16:22 110744 ----a-w- C:\Windows\System32\drivers\L1C62x64.sys
.
==================== Find3M ====================
.
2013-05-01 21:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-04-05 01:08:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-04-05 01:00:30 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-04-05 00:59:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-04-05 00:56:16 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-04-05 00:55:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-04-04 22:11:34 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-04-04 21:57:45 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
.
============= FINISH: 3:34:57.16 ===============


DDS2

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483
Run by SS at 3:34:25 on 2013-05-26
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16275.14069 [GMT 5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskeng.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\SS\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [AdobeBridge] <no file>
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WIRELE~1.LNK - C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{7754D541-F12F-4EEE-91EA-80F37D1DB23E} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\
FF - prefs.js: browser.startup.homepage - Yahoo.com
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Users\SS\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll
FF - ExtSQL: 2013-05-24 19:56; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: 2013-05-24 20:07; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-05-24 20:30; {dc572301-7619-498c-a57d-39143191b318}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
FF - ExtSQL: 2013-05-24 20:30; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-05-24 20:30; {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
FF - ExtSQL: 2013-05-24 20:30; {AE93811A-5C9A-4d34-8462-F7B864FC4696}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi
FF - ExtSQL: 2013-05-24 20:31; {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi
FF - ExtSQL: 2013-05-24 20:31; {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - ExtSQL: 2013-05-24 20:31; {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - ExtSQL: 2013-05-24 20:31; tineye@ideeinc.com; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\tineye@ideeinc.com.xpi
FF - ExtSQL: 2013-05-24 20:31; isreaditlater@ideashower.com; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\isreaditlater@ideashower.com.xpi
FF - ExtSQL: 2013-05-24 20:31; add-to-searchbox@maltekraus.de; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\add-to-searchbox@maltekraus.de.xpi
FF - ExtSQL: 2013-05-24 20:31; adblockpopups@jessehakanen.net; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\adblockpopups@jessehakanen.net.xpi
FF - ExtSQL: 2013-05-24 20:43; {1280606b-2510-4fe0-97ef-9b5a22eafe30}; C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-5-24 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-5-24 189936]
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-5-24 19264]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2013-5-24 22680]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-5-24 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-5-24 378432]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-5-24 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-5-24 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-5-24 46808]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2013-5-24 166720]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-5-25 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-5-25 701512]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-5-24 365376]
R2 WlanWpsSvc;WlanWpsSvc;C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe [2013-5-24 167936]
R3 ICCS;Intel(R) Integrated Clock Controller Service - Intel(R) ICCS;C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [2013-5-24 160256]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-5-24 342528]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-5-24 357184]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-5-24 789824]
R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2013-5-24 110744]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-25 25928]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\Windows\System32\drivers\RTL8192su.sys [2013-5-24 589312]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-4-19 161384]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2013-5-24 16776]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2013-5-24 9096]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-5-24 30528]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-10 19456]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-1-10 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-10 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-1-10 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-5-24 1255736]
.
=============== Created Last 30 ================
.
2013-05-25 11:29:03 -------- d-----w- C:\Users\SS\AppData\Roaming\Malwarebytes
2013-05-25 11:28:57 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-05-25 11:28:57 -------- d-----w- C:\ProgramData\Malwarebytes
2013-05-25 11:28:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-25 11:28:44 -------- d-----w- C:\Users\SS\AppData\Local\Programs
2013-05-25 08:06:56 -------- d-----w- C:\Users\SS\AppData\Local\Diagnostics
2013-05-25 07:54:37 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2013-05-25 07:44:05 -------- d-----w- C:\Users\SS\AppData\Local\Adobe
2013-05-25 07:16:02 -------- d-----w- C:\Program Files (x86)\Auslogics
2013-05-25 02:30:08 -------- d-----w- C:\Windows\Panther
2013-05-25 02:29:54 -------- d-sh--w- C:\Boot
2013-05-24 19:08:49 -------- d-----w- C:\Users\SS\AppData\Local\Macromedia
2013-05-24 18:53:14 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-24 18:53:13 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-24 17:42:36 -------- d-----w- C:\Users\SS\AppData\Local\Microsoft Games
2013-05-24 17:28:38 -------- d-----w- C:\Program Files\WDCSAM
2013-05-24 17:18:11 -------- d-----w- C:\Users\SS\AppData\Local\MediaMonkey
2013-05-24 17:18:10 -------- d-----w- C:\Program Files (x86)\MediaMonkey
2013-05-24 17:17:34 -------- d-----w- C:\Program Files (x86)\Media Monkey
2013-05-24 16:55:33 -------- d-----w- C:\Users\SS\AppData\Roaming\TeraCopy
2013-05-24 16:31:13 9096 ----a-w- C:\Windows\System32\EuGdiDrv.sys
2013-05-24 16:31:13 86408 ----a-w- C:\Windows\SysWow64\setupempdrv03.exe
2013-05-24 16:31:13 8456 ----a-w- C:\Windows\SysWow64\EuGdiDrv.sys
2013-05-24 16:31:13 2209920 ----a-w- C:\Windows\System32\BootMan.exe
2013-05-24 16:31:13 1774720 ----a-w- C:\Windows\SysWow64\BootMan.exe
2013-05-24 16:31:13 16776 ----a-w- C:\Windows\System32\epmntdrv.sys
2013-05-24 16:31:13 14848 ----a-w- C:\Windows\SysWow64\EuEpmGdi.dll
2013-05-24 16:31:13 14216 ----a-w- C:\Windows\SysWow64\epmntdrv.sys
2013-05-24 16:31:13 11264 ----a-w- C:\Windows\System32\EuEpmGdi.dll
2013-05-24 16:31:13 100232 ----a-w- C:\Windows\System32\setupempdrvx64.exe
2013-05-24 16:31:07 -------- d-----w- C:\Program Files (x86)\EASEUS
2013-05-24 16:27:05 -------- d-----w- C:\Windows\SysWow64\Wat
2013-05-24 16:27:05 -------- d-----w- C:\Windows\System32\Wat
2013-05-24 15:58:13 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-05-24 15:58:13 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-24 15:58:04 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-24 15:58:02 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2688BBD1-3261-4286-819E-9D23B773EE49}\mpengine.dll
2013-05-24 15:38:03 -------- d-----r- C:\Program Files (x86)\Skype
2013-05-24 15:29:45 70144 ----a-w- C:\Windows\System32\appinfo.dll
2013-05-24 15:29:45 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-05-24 15:29:45 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-05-24 15:29:45 111448 ----a-w- C:\Windows\System32\consent.exe
2013-05-24 15:27:41 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys
2013-05-24 15:24:29 -------- d-----w- C:\Users\SS\AppData\Roaming\SumatraPDF
2013-05-24 15:24:26 -------- d-----w- C:\Program Files (x86)\SumatraPDF
2013-05-24 15:24:15 -------- d-----w- C:\Program Files\TeraCopy
2013-05-24 15:05:44 -------- d-----w- C:\Users\SS\AppData\Roaming\uTorrent
2013-05-24 15:05:24 -------- d-----w- C:\Program Files (x86)\VideoLAN
2013-05-24 15:01:52 589312 ----a-w- C:\Windows\System32\drivers\RTL8192su.sys
2013-05-24 15:01:52 -------- d-----w- C:\Windows\pcidevice
2013-05-24 15:01:51 -------- d-----w- C:\Program Files (x86)\D-Link
2013-05-24 14:57:29 -------- d-----w- C:\Users\SS\AppData\Local\Google
2013-05-24 14:57:26 72016 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-05-24 14:57:26 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-05-24 14:57:25 189936 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-05-24 14:57:23 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-05-24 14:57:22 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-05-24 14:56:51 41664 ----a-w- C:\Windows\avastSS.scr
2013-05-24 14:56:42 -------- d-----w- C:\Program Files\AVAST Software
2013-05-24 14:56:16 -------- d-----w- C:\ProgramData\AVAST Software
2013-05-24 14:49:43 30528 ----a-w- C:\Windows\GVTDrv64.sys
2013-05-24 14:49:30 25640 ----a-w- C:\Windows\gdrv.sys
2013-05-24 14:29:11 -------- d-----w- C:\Program Files (x86)\AMD
2013-05-24 14:10:00 31272 ----a-w- C:\Windows\System32\AppleChargerSrv.exe
2013-05-24 14:10:00 22680 ----a-w- C:\Windows\System32\drivers\AppleCharger.sys
2013-05-24 14:10:00 -------- d-----w- C:\Program Files\GIGABYTE
2013-05-24 14:10:00 -------- d-----w- C:\Program Files (x86)\GIGABYTE
2013-05-24 14:09:53 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2013-05-24 14:09:53 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2013-05-24 14:09:53 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2013-05-24 14:09:53 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2013-05-24 14:09:53 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2013-05-24 14:09:53 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2013-05-24 14:09:53 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2013-05-24 14:09:53 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2013-05-24 14:09:39 41984 ----a-w- C:\Windows\System32\drivers\USB3Ver.dll
2013-05-24 14:09:18 -------- d-----w- C:\Windows\SysWow64\Atheros_L1e
2013-05-24 14:07:46 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-05-24 14:07:38 15168 ----a-w- C:\Windows\System32\drivers\IntelMEFWVer.dll
2013-05-24 14:06:56 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2013-05-24 14:06:54 62784 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2013-05-24 14:06:54 -------- d-----w- C:\Intel
2013-05-24 14:03:15 -------- d-sh--w- C:\Windows\Installer
2013-05-24 14:01:08 207400 ----a-w- C:\Windows\GSetup.exe
2013-05-24 13:59:56 -------- d-----w- C:\Users\SS\AppData\Local\VirtualStore
2013-05-24 13:57:34 142336 ----a-w- C:\Windows\System32\poqexec.exe
2013-05-24 13:57:34 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2013-05-24 13:56:26 -------- d-sh--w- C:\Recovery
2013-05-24 04:20:59 9728 ----a-w- C:\Windows\System32\IGFXDEVLib.dll
2013-05-24 04:16:22 110744 ----a-w- C:\Windows\System32\drivers\L1C62x64.sys
.
==================== Find3M ====================
.
2013-05-01 21:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-04-05 01:08:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-04-05 01:00:30 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-04-05 00:59:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-04-05 00:56:16 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-04-05 00:55:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-04-04 22:11:34 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-04-04 21:57:45 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
.
============= FINISH: 3:34:57.16 ===============


CKScanner

CKScanner 2.3 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.MGNAEI
----- EOF -----

MGADiag

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-Q6MMK-KYK6X-VKM6G
Windows Product Key Hash: 289NoAWl2ZoVfuieux/315WkDIc=
Windows Product ID: 00426-OEM-8992662-00173
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {FA7C8188-F76F-4A2C-A4F3-2C46669EC557}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130318-1533
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{FA7C8188-F76F-4A2C-A4F3-2C46669EC557}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-VKM6G</PKey><PID>00426-OEM-8992662-00173</PID><PIDType>2</PIDType><SID>S-1-5-21-1413790130-785985914-1171661357</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>To be filled by O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>F7</Version><SMBIOSVersion major="2" minor="7"/><Date>20120821000000.000000+000</Date></BIOS><HWID>C74A0400018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pakistan Standard Time(GMT+05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>_ASUS_</OEMID><OEMTableID>Notebook</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00178-926-600173-02-1033-7601.0000-1442013
Installation ID: 015285727602547871518184381295093204268680411230338153
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: VKM6G
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 5/26/2013 3:38:06 AM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 5:25:2013 04:59
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: MgAAAAAABAABAAEAAAACAAAAAgABAAEAHKK0gBZSlJZ0uGAakj4o0/QB/EXAjH+0lmM=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC ALASKA A M I
FACP ALASKA A M I
HPET ALASKA A M I
MCFG
SSDT IdeRef IdeTable
SSDT IdeRef IdeTable
SSDT IdeRef IdeTable
DMAR INTEL SNB
SLIC _ASUS_ Notebook


Codecheck

Codecheck Version 1.0

05026
ssmad
Regular Member
 
Posts: 41
Joined: May 25th, 2013, 12:10 pm

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby deltalima » May 25th, 2013, 6:53 pm

You posted the DDS log twice, please post the Attach.txt log.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 7:11 pm

sorry.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 5/24/2013 6:58:15 PM
System Uptime: 5/26/2013 3:29:06 AM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | H77-DS3H
Processor: Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz | Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz | 2698/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 98 GiB total, 48.314 GiB free.
D: is FIXED (NTFS) - 371 GiB total, 330.625 GiB free.
E: is FIXED (NTFS) - 364 GiB total, 282.159 GiB free.
F: is FIXED (NTFS) - 1030 GiB total, 595.251 GiB free.
G: is FIXED (NTFS) - 466 GiB total, 238.877 GiB free.
I: is FIXED (NTFS) - 931 GiB total, 369.806 GiB free.
T: is FIXED (NTFS) - 931 GiB total, 387.292 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP10: 5/24/2013 7:30:22 PM - Installed AutoGreen B12.0206.1
RP11: 5/24/2013 7:53:19 PM - Device Driver Package Install: LG Monitors
RP12: 5/24/2013 7:56:38 PM - avast! Free Antivirus Setup
RP13: 5/24/2013 8:01:45 PM - Installed D-Link DWA-131 Wireless N Nano USB Adapter
RP14: 5/24/2013 8:04:17 PM - Windows Update
RP15: 5/24/2013 8:09:42 PM - Windows Update
RP16: 5/24/2013 8:49:40 PM - Windows Update
RP17: 5/24/2013 9:26:50 PM - Windows Update
RP18: 5/24/2013 10:28:00 PM - Installed SES Driver
RP19: 5/25/2013 1:05:04 PM - Installed Adobe Photoshop Lightroom 4.1 64-bit.
.
==== Installed Programs ======================
.
@BIOS
µTorrent
Adobe Flash Player 11 Plugin
Adobe Photoshop CS6
Adobe Photoshop Lightroom 4.1 64-bit
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Auslogics Duplicate File Finder
AutoGreen B12.0206.1
avast! Free Antivirus
D-Link DWA-131 Wireless N Nano USB Adapter
EASEUS Partition Master 6.0.1 Professional
Easy Tune 6 B12.1121.1
Google Talk Plugin
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) SDK for OpenCL - CPU Only Runtime Package
Intel(R) USB 3.0 eXtensible Host Controller Driver
Intel® Trusted Connect Service Client
Malwarebytes Anti-Malware version 1.75.0.1300
Media Monkey 3.2.5
MediaMonkey 3.2
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft_VC80_CRT_x86
Microsoft_VC90_CRT_x86
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
ON_OFF Charge B12.1025.1
PDF Settings CS6
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
SES Driver
Skype™ 6.3
SumatraPDF
TeraCopy 2.27
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VLC media player 2.0.6
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (03/06/2009 1.0.0008.0)
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
5/26/2013 3:32:27 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR4.
5/26/2013 2:11:26 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.
5/25/2013 6:31:34 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
5/25/2013 6:30:47 AM, Error: volmgr [46] - Crash dump initialization failed!
5/25/2013 11:58:41 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR9.
5/25/2013 11:57:59 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR8.
5/25/2013 11:57:36 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR7.
5/25/2013 11:57:10 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR6.
5/25/2013 11:54:36 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR5.
5/24/2013 7:08:15 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR5.
5/24/2013 7:08:02 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
5/24/2013 6:59:41 PM, Error: Service Control Manager [7023] -
.
==== End Of File ===========================
ssmad
Regular Member
 
Posts: 41
Joined: May 25th, 2013, 12:10 pm

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby deltalima » May 25th, 2013, 7:30 pm

Hi ssmad,

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove" button to uninstall the programs listed above (in red) and any other P2P programs you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it (Right click and choose "Run as administrator" in Vista/Win7).
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file (Right click and choose "Run as administrator" in Vista/Win7). If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
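The thread title concerns an external WD drive on which avast! flagged a Win32:Kryptik file, the symptom USB shortcut worms leave on removable media: the real folders are marked Hidden+System and a same-named .lnk is planted beside each one, pointing at a payload in a hidden staging directory. The helper's steps above scan the host; a practitioner would also want a read-only triage of the drive itself. The PowerShell script below is an added example, not part of deltalima's instructions or of any tool named in the thread. It resolves every .lnk in the drive root through the WScript.Shell COM object, flags links whose target or arguments reach into a hidden staging directory or launch an interpreter, checks whether a hidden twin folder sits beside each link, and lists the Hidden+System directories that would need restoring. The drive letter, the '.Trashes' directory name and the launcher list are assumptions; the repair step is left commented out so nothing changes until the findings are reviewed.

```powershell
# Added example (not from the thread): read-only triage of a removable drive for the
# shortcut-replacement pattern left by USB worms. Requires PowerShell 3.0 or later.
# Assumptions: the drive letter, the '.Trashes' staging directory and the launcher list.
param([string]$DriveLetter = 'H')

$root  = "${DriveLetter}:\"
$shell = New-Object -ComObject WScript.Shell

# Resolve every .lnk in the drive root. A worm-planted link normally sits beside a
# hidden directory with the same base name (the original folder it impersonates).
$links = @(Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sc = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Link       = $_.Name
            Target     = $sc.TargetPath
            Arguments  = $sc.Arguments
            HiddenTwin = Test-Path -LiteralPath (Join-Path $root $_.BaseName) -PathType Container
        }
    })

# Flag links whose target or arguments reach into a hidden staging directory or run an
# interpreter/launcher instead of opening a folder, and links that impersonate a local
# folder while pointing off the drive. The pattern is an assumption, extend as needed.
$launcherPattern = '\\\.Trashes\\|\\cmd\.exe|\\wscript\.exe|\\cscript\.exe|\\rundll32\.exe|\.com(\s|$)|\.scr(\s|$)'
$suspicious = @($links | Where-Object {
    (($_.Target + ' ' + $_.Arguments) -match $launcherPattern) -or
    ($_.HiddenTwin -and ($_.Target -notlike "${root}*"))
})

# Directories the worm hid from the user: Hidden + System on the originals.
$hiddenDirs = @(Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::System)
    })

"{0} shortcut(s) in {1}; {2} suspicious" -f $links.Count, $root, $suspicious.Count
$suspicious | Format-Table Link, HiddenTwin, Target, Arguments -AutoSize
"Hidden+System directories (candidates to restore): {0}" -f $hiddenDirs.Count
$hiddenDirs | Select-Object Name, Attributes | Format-Table -AutoSize

# Repair, deliberately commented out: delete the planted links and unhide the originals
# only after reviewing the output and after the antivirus has quarantined the payload.
# $suspicious | ForEach-Object { Remove-Item -LiteralPath (Join-Path $root $_.Link) -Force }
# $hiddenDirs | ForEach-Object { attrib -h -s $_.FullName }
```

Save it under any name (say triage-usb.ps1, an assumed filename) and run it from a PowerShell 3.0+ prompt with the drive attached: `.\triage-usb.ps1 -DriveLetter H`. The script only reads the shortcut files; it is double-clicking a link in Explorer that launches whatever the link targets, so review the table before touching anything. Uncomment the repair lines only once the flagged target has been removed or quarantined, otherwise a surviving payload can simply re-plant the links.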

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 8:23 pm

hey deltalima,

OTL

OTL logfile created on: 5/26/2013 4:44:26 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\SS\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

15.89 Gb Total Physical Memory | 13.09 Gb Available Physical Memory | 82.35% Memory free
31.78 Gb Paging File | 29.01 Gb Available in Paging File | 91.26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 48.30 Gb Free Space | 49.51% Space Free | Partition Type: NTFS
Drive D: | 370.62 Gb Total Space | 330.59 Gb Free Space | 89.20% Space Free | Partition Type: NTFS
Drive E: | 364.24 Gb Total Space | 282.16 Gb Free Space | 77.47% Space Free | Partition Type: NTFS
Drive F: | 1030.49 Gb Total Space | 595.25 Gb Free Space | 57.76% Space Free | Partition Type: NTFS
Drive G: | 465.75 Gb Total Space | 238.88 Gb Free Space | 51.29% Space Free | Partition Type: NTFS
Drive I: | 931.48 Gb Total Space | 369.81 Gb Free Space | 39.70% Space Free | Partition Type: NTFS
Drive T: | 931.48 Gb Total Space | 387.29 Gb Free Space | 41.58% Space Free | Partition Type: NTFS

Computer Name: SS-PC | User Name: SS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\SS\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe (Intel Corporation)
PRC - C:\Program Files (x86)\D-Link\DWA-131 revA\wirelesscm.exe (D-Link Corp.)
PRC - C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe ()


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files (x86)\D-Link\DWA-131 revA\WlanDll.dll ()


========== Services (SafeList) ==========

SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (Intel(R) -- C:\Program Files\Intel\iCLS Client\HeciServer.exe (Intel(R) Corporation)
SRV:64bit: - (AppleChargerSrv) -- C:\Windows\SysNative\AppleChargerSrv.exe ()
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (cphs) -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe (Intel Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (jhi_service) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe (Intel Corporation)
SRV - (ICCS) -- C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe (Intel Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (WlanWpsSvc) -- C:\Program Files (x86)\D-Link\DWA-131 revA\WlanWpsSvc.exe ()


========== Driver Services (SafeList) ==========

DRV:64bit: - (aswSnx) -- C:\Windows\SysNative\drivers\aswSnx.sys (AVAST Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (AVAST Software)
DRV:64bit: - (aswVmm) -- C:\Windows\SysNative\drivers\aswVmm.sys ()
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\drivers\aswRdr2.sys (AVAST Software)
DRV:64bit: - (aswRvrt) -- C:\Windows\SysNative\drivers\aswRvrt.sys ()
DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (AVAST Software)
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (AVAST Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (AVAST Software)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (terminpt) -- C:\Windows\SysNative\drivers\terminpt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (AppleCharger) -- C:\Windows\SysNative\drivers\AppleCharger.sys ()
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (L1C) -- C:\Windows\SysNative\drivers\L1C62x64.sys (Qualcomm Atheros Co., Ltd.)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (iusb3xhc) -- C:\Windows\SysNative\drivers\iusb3xhc.sys (Intel Corporation)
DRV:64bit: - (iusb3hub) -- C:\Windows\SysNative\drivers\iusb3hub.sys (Intel Corporation)
DRV:64bit: - (iusb3hcs) -- C:\Windows\SysNative\drivers\iusb3hcs.sys (Intel Corporation)
DRV:64bit: - (tsusbhub) -- C:\Windows\SysNative\drivers\tsusbhub.sys (Microsoft Corporation)
DRV:64bit: - (Synth3dVsc) -- C:\Windows\SysNative\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV:64bit: - (dmvsc) -- C:\Windows\SysNative\drivers\dmvsc.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (epmntdrv) -- C:\Windows\SysNative\epmntdrv.sys ()
DRV:64bit: - (EuGdiDrv) -- C:\Windows\SysNative\EuGdiDrv.sys ()
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (RTL8192su) -- C:\Windows\SysNative\drivers\RTL8192su.sys (Realtek Semiconductor Corporation )
DRV:64bit: - (WDC_SAM) -- C:\Windows\SysNative\drivers\wdcsam64.sys (Western Digital Technologies)
DRV - (GVTDrv64) -- C:\Windows\GVTDrv64.sys ()
DRV - (gdrv) -- C:\Windows\gdrv.sys (Windows (R) Server 2003 DDK provider)
DRV - (epmntdrv) -- C:\Windows\SysWOW64\epmntdrv.sys ()
DRV - (EuGdiDrv) -- C:\Windows\SysWOW64\EuGdiDrv.sys ()
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1413790130-785985914-1171661357-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "Yahoo.com"
FF - prefs.js..extensions.enabledAddons: %7Bdc572301-7619-498c-a57d-39143191b318%7D:0.4.1.0
FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.14
FF - prefs.js..extensions.enabledAddons: %7BD4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389%7D:0.9.10
FF - prefs.js..extensions.enabledAddons: %7BAE93811A-5C9A-4d34-8462-F7B864FC4696%7D:4.16
FF - prefs.js..extensions.enabledAddons: %7B1A2D0EC4-75F5-4c91-89C4-3656F6E44B68%7D:0.5.4
FF - prefs.js..extensions.enabledAddons: %7B0FED7D55-65D4-47b6-A6DE-9A4ADB55355F%7D:1.0.8
FF - prefs.js..extensions.enabledAddons: %7B0538E3E3-7E9B-4d49-8831-A227C80A7AD3%7D:2.2.2
FF - prefs.js..extensions.enabledAddons: tineye%40ideeinc.com:1.1
FF - prefs.js..extensions.enabledAddons: isreaditlater%40ideashower.com:3.0.1
FF - prefs.js..extensions.enabledAddons: add-to-searchbox%40maltekraus.de:2.0
FF - prefs.js..extensions.enabledAddons: adblockpopups%40jessehakanen.net:0.7
FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:8.0.1489
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O1DPlugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\SS\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\SS\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\SS\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/05/24 19:56:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2013/05/24 20:06:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Extensions
[2013/05/24 20:43:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions
[2013/05/24 20:31:00 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2013/05/24 20:31:00 | 000,000,000 | ---D | M] (Autocopy) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2013/05/24 20:30:59 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2013/05/24 20:31:00 | 000,134,804 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\adblockpopups@jessehakanen.net.xpi
[2013/05/24 20:31:00 | 000,025,781 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\add-to-searchbox@maltekraus.de.xpi
[2013/05/24 20:31:00 | 000,223,719 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\isreaditlater@ideashower.com.xpi
[2013/05/24 20:31:00 | 000,008,001 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\tineye@ideeinc.com.xpi
[2013/05/24 20:43:11 | 000,534,383 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi
[2013/05/24 20:31:00 | 000,087,920 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi
[2013/05/24 20:30:59 | 000,377,738 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi
[2013/05/24 20:07:52 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/05/24 20:30:59 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
[2013/05/24 20:30:59 | 000,765,412 | ---- | M] () (No name found) -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
[2013/05/24 23:29:24 | 000,001,041 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\-dailymotion.xml
[2013/05/24 20:19:05 | 000,002,868 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\allmusic.xml
[2013/05/24 20:18:28 | 000,002,506 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\duckduckgo.xml
[2013/05/25 15:12:39 | 000,001,062 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\goodreads.xml
[2013/05/24 20:18:10 | 000,002,730 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\google-images.xml
[2013/05/24 20:18:34 | 000,002,176 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\google-maps.xml
[2013/05/24 20:19:17 | 000,002,228 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\google-play---apps.xml
[2013/05/24 20:18:06 | 000,002,387 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\google-us.xml
[2013/05/24 20:18:02 | 000,002,533 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\imdb.xml
[2013/05/24 20:18:17 | 000,001,846 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\isohunt---bittorrent.xml
[2013/05/24 20:18:20 | 000,002,787 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\kickasstorrents-by-seeders.xml
[2013/05/24 20:19:12 | 000,002,226 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\merriam-webster-dictionary.xml
[2013/05/24 20:18:13 | 000,001,927 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\mycroft-project.xml
[2013/05/24 20:18:40 | 000,002,253 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\rotten-tomatoes.xml
[2013/05/24 20:18:55 | 000,001,081 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\thesauruscom.xml
[2013/05/24 20:17:57 | 000,002,383 | ---- | M] () -- C:\Users\SS\AppData\Roaming\Mozilla\Firefox\Profiles\64glyqu5.default\searchplugins\youtube.xml
[2013/05/24 20:04:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2013/05/24 20:04:49 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/05/24 19:56:56 | 000,000,000 | ---D | M] (avast! Online Security) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF

O1 HOSTS File: ([2009/06/11 02:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AdobeCS6ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [USB3MON] C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Intel Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1413790130-785985914-1171661357-1000..\Run: [AdobeBridge] File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7754D541-F12F-4EEE-91EA-80F37D1DB23E}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/05/26 04:41:23 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\SS\Desktop\OTL.exe
[2013/05/26 03:55:29 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\calibre
[2013/05/26 03:55:19 | 000,000,000 | ---D | C] -- C:\Program Files\Calibre2
[2013/05/26 03:55:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre 64bit - E-book Management
[2013/05/26 03:38:12 | 000,000,000 | ---D | C] -- C:\MGADiagToolOutput
[2013/05/26 03:38:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2013/05/26 03:33:57 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\SS\Desktop\dds.com
[2013/05/26 03:32:58 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Users\SS\Desktop\MGADiag.exe
[2013/05/25 16:29:03 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Malwarebytes
[2013/05/25 16:28:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/05/25 16:28:57 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/05/25 16:28:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013/05/25 16:28:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/05/25 16:28:44 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Programs
[2013/05/25 13:06:56 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Diagnostics
[2013/05/25 12:54:37 | 000,000,000 | ---D | C] -- C:\ProgramData\regid.1986-12.com.adobe
[2013/05/25 12:52:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Adobe
[2013/05/25 12:50:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2013/05/25 12:48:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2013/05/25 12:45:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2013/05/25 12:44:05 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Adobe
[2013/05/25 12:16:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2013/05/25 12:16:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Auslogics
[2013/05/25 07:30:08 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2013/05/25 07:29:54 | 000,000,000 | -HSD | C] -- C:\Boot
[2013/05/25 06:33:37 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2013/05/25 06:31:31 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2013/05/25 06:30:54 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2013/05/25 03:38:09 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\vlc
[2013/05/25 03:29:58 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\WinRAR
[2013/05/25 00:08:49 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Macromedia
[2013/05/25 00:08:49 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Macromedia
[2013/05/25 00:08:49 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Adobe
[2013/05/24 23:53:14 | 000,692,104 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/05/24 23:53:13 | 000,071,048 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/05/24 23:53:12 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2013/05/24 23:53:09 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2013/05/24 22:42:36 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Microsoft Games
[2013/05/24 22:28:59 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2013/05/24 22:28:38 | 000,000,000 | ---D | C] -- C:\Program Files\WDCSAM
[2013/05/24 22:18:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MediaMonkey
[2013/05/24 22:18:11 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\MediaMonkey
[2013/05/24 22:18:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MediaMonkey
[2013/05/24 22:17:34 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Media Monkey
[2013/05/24 22:17:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Monkey
[2013/05/24 22:17:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Media Monkey
[2013/05/24 21:55:33 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\TeraCopy
[2013/05/24 21:31:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EASEUS Partition Master 6.0.1 Professional Edition
[2013/05/24 21:31:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\EASEUS
[2013/05/24 21:27:05 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2013/05/24 21:27:05 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2013/05/24 20:56:23 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/05/24 20:56:23 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/05/24 20:56:22 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/05/24 20:56:22 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/05/24 20:56:22 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/05/24 20:56:21 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/05/24 20:56:21 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/05/24 20:56:21 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/05/24 20:56:21 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/05/24 20:56:21 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/05/24 20:56:21 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013/05/24 20:56:21 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/05/24 20:56:20 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/05/24 20:56:20 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/05/24 20:56:20 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/05/24 20:38:07 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Skype
[2013/05/24 20:38:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2013/05/24 20:38:03 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2013/05/24 20:38:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2013/05/24 20:38:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2013/05/24 20:29:45 | 001,930,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\authui.dll
[2013/05/24 20:29:45 | 001,796,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\authui.dll
[2013/05/24 20:29:45 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\shdocvw.dll
[2013/05/24 20:29:45 | 000,111,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\consent.exe
[2013/05/24 20:28:32 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013/05/24 20:28:32 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013/05/24 20:28:32 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013/05/24 20:28:32 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013/05/24 20:28:32 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013/05/24 20:28:31 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013/05/24 20:28:25 | 005,550,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013/05/24 20:28:25 | 003,968,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013/05/24 20:28:25 | 003,913,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013/05/24 20:28:25 | 000,112,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe
[2013/05/24 20:28:25 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2013/05/24 20:28:25 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll
[2013/05/24 20:28:24 | 000,288,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[2013/05/24 20:28:24 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wwanprotdim.dll
[2013/05/24 20:28:23 | 000,265,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\dxgmms1.sys
[2013/05/24 20:28:23 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdd.dll
[2013/05/24 20:28:23 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usb8023.sys
[2013/05/24 20:24:29 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\SumatraPDF
[2013/05/24 20:24:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SumatraPDF
[2013/05/24 20:24:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeraCopy
[2013/05/24 20:24:15 | 000,000,000 | ---D | C] -- C:\Program Files\TeraCopy
[2013/05/24 20:05:44 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\uTorrent
[2013/05/24 20:05:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2013/05/24 20:05:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VideoLAN
[2013/05/24 20:04:58 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Mozilla
[2013/05/24 20:04:58 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Mozilla
[2013/05/24 20:04:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2013/05/24 20:04:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2013/05/24 20:04:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013/05/24 20:04:37 | 002,622,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll
[2013/05/24 20:04:37 | 000,057,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe
[2013/05/24 20:04:37 | 000,044,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups2.dll
[2013/05/24 20:04:33 | 000,701,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll
[2013/05/24 20:04:33 | 000,099,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll
[2013/05/24 20:04:33 | 000,038,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll
[2013/05/24 20:04:25 | 000,186,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll
[2013/05/24 20:04:25 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe
[2013/05/24 20:04:05 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2013/05/24 20:04:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2013/05/24 20:04:02 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2013/05/24 20:01:52 | 000,589,312 | ---- | C] (Realtek Semiconductor Corporation ) -- C:\Windows\SysNative\drivers\RTL8192su.sys
[2013/05/24 20:01:52 | 000,000,000 | ---D | C] -- C:\Windows\pcidevice
[2013/05/24 20:01:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\D-Link
[2013/05/24 20:01:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\D-Link
[2013/05/24 19:57:29 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Google
[2013/05/24 19:57:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2013/05/24 19:57:28 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013/05/24 19:57:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013/05/24 19:57:27 | 000,378,432 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013/05/24 19:57:26 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013/05/24 19:57:26 | 000,072,016 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013/05/24 19:57:26 | 000,064,288 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013/05/24 19:57:22 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013/05/24 19:57:22 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013/05/24 19:56:51 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013/05/24 19:56:42 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/05/24 19:56:16 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013/05/24 19:49:30 | 000,025,640 | ---- | C] (Windows (R) Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2013/05/24 19:29:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIGABYTE
[2013/05/24 19:29:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD
[2013/05/24 19:10:00 | 000,000,000 | ---D | C] -- C:\Program Files\GIGABYTE
[2013/05/24 19:10:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GIGABYTE
[2013/05/24 19:09:39 | 000,041,984 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\USB3Ver.dll
[2013/05/24 19:09:18 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Atheros_L1e
[2013/05/24 19:08:56 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\RTCOM
[2013/05/24 19:08:56 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2013/05/24 19:08:49 | 002,674,320 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtPgEx64.dll
[2013/05/24 19:08:49 | 002,605,400 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\WavesGUILib.dll
[2013/05/24 19:08:49 | 001,560,168 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RTSnMg64.cpl
[2013/05/24 19:08:49 | 000,518,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSX64.dll
[2013/05/24 19:08:49 | 000,331,880 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtlCPAPI64.dll
[2013/05/24 19:08:49 | 000,211,184 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSH64.dll
[2013/05/24 19:08:49 | 000,198,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSHP64.dll
[2013/05/24 19:08:49 | 000,155,888 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSWOW64.dll
[2013/05/24 19:08:48 | 003,615,888 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkAPO64.dll
[2013/05/24 19:08:48 | 001,262,696 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RTCOM64.dll
[2013/05/24 19:08:48 | 000,897,152 | ---- | C] (Creative Technology Ltd.) -- C:\Windows\SysNative\MBAPO64.dll
[2013/05/24 19:08:48 | 000,869,520 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkApi64.dll
[2013/05/24 19:08:48 | 000,753,280 | ---- | C] (Creative Technology Ltd.) -- C:\Windows\SysWow64\MBAPO32.dll
[2013/05/24 19:08:48 | 000,375,128 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEP64A.dll
[2013/05/24 19:08:48 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DHT64.dll
[2013/05/24 19:08:48 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DAA64.dll
[2013/05/24 19:08:48 | 000,204,120 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEED64A.dll
[2013/05/24 19:08:48 | 000,149,608 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkCfg64.dll
[2013/05/24 19:08:48 | 000,105,616 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RCoInstII64.dll
[2013/05/24 19:08:48 | 000,101,208 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEL64A.dll
[2013/05/24 19:08:48 | 000,083,072 | ---- | C] (Creative Technology Ltd.) -- C:\Windows\SysNative\MBWrp64.dll
[2013/05/24 19:08:48 | 000,078,680 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEG64A.dll
[2013/05/24 19:08:48 | 000,065,112 | ---- | C] (Creative Technology Ltd.) -- C:\Windows\SysNative\MBppld64.dll
[2013/05/24 19:08:48 | 000,060,504 | ---- | C] (Creative Technology Ltd.) -- C:\Windows\SysNative\MBPPCn64.dll
[2013/05/24 19:08:48 | 000,014,952 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\SysNative\RtkCoLDR64.dll
[2013/05/24 19:08:47 | 002,131,288 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioEQ.dll
[2013/05/24 19:08:47 | 001,015,640 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPOShell64.dll
[2013/05/24 19:08:47 | 000,318,808 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPO20.dll
[2013/05/24 19:08:46 | 002,533,952 | ---- | C] (Fortemedia Corporation) -- C:\Windows\SysNative\FMAPO64.dll
[2013/05/24 19:08:45 | 001,706,640 | ---- | C] (Realtek Semiconductor Corp.) -- C:\Windows\RtlExUpd.dll
[2013/05/24 19:08:45 | 000,202,336 | ---- | C] (Andrea Electronics Corporation) -- C:\Windows\SysNative\AERTAC64.dll
[2013/05/24 19:08:45 | 000,108,640 | ---- | C] (Andrea Electronics Corporation) -- C:\Windows\SysNative\AERTAR64.dll
[2013/05/24 19:08:45 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Temp
[2013/05/24 19:08:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Realtek
[2013/05/24 19:08:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\InstallShield
[2013/05/24 19:08:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intel
[2013/05/24 19:08:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Intel
[2013/05/24 19:08:23 | 000,056,832 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\OpenCL.DLL
[2013/05/24 19:08:23 | 000,056,320 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\OpenCL.DLL
[2013/05/24 19:07:46 | 000,053,248 | ---- | C] (Windows XP Bundled build C-Centric Single User) -- C:\Windows\SysWow64\CSVer.dll
[2013/05/24 19:07:38 | 000,015,168 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\IntelMEFWVer.dll
[2013/05/24 19:07:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Intel
[2013/05/24 19:07:13 | 000,000,000 | ---D | C] -- C:\Program Files\Intel
[2013/05/24 19:06:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\postureAgent
[2013/05/24 19:06:54 | 000,062,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\HECIx64.sys
[2013/05/24 19:06:54 | 000,000,000 | ---D | C] -- C:\Intel
[2013/05/24 19:06:53 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\InstallShield Installation Information
[2013/05/24 19:06:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Intel
[2013/05/24 19:06:53 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\InstallShield
[2013/05/24 19:03:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2013/05/24 19:03:15 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2013/05/24 19:00:10 | 000,000,000 | R--D | C] -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2013/05/24 19:00:10 | 000,000,000 | R--D | C] -- C:\Users\SS\Searches
[2013/05/24 19:00:10 | 000,000,000 | R--D | C] -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2013/05/24 19:00:09 | 000,000,000 | -H-D | C] -- C:\Users\SS\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2013/05/24 19:00:01 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Identities
[2013/05/24 18:59:58 | 000,000,000 | R--D | C] -- C:\Users\SS\Contacts
[2013/05/24 18:59:56 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\VirtualStore
[2013/05/24 18:58:17 | 000,000,000 | --SD | C] -- C:\Users\SS\AppData\Roaming\Microsoft
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Videos
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Saved Games
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Pictures
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Music
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Links
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Favorites
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Downloads
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Documents
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\Desktop
[2013/05/24 18:58:17 | 000,000,000 | R--D | C] -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\AppData\Local\Temporary Internet Files
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Templates
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Start Menu
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\SendTo
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Recent
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\PrintHood
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\NetHood
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Documents\My Videos
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Documents\My Pictures
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Documents\My Music
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\My Documents
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Local Settings
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\AppData\Local\History
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Cookies
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\Application Data
[2013/05/24 18:58:17 | 000,000,000 | -HSD | C] -- C:\Users\SS\AppData\Local\Application Data
[2013/05/24 18:58:17 | 000,000,000 | -H-D | C] -- C:\Users\SS\AppData
[2013/05/24 18:58:17 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Temp
[2013/05/24 18:58:17 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Local\Microsoft
[2013/05/24 18:58:17 | 000,000,000 | ---D | C] -- C:\Users\SS\AppData\Roaming\Media Center Programs
[2013/05/24 18:57:34 | 000,142,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\poqexec.exe
[2013/05/24 18:57:34 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\poqexec.exe
[2013/05/24 18:56:26 | 000,000,000 | -HSD | C] -- C:\Recovery
[2013/05/24 09:21:01 | 000,524,800 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\iglhsip64.dll
[2013/05/24 09:21:01 | 000,519,680 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\iglhsip32.dll
[2013/05/24 09:21:01 | 000,509,248 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxsrvc.exe
[2013/05/24 09:21:01 | 000,437,760 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrtrk.lrc
[2013/05/24 09:21:01 | 000,437,248 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrtha.lrc
[2013/05/24 09:21:01 | 000,410,624 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxTMM.dll
[2013/05/24 09:21:01 | 000,276,288 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\IntelCpHeciSvc.exe
[2013/05/24 09:21:01 | 000,241,664 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\IntelOpenCL64.dll
[2013/05/24 09:21:01 | 000,216,064 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\iglhcp64.dll
[2013/05/24 09:21:01 | 000,195,584 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\IntelOpenCL32.dll
[2013/05/24 09:21:01 | 000,180,224 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\iglhcp32.dll
[2013/05/24 09:21:01 | 000,170,304 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxtray.exe
[2013/05/24 09:21:01 | 000,116,224 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxCoIn_v2843.dll
[2013/05/24 09:21:01 | 000,063,488 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxsrvc.dll
[2013/05/24 09:21:01 | 000,056,832 | ---- | C] (Khronos Group) -- C:\Windows\SysNative\Intel_OpenCL_ICD64.dll
[2013/05/24 09:21:01 | 000,056,320 | ---- | C] (Khronos Group) -- C:\Windows\SysWow64\Intel_OpenCL_ICD32.dll
[2013/05/24 09:21:00 | 009,007,616 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxress.dll
[2013/05/24 09:21:00 | 000,439,808 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrfra.lrc
[2013/05/24 09:21:00 | 000,439,808 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxresn.lrc
[2013/05/24 09:21:00 | 000,439,296 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrrus.lrc
[2013/05/24 09:21:00 | 000,439,296 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrrom.lrc
[2013/05/24 09:21:00 | 000,438,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrsky.lrc
[2013/05/24 09:21:00 | 000,438,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrptg.lrc
[2013/05/24 09:21:00 | 000,438,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrplk.lrc
[2013/05/24 09:21:00 | 000,438,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrnld.lrc
[2013/05/24 09:21:00 | 000,438,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrita.lrc
[2013/05/24 09:21:00 | 000,438,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrhrv.lrc
[2013/05/24 09:21:00 | 000,438,272 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrhun.lrc
[2013/05/24 09:21:00 | 000,438,272 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrfin.lrc
[2013/05/24 09:21:00 | 000,437,760 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrsve.lrc
[2013/05/24 09:21:00 | 000,437,760 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrslv.lrc
[2013/05/24 09:21:00 | 000,437,760 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrptb.lrc
[2013/05/24 09:21:00 | 000,437,760 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrnor.lrc
[2013/05/24 09:21:00 | 000,435,712 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrheb.lrc
[2013/05/24 09:21:00 | 000,432,128 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrjpn.lrc
[2013/05/24 09:21:00 | 000,431,104 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrkor.lrc
[2013/05/24 09:20:59 | 004,571,136 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxcmjit64.dll
[2013/05/24 09:20:59 | 003,776,512 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igfxcmjit32.dll
[2013/05/24 09:20:59 | 000,604,160 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igfxcmrt32.dll
[2013/05/24 09:20:59 | 000,501,760 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxcmrt64.dll
[2013/05/24 09:20:59 | 000,482,304 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfx11cmrt64.dll
[2013/05/24 09:20:59 | 000,448,512 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igfx11cmrt32.dll
[2013/05/24 09:20:59 | 000,441,856 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxdev.dll
[2013/05/24 09:20:59 | 000,441,152 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxpers.exe
[2013/05/24 09:20:59 | 000,440,320 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrell.lrc
[2013/05/24 09:20:59 | 000,438,784 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrdeu.lrc
[2013/05/24 09:20:59 | 000,438,272 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrcsy.lrc
[2013/05/24 09:20:59 | 000,437,248 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrdan.lrc
[2013/05/24 09:20:59 | 000,435,712 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrara.lrc
[2013/05/24 09:20:59 | 000,429,056 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrcht.lrc
[2013/05/24 09:20:59 | 000,428,544 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrchs.lrc
[2013/05/24 09:20:59 | 000,386,048 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxpph.dll
[2013/05/24 09:20:59 | 000,330,240 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igfxdv32.dll
[2013/05/24 09:20:59 | 000,286,208 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxrenu.lrc
[2013/05/24 09:20:59 | 000,251,712 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxext.exe
[2013/05/24 09:20:59 | 000,142,336 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxdo.dll
[2013/05/24 09:20:59 | 000,126,976 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxcpl.cpl
[2013/05/24 09:20:59 | 000,028,672 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igfxexps.dll
[2013/05/24 09:20:59 | 000,025,088 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igfxexps32.dll
[2013/05/24 09:20:57 | 012,601,856 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igdumd64.dll
[2013/05/24 09:20:57 | 011,038,208 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igdumd32.dll
[2013/05/24 09:20:55 | 027,662,848 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igdrcl64.dll
[2013/05/24 09:20:54 | 027,641,856 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igdrcl32.dll
[2013/05/24 09:20:53 | 009,000,256 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\igdkmd64.sys
[2013/05/24 09:20:51 | 027,435,520 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igdfcl64.dll
[2013/05/24 09:20:50 | 021,816,320 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igdfcl32.dll
[2013/05/24 09:20:50 | 003,582,976 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igdbcl64.dll
[2013/05/24 09:20:50 | 002,899,968 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igdbcl32.dll
[2013/05/24 09:20:49 | 012,833,280 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\igd10umd64.dll
[2013/05/24 09:20:48 | 011,155,968 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\igd10umd32.dll
[2013/05/24 09:20:47 | 011,591,168 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\ig7icd64.dll
[2013/05/24 09:20:47 | 008,576,000 | ---- | C] (Intel Corporation) -- C:\Windows\SysWow64\ig7icd32.dll
[2013/05/24 09:20:46 | 005,899,072 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\GfxUI.exe
[2013/05/24 09:20:46 | 000,398,656 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\hkcmd.exe
[2013/05/24 09:20:46 | 000,342,528 | ---- | C] (Intel(R) Corporation) -- C:\Windows\SysNative\drivers\IntcDAud.sys
[2013/05/24 09:20:46 | 000,184,640 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\difx64.exe
[2013/05/24 09:20:46 | 000,173,568 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\gfxSrvc.dll
[2013/05/24 09:20:46 | 000,110,592 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\hccutils.dll
[2013/05/24 09:20:46 | 000,016,896 | ---- | C] (Intel(R) Corporation) -- C:\Windows\SysNative\IntcDAuC.dll
[2013/05/24 09:20:22 | 001,721,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WdfCoInstaller01009.dll
[2013/05/24 09:20:22 | 000,789,824 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\iusb3xhc.sys
[2013/05/24 09:20:22 | 000,357,184 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\iusb3hub.sys
[2013/05/24 09:20:22 | 000,019,264 | ---- | C] (Intel Corporation) -- C:\Windows\SysNative\drivers\iusb3hcs.sys
[2013/05/24 09:16:22 | 000,110,744 | ---- | C] (Qualcomm Atheros Co., Ltd.) -- C:\Windows\SysNative\drivers\L1C62x64.sys

========== Files - Modified Within 30 Days ==========

[2013/05/26 04:41:47 | 000,377,856 | ---- | M] () -- C:\Users\SS\Desktop\mbtrlnv7.exe
[2013/05/26 04:41:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\SS\Desktop\OTL.exe
[2013/05/26 04:18:05 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1413790130-785985914-1171661357-1000UA.job
[2013/05/26 03:55:22 | 000,000,930 | ---- | M] () -- C:\Users\Public\Desktop\calibre 64bit - E-book management.lnk
[2013/05/26 03:43:07 | 000,029,984 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/05/26 03:43:07 | 000,029,984 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/05/26 03:35:29 | 000,795,402 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/05/26 03:35:29 | 000,672,282 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/05/26 03:35:29 | 000,125,014 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/05/26 03:33:24 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Users\SS\Desktop\MGADiag.exe
[2013/05/26 03:33:08 | 000,025,088 | ---- | M] () -- C:\Users\SS\Desktop\codecheck.exe
[2013/05/26 03:32:31 | 000,459,264 | ---- | M] () -- C:\Users\SS\Desktop\CKScanner.exe
[2013/05/26 03:29:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/05/26 03:29:17 | 4208,992,254 | -HS- | M] () -- C:\hiberfil.sys
[2013/05/25 21:00:00 | 000,000,366 | ---- | M] () -- C:\Windows\tasks\At1.job
[2013/05/25 17:50:57 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\SS\Desktop\dds.com
[2013/05/25 16:54:19 | 004,893,280 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/05/25 16:28:58 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/05/25 13:06:18 | 000,001,735 | ---- | M] () -- C:\Users\Public\Desktop\Lightroom 4.1 64-bit.lnk
[2013/05/25 12:18:01 | 000,000,844 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1413790130-785985914-1171661357-1000Core.job
[2013/05/25 07:29:56 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2013/05/25 06:34:56 | 000,116,385 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2013/05/25 06:34:56 | 000,116,385 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2013/05/25 06:32:59 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2013/05/25 03:23:14 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2013/05/24 23:53:14 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/05/24 23:53:13 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/05/24 21:11:48 | 000,788,782 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/05/24 20:01:51 | 000,000,954 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Wireless Connection Manager.lnk
[2013/05/24 19:57:22 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2013/05/24 19:49:43 | 000,030,528 | ---- | M] () -- C:\Windows\GVTDrv64.sys
[2013/05/24 19:49:36 | 000,025,640 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2013/05/24 19:09:51 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_iusb3hcs_01009.Wdf
[2013/05/24 19:01:08 | 000,000,019 | ---- | M] () -- C:\Windows\GSetup.ini
[2013/05/24 18:58:12 | 000,420,259 | RHS- | M] () -- C:\HECVR
[2013/05/09 13:59:07 | 001,025,808 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013/05/09 13:59:07 | 000,378,432 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013/05/09 13:59:07 | 000,189,936 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/05/09 13:59:07 | 000,072,016 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013/05/09 13:59:07 | 000,065,336 | ---- | M] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013/05/09 13:59:07 | 000,064,288 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013/05/09 13:59:06 | 000,080,816 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013/05/09 13:59:06 | 000,033,400 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013/05/09 13:58:37 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2013/05/09 13:58:11 | 000,287,840 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe

========== Files Created - No Company Name ==========

[2013/05/26 04:41:33 | 000,377,856 | ---- | C] () -- C:\Users\SS\Desktop\mbtrlnv7.exe
[2013/05/26 03:55:22 | 000,000,930 | ---- | C] () -- C:\Users\Public\Desktop\calibre 64bit - E-book management.lnk
[2013/05/26 03:33:07 | 000,025,088 | ---- | C] () -- C:\Users\SS\Desktop\codecheck.exe
[2013/05/26 03:32:30 | 000,459,264 | ---- | C] () -- C:\Users\SS\Desktop\CKScanner.exe
[2013/05/25 16:28:58 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/05/25 13:06:18 | 000,001,735 | ---- | C] () -- C:\Users\Public\Desktop\Lightroom 4.1 64-bit.lnk
[2013/05/25 13:06:18 | 000,001,731 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop Lightroom 4.1 64-bit.lnk
[2013/05/25 12:54:28 | 000,000,810 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS6 (64 Bit).lnk
[2013/05/25 12:53:53 | 000,000,784 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6 (64bit).lnk
[2013/05/25 12:52:31 | 000,000,859 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS6.lnk
[2013/05/25 12:52:27 | 000,001,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS6.lnk
[2013/05/25 12:06:12 | 000,000,896 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1413790130-785985914-1171661357-1000UA.job
[2013/05/25 12:06:12 | 000,000,844 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1413790130-785985914-1171661357-1000Core.job
[2013/05/25 07:29:56 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2013/05/25 07:29:54 | 000,383,786 | RHS- | C] () -- C:\bootmgr
[2013/05/25 06:34:43 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2013/05/25 06:34:28 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2013/05/25 06:32:59 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2013/05/25 06:30:54 | 4208,992,254 | -HS- | C] () -- C:\hiberfil.sys
[2013/05/25 03:23:14 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2013/05/24 21:31:13 | 002,209,920 | ---- | C] () -- C:\Windows\SysNative\BootMan.exe
[2013/05/24 21:31:13 | 001,774,720 | ---- | C] () -- C:\Windows\SysWow64\BootMan.exe
[2013/05/24 21:31:13 | 000,100,232 | ---- | C] () -- C:\Windows\SysNative\setupempdrvx64.exe
[2013/05/24 21:31:13 | 000,086,408 | ---- | C] () -- C:\Windows\SysWow64\setupempdrv03.exe
[2013/05/24 21:31:13 | 000,016,776 | ---- | C] () -- C:\Windows\SysNative\epmntdrv.sys
[2013/05/24 21:31:13 | 000,014,848 | ---- | C] () -- C:\Windows\SysWow64\EuEpmGdi.dll
[2013/05/24 21:31:13 | 000,014,216 | ---- | C] () -- C:\Windows\SysWow64\epmntdrv.sys
[2013/05/24 21:31:13 | 000,011,264 | ---- | C] () -- C:\Windows\SysNative\EuEpmGdi.dll
[2013/05/24 21:31:13 | 000,009,096 | ---- | C] () -- C:\Windows\SysNative\EuGdiDrv.sys
[2013/05/24 21:31:13 | 000,008,456 | ---- | C] () -- C:\Windows\SysWow64\EuGdiDrv.sys
[2013/05/24 21:30:42 | 000,000,366 | ---- | C] () -- C:\Windows\tasks\At1.job
[2013/05/24 20:24:26 | 000,001,929 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SumatraPDF.lnk
[2013/05/24 20:04:53 | 000,001,159 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2013/05/24 20:01:51 | 000,000,954 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Wireless Connection Manager.lnk
[2013/05/24 19:57:25 | 000,189,936 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/05/24 19:57:23 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013/05/24 19:57:22 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2013/05/24 19:49:43 | 000,030,528 | ---- | C] () -- C:\Windows\GVTDrv64.sys
[2013/05/24 19:10:00 | 000,031,272 | ---- | C] () -- C:\Windows\SysNative\AppleChargerSrv.exe
[2013/05/24 19:10:00 | 000,022,680 | ---- | C] () -- C:\Windows\SysNative\drivers\AppleCharger.sys
[2013/05/24 19:09:51 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_iusb3hcs_01009.Wdf
[2013/05/24 19:08:48 | 000,293,889 | ---- | C] () -- C:\Windows\SysNative\drivers\RTAIODAT.DAT
[2013/05/24 19:06:42 | 000,788,782 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/05/24 19:01:08 | 000,207,400 | ---- | C] () -- C:\Windows\GSetup.exe
[2013/05/24 19:01:08 | 000,000,019 | ---- | C] () -- C:\Windows\GSetup.ini
[2013/05/24 19:00:16 | 000,001,409 | ---- | C] () -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2013/05/24 19:00:11 | 000,001,443 | ---- | C] () -- C:\Users\SS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2013/05/24 18:58:17 | 000,000,290 | ---- | C] () -- C:\Users\SS\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2013/05/24 18:58:17 | 000,000,272 | ---- | C] () -- C:\Users\SS\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2013/05/24 18:58:11 | 000,420,259 | RHS- | C] () -- C:\HECVR
[2013/05/24 09:21:01 | 001,981,696 | ---- | C] () -- C:\Windows\SysNative\iglhxa64.cpa
[2013/05/24 09:21:01 | 000,598,780 | ---- | C] () -- C:\Windows\SysWow64\igvpkrng700.bin
[2013/05/24 09:21:01 | 000,598,780 | ---- | C] () -- C:\Windows\SysNative\igvpkrng700.bin
[2013/05/24 09:21:01 | 000,059,425 | ---- | C] () -- C:\Windows\SysNative\iglhxo64.vp
[2013/05/24 09:21:01 | 000,059,398 | ---- | C] () -- C:\Windows\SysNative\iglhxg64.vp
[2013/05/24 09:21:01 | 000,059,230 | ---- | C] () -- C:\Windows\SysNative\iglhxc64.vp
[2013/05/24 09:21:01 | 000,059,104 | ---- | C] () -- C:\Windows\SysNative\iglhxc64_dev.vp
[2013/05/24 09:21:01 | 000,058,796 | ---- | C] () -- C:\Windows\SysNative\iglhxg64_dev.vp
[2013/05/24 09:21:01 | 000,058,109 | ---- | C] () -- C:\Windows\SysNative\iglhxo64_dev.vp
[2013/05/24 09:21:01 | 000,017,026 | ---- | C] () -- C:\Windows\SysNative\iglhxs64.vp
[2013/05/24 09:21:01 | 000,001,074 | ---- | C] () -- C:\Windows\SysNative\iglhxa64.vp
[2013/05/24 09:20:59 | 000,009,728 | ---- | C] ( ) -- C:\Windows\SysNative\IGFXDEVLib.dll
[2013/05/24 09:20:50 | 000,080,384 | ---- | C] () -- C:\Windows\SysNative\igdde64.dll
[2013/05/24 09:20:50 | 000,064,512 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2013/05/24 09:20:48 | 000,755,048 | ---- | C] () -- C:\Windows\SysWow64\igcodeckrng700.bin
[2013/05/24 09:20:48 | 000,755,048 | ---- | C] () -- C:\Windows\SysNative\igcodeckrng700.bin
[2013/05/24 09:20:46 | 000,223,233 | ---- | C] () -- C:\Windows\SysNative\Gfxres.th-TH.resources
[2013/05/24 09:20:46 | 000,209,727 | ---- | C] () -- C:\Windows\SysNative\Gfxres.el-GR.resources
[2013/05/24 09:20:46 | 000,193,862 | ---- | C] () -- C:\Windows\SysNative\Gfxres.ru-RU.resources
[2013/05/24 09:20:46 | 000,165,865 | ---- | C] () -- C:\Windows\SysNative\Gfxres.ar-SA.resources
[2013/05/24 09:20:46 | 000,163,120 | ---- | C] () -- C:\Windows\SysNative\Gfxres.ja-JP.resources
[2013/05/24 09:20:46 | 000,158,727 | ---- | C] () -- C:\Windows\SysNative\Gfxres.he-IL.resources
[2013/05/24 09:20:46 | 000,149,390 | ---- | C] () -- C:\Windows\SysNative\Gfxres.it-IT.resources
[2013/05/24 09:20:46 | 000,147,759 | ---- | C] () -- C:\Windows\SysNative\Gfxres.ko-KR.resources
[2013/05/24 09:20:46 | 000,147,101 | ---- | C] () -- C:\Windows\SysNative\Gfxres.de-DE.resources
[2013/05/24 09:20:46 | 000,147,010 | ---- | C] () -- C:\Windows\SysNative\Gfxres.es-ES.resources
[2013/05/24 09:20:46 | 000,145,715 | ---- | C] () -- C:\Windows\SysNative\Gfxres.ro-RO.resources
[2013/05/24 09:20:46 | 000,145,211 | ---- | C] () -- C:\Windows\SysNative\Gfxres.fr-FR.resources
[2013/05/24 09:20:46 | 000,144,378 | ---- | C] () -- C:\Windows\SysNative\Gfxres.tr-TR.resources
[2013/05/24 09:20:46 | 000,143,976 | ---- | C] () -- C:\Windows\SysNative\Gfxres.pt-BR.resources
[2013/05/24 09:20:46 | 000,143,730 | ---- | C] () -- C:\Windows\SysNative\Gfxres.nl-NL.resources
[2013/05/24 09:20:46 | 000,143,657 | ---- | C] () -- C:\Windows\SysNative\Gfxres.hu-HU.resources
[2013/05/24 09:20:46 | 000,142,990 | ---- | C] () -- C:\Windows\SysNative\Gfxres.pt-PT.resources
[2013/05/24 09:20:46 | 000,142,617 | ---- | C] () -- C:\Windows\SysNative\Gfxres.sv-SE.resources
[2013/05/24 09:20:46 | 000,142,423 | ---- | C] () -- C:\Windows\SysNative\Gfxres.pl-PL.resources
[2013/05/24 09:20:46 | 000,142,008 | ---- | C] () -- C:\Windows\SysNative\Gfxres.cs-CZ.resources
[2013/05/24 09:20:46 | 000,141,739 | ---- | C] () -- C:\Windows\SysNative\Gfxres.fi-FI.resources
[2013/05/24 09:20:46 | 000,141,574 | ---- | C] () -- C:\Windows\SysNative\Gfxres.sk-SK.resources
[2013/05/24 09:20:46 | 000,140,779 | ---- | C] () -- C:\Windows\SysNative\Gfxres.hr-HR.resources
[2013/05/24 09:20:46 | 000,137,621 | ---- | C] () -- C:\Windows\SysNative\Gfxres.sl-SI.resources
[2013/05/24 09:20:46 | 000,137,534 | ---- | C] () -- C:\Windows\SysNative\Gfxres.nb-NO.resources
[2013/05/24 09:20:46 | 000,136,873 | ---- | C] () -- C:\Windows\SysNative\Gfxres.da-DK.resources
[2013/05/24 09:20:46 | 000,132,360 | ---- | C] () -- C:\Windows\SysNative\Gfxres.en-US.resources
[2013/05/24 09:20:46 | 000,126,035 | ---- | C] () -- C:\Windows\SysNative\Gfxres.zh-TW.resources
[2013/05/24 09:20:46 | 000,124,403 | ---- | C] () -- C:\Windows\SysNative\Gfxres.zh-CN.resources
[2013/05/24 09:20:46 | 000,094,208 | ---- | C] () -- C:\Windows\SysNative\IccLibDll_x64.dll
[2013/05/24 09:20:46 | 000,000,255 | ---- | C] () -- C:\Windows\SysNative\GfxUI.exe.config
[2012/04/20 13:59:44 | 000,001,536 | ---- | C] () -- C:\Windows\SysWow64\IusEventLog.dll

========== ZeroAccess Check ==========

[2009/07/14 09:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/02/27 10:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 09:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 06:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 08:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 06:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
ssmad

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 8:23 pm

OTL Extras

OTL Extras logfile created on: 5/26/2013 4:44:26 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\SS\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

15.89 Gb Total Physical Memory | 13.09 Gb Available Physical Memory | 82.35% Memory free
31.78 Gb Paging File | 29.01 Gb Available in Paging File | 91.26% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97.56 Gb Total Space | 48.30 Gb Free Space | 49.51% Space Free | Partition Type: NTFS
Drive D: | 370.62 Gb Total Space | 330.59 Gb Free Space | 89.20% Space Free | Partition Type: NTFS
Drive E: | 364.24 Gb Total Space | 282.16 Gb Free Space | 77.47% Space Free | Partition Type: NTFS
Drive F: | 1030.49 Gb Total Space | 595.25 Gb Free Space | 57.76% Space Free | Partition Type: NTFS
Drive G: | 465.75 Gb Total Space | 238.88 Gb Free Space | 51.29% Space Free | Partition Type: NTFS
Drive I: | 931.48 Gb Total Space | 369.81 Gb Free Space | 39.70% Space Free | Partition Type: NTFS
Drive T: | 931.48 Gb Total Space | 387.29 Gb Free Space | 41.58% Space Free | Partition Type: NTFS

Computer Name: SS-PC | User Name: SS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1413790130-785985914-1171661357-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [Bridge] -- F:\Adobe Install Dir\Adobe Bridge CS6 (64 Bit)\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [Bridge] -- F:\Adobe Install Dir\Adobe Bridge CS6 (64 Bit)\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{8FA8A509-EDAC-42A3-896D-BC8FE7F24477}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{56E65A82-39F0-4FB3-9E06-B58CCCA4E6D6}" = calibre 64bit
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{D8CC254C-C671-4664-9A38-FA368D1E2C97}" = SES Driver
"{F4404AFD-2EF3-40C1-8C09-29E5F3B6972B}" = Intel® Trusted Connect Service Client
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F7ADB493-B913-4D61-9A63-DA736C20C3F2}" = Adobe Photoshop Lightroom 4.1 64-bit
"422991454CB076E9B856C21BBF99AF2B82317EDA" = Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (03/06/2009 1.0.0008.0)
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"TeraCopy_is1" = TeraCopy 2.27
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{240C3DDD-C5E9-4029-9DF7-95650D040CF2}" = Intel(R) USB 3.0 eXtensible Host Controller Driver
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3DECD372-76A1-4483-BF10-B547790A3261}" = ON_OFF Charge B12.1025.1
"{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B12.1121.1
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{6845255F-15CC-4DD1-94D5-D38F370118B3}_is1" = Auslogics Duplicate File Finder
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}" = Adobe Photoshop CS6
"{91B9368F-6C6F-3DB5-9CBA-6CAD56035B26}" = Google Talk Plugin
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}" = @BIOS
"{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}" = PDF Settings CS6
"{C75FAD21-EC08-42F3-92D6-C9C0AB355345}" = AutoGreen B12.0206.1
"{D9198056-A296-4583-A790-C0E73694CFE8}" = D-Link DWA-131 Wireless N Nano USB Adapter
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FCB3772C-B7D0-4933-B1A9-3707EBACC573}" = Intel(R) SDK for OpenCL - CPU Only Runtime Package
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"EASEUS Partition Master Professional Edition_is1" = EASEUS Partition Master 6.0.1 Professional
"InstallShield_{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B12.1121.1
"InstallShield_{C75FAD21-EC08-42F3-92D6-C9C0AB355345}" = AutoGreen B12.0206.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Media Monkey" = Media Monkey 3.2.5
"MediaMonkey_is1" = MediaMonkey 3.2
"Mozilla Firefox 21.0 (x86 en-US)" = Mozilla Firefox 21.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"SumatraPDF" = SumatraPDF
"VLC media player" = VLC media player 2.0.6

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/24/2013 12:30:02 PM | Computer Name = SS-PC | Source = WinMgmt | ID = 10
Description =

Error - 5/25/2013 2:55:50 AM | Computer Name = SS-PC | Source = WinMgmt | ID = 10
Description =

Error - 5/25/2013 6:57:33 AM | Computer Name = SS-PC | Source = Application Hang | ID = 1002
Description = The program explorer.exe version 6.1.7601.17567 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 478 Start
Time: 01ce591f26529b5a Termination Time: 5 Application Path: C:\Windows\explorer.exe

Report
Id: f58c54aa-c528-11e2-9216-94de8025841f

Error - 5/25/2013 7:30:20 AM | Computer Name = SS-PC | Source = Application Hang | ID = 1002
Description = The program mbam-setup-1.75.0.1300.tmp version 51.52.0.0 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 8c8 Start
Time: 01ce593b02d798eb Termination Time: 5 Application Path: C:\Users\SS\AppData\Local\Temp\is-2LEVP.tmp\mbam-setup-1.75.0.1300.tmp

Report
Id:

Error - 5/25/2013 7:54:13 AM | Computer Name = SS-PC | Source = WinMgmt | ID = 10
Description =

Error - 5/25/2013 8:02:55 AM | Computer Name = SS-PC | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.1.7601.17567 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 5bc Start
Time: 01ce593e6dfe41d2 Termination Time: 60000 Application Path: C:\Windows\Explorer.EXE

Report
Id: dae89afb-c532-11e2-b0a9-94de8025841f

Error - 5/25/2013 11:29:42 AM | Computer Name = SS-PC | Source = WinMgmt | ID = 10
Description =

Error - 5/25/2013 4:55:43 PM | Computer Name = SS-PC | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.1.7601.17567 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 55c Start
Time: 01ce595c7f63d257 Termination Time: 60000 Application Path: C:\Windows\Explorer.EXE

Report
Id: 491be571-c57d-11e2-a536-94de8025841f

Error - 5/25/2013 5:04:39 PM | Computer Name = SS-PC | Source = WinMgmt | ID = 10
Description =

Error - 5/25/2013 6:31:05 PM | Computer Name = SS-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 5/25/2013 6:32:27 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:32:27 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:32:27 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:32:27 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:32:27 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:37:33 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:37:33 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:37:33 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:37:33 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.

Error - 5/25/2013 6:37:33 PM | Computer Name = SS-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk4\DR4.
< End of report >
ssmad
Regular Member
Posts: 41
Joined: May 25th, 2013, 12:10 pm

Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 8:27 pm

Gmer Part1

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-26 05:18:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST2000VX000-1CU164 rev.CV22 1863.02GB
Running: mbtrlnv7.exe; Driver: C:\Users\SS\AppData\Local\Temp\pxldypoc.sys


---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 000000014a1f0470
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 000000014a1f0460
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 000000014a1f0370
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 000000014a1f0480
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 000000014a1f03e0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 000000014a1f0320
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 000000014a1f03b0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 000000014a1f0390
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 000000014a1f02e0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 000000014a1f0440
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 000000014a1f02d0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 000000014a1f0310
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 000000014a1f03c0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 000000014a1f03f0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 000000014a1f0230
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0xffffffffd330e890}
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 000000014a1f0490
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 000000014a1f03a0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 000000014a1f02f0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 000000014a1f0350
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 000000014a1f0290
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 000000014a1f02b0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 000000014a1f03d0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 000000014a1f0330
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0xffffffffd330e590}
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 000000014a1f0410
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 000000014a1f0240
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 000000014a1f01e0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 000000014a1f0250
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0xffffffffd330e090}
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 000000014a1f04a0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ee2200 5 bytes JMP 000000014a1f04b0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ee2230 5 bytes JMP 000000014a1f0300
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ee2240 5 bytes JMP 000000014a1f0360
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ee22a0 5 bytes JMP 000000014a1f02a0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ee22f0 5 bytes JMP 000000014a1f02c0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ee2320 5 bytes JMP 000000014a1f0380
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ee2330 5 bytes JMP 000000014a1f0340
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ee2620 5 bytes JMP 000000014a1f0450
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ee2820 5 bytes JMP 000000014a1f0260
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ee2830 5 bytes JMP 000000014a1f0270
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ee2840 5 bytes JMP 000000014a1f0400
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ee2a00 5 bytes JMP 000000014a1f01f0
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ee2a10 5 bytes JMP 000000014a1f0210
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ee2a80 5 bytes JMP 000000014a1f0200
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ee2ae0 5 bytes JMP 000000014a1f0420
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ee2af0 5 bytes JMP 000000014a1f0430
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ee2b00 5 bytes JMP 000000014a1f0220
.text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ee2be0 5 bytes JMP 000000014a1f0280
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 0000000077040470
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 0000000077040460
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000077040370
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 0000000077040480
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 00000000770403e0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 0000000077040320
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 00000000770403b0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 0000000077040390
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 00000000770402e0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 0000000077040440
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 00000000770402d0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 0000000077040310
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 00000000770403c0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 00000000770403f0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000077040230
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 0000000077040490
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 00000000770403a0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 00000000770402f0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 0000000077040350
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 0000000077040290
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 00000000770402b0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 00000000770403d0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 0000000077040330
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 0000000077040410
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 0000000077040240
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000000770401e0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 0000000077040250
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 00000000770404a0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ee2200 5 bytes JMP 00000000770404b0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ee2230 5 bytes JMP 0000000077040300
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ee2240 5 bytes JMP 0000000077040360
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ee22a0 5 bytes JMP 00000000770402a0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ee22f0 5 bytes JMP 00000000770402c0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ee2320 5 bytes JMP 0000000077040380
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ee2330 5 bytes JMP 0000000077040340
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ee2620 5 bytes JMP 0000000077040450
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ee2820 5 bytes JMP 0000000077040260
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ee2830 5 bytes JMP 0000000077040270
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ee2840 5 bytes JMP 0000000077040400
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ee2a00 5 bytes JMP 00000000770401f0
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ee2a10 5 bytes JMP 0000000077040210
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ee2a80 5 bytes JMP 0000000077040200
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ee2ae0 5 bytes JMP 0000000077040420
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ee2af0 5 bytes JMP 0000000077040430
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ee2b00 5 bytes JMP 0000000077040220
.text C:\Windows\system32\wininit.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ee2be0 5 bytes JMP 0000000077040280
.text C:\Windows\system32\wininit.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dceecd 1 byte [62]
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 000000014a1f0470
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 000000014a1f0460
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 000000014a1f0370
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 000000014a1f0480
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 000000014a1f03e0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 000000014a1f0320
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 000000014a1f03b0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 000000014a1f0390
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 000000014a1f02e0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 000000014a1f0440
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 000000014a1f02d0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 000000014a1f0310
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 000000014a1f03c0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 000000014a1f03f0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 000000014a1f0230
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0xffffffffd330e890}
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 000000014a1f0490
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 000000014a1f03a0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 000000014a1f02f0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 000000014a1f0350
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 000000014a1f0290
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 000000014a1f02b0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 000000014a1f03d0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 000000014a1f0330
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0xffffffffd330e590}
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 000000014a1f0410
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 000000014a1f0240
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 000000014a1f01e0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 000000014a1f0250
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0xffffffffd330e090}
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 000000014a1f04a0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ee2200 5 bytes JMP 000000014a1f04b0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ee2230 5 bytes JMP 000000014a1f0300
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ee2240 5 bytes JMP 000000014a1f0360
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ee22a0 5 bytes JMP 000000014a1f02a0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ee22f0 5 bytes JMP 000000014a1f02c0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ee2320 5 bytes JMP 000000014a1f0380
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ee2330 5 bytes JMP 000000014a1f0340
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ee2620 5 bytes JMP 000000014a1f0450
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ee2820 5 bytes JMP 000000014a1f0260
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ee2830 5 bytes JMP 000000014a1f0270
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ee2840 5 bytes JMP 000000014a1f0400
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ee2a00 5 bytes JMP 000000014a1f01f0
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ee2a10 5 bytes JMP 000000014a1f0210
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ee2a80 5 bytes JMP 000000014a1f0200
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ee2ae0 5 bytes JMP 000000014a1f0420
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ee2af0 5 bytes JMP 000000014a1f0430
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ee2b00 5 bytes JMP 000000014a1f0220
.text C:\Windows\system32\csrss.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ee2be0 5 bytes JMP 000000014a1f0280
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 0000000100070470
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 0000000100070460
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000100070370
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 0000000100070480
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 00000001000703e0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 0000000100070320
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 00000001000703b0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 0000000100070390
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 00000001000702e0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 0000000100070440
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 00000001000702d0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 0000000100070310
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 00000001000703c0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 00000001000703f0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000100070230
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0xffffffff8918e890}
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 0000000100070490
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 00000001000703a0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 00000001000702f0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 0000000100070350
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 0000000100070290
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 00000001000702b0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 00000001000703d0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 0000000100070330
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0xffffffff8918e590}
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 0000000100070410
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 0000000100070240
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 0000000100070250
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0xffffffff8918e090}
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 00000001000704a0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ee2200 5 bytes JMP 00000001000704b0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ee2230 5 bytes JMP 0000000100070300
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ee2240 5 bytes JMP 0000000100070360
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ee22a0 5 bytes JMP 00000001000702a0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ee22f0 5 bytes JMP 00000001000702c0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ee2320 5 bytes JMP 0000000100070380
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ee2330 5 bytes JMP 0000000100070340
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ee2620 5 bytes JMP 0000000100070450
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ee2820 5 bytes JMP 0000000100070260
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ee2830 5 bytes JMP 0000000100070270
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ee2840 5 bytes JMP 0000000100070400
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ee2a00 5 bytes JMP 00000001000701f0
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ee2a10 5 bytes JMP 0000000100070210
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ee2a80 5 bytes JMP 0000000100070200
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ee2ae0 5 bytes JMP 0000000100070420
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ee2af0 5 bytes JMP 0000000100070430
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ee2b00 5 bytes JMP 0000000100070220
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ee2be0 5 bytes JMP 0000000100070280
.text C:\Windows\system32\services.exe[688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dceecd 1 byte [62]
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 0000000077040470
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 0000000077040460
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000077040370
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 0000000077040480
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 00000000770403e0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 0000000077040320
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 00000000770403b0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 0000000077040390
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 00000000770402e0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 0000000077040440
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 00000000770402d0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 0000000077040310
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 00000000770403c0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 00000000770403f0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000077040230
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 0000000077040490
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 00000000770403a0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 00000000770402f0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 0000000077040350
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 0000000077040290
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 00000000770402b0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 00000000770403d0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 0000000077040330
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 0000000077040410
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 0000000077040240
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000000770401e0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 0000000077040250
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 00000000770404a0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ee2200 5 bytes JMP 00000000770404b0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ee2230 5 bytes JMP 0000000077040300
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ee2240 5 bytes JMP 0000000077040360
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ee22a0 5 bytes JMP 00000000770402a0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ee22f0 5 bytes JMP 00000000770402c0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ee2320 5 bytes JMP 0000000077040380
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ee2330 5 bytes JMP 0000000077040340
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ee2620 5 bytes JMP 0000000077040450
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ee2820 5 bytes JMP 0000000077040260
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ee2830 5 bytes JMP 0000000077040270
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ee2840 5 bytes JMP 0000000077040400
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ee2a00 5 bytes JMP 00000000770401f0
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ee2a10 5 bytes JMP 0000000077040210
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ee2a80 5 bytes JMP 0000000077040200
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ee2ae0 5 bytes JMP 0000000077040420
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ee2af0 5 bytes JMP 0000000077040430
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ee2b00 5 bytes JMP 0000000077040220
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ee2be0 5 bytes JMP 0000000077040280
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 0000000077040470
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 0000000077040460
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000077040370
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 0000000077040480
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 00000000770403e0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 0000000077040320
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 00000000770403b0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 0000000077040390
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 00000000770402e0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 0000000077040440
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 00000000770402d0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 0000000077040310
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 00000000770403c0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 00000000770403f0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000077040230
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 0000000077040490
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 00000000770403a0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 00000000770402f0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 0000000077040350
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 0000000077040290
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 00000000770402b0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 00000000770403d0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 0000000077040330
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 0000000077040410
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 0000000077040240
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000000770401e0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 0000000077040250
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 00000000770404a0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ee2200 5 bytes JMP 00000000770404b0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ee2230 5 bytes JMP 0000000077040300
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ee2240 5 bytes JMP 0000000077040360
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ee22a0 5 bytes JMP 00000000770402a0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ee22f0 5 bytes JMP 00000000770402c0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ee2320 5 bytes JMP 0000000077040380
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ee2330 5 bytes JMP 0000000077040340
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ee2620 5 bytes JMP 0000000077040450
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ee2820 5 bytes JMP 0000000077040260
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ee2830 5 bytes JMP 0000000077040270
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ee2840 5 bytes JMP 0000000077040400
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ee2a00 5 bytes JMP 00000000770401f0
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ee2a10 5 bytes JMP 0000000077040210
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ee2a80 5 bytes JMP 0000000077040200
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ee2ae0 5 bytes JMP 0000000077040420
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ee2af0 5 bytes JMP 0000000077040430
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ee2b00 5 bytes JMP 0000000077040220
.text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ee2be0 5 bytes JMP 0000000077040280
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 0000000077040470
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 0000000077040460
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000077040370
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 0000000077040480
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 00000000770403e0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 0000000077040320
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 00000000770403b0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 0000000077040390
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 00000000770402e0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 0000000077040440
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 00000000770402d0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 0000000077040310
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 00000000770403c0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 00000000770403f0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000077040230
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 0000000077040490
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 00000000770403a0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 00000000770402f0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 0000000077040350
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 0000000077040290
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 00000000770402b0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 00000000770403d0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 0000000077040330
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0x15e590}
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 0000000077040410
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 0000000077040240
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000000770401e0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 0000000077040250
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0x15e090}
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 00000000770404a0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ee2200 5 bytes JMP 00000000770404b0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ee2230 5 bytes JMP 0000000077040300
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ee2240 5 bytes JMP 0000000077040360
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ee22a0 5 bytes JMP 00000000770402a0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ee22f0 5 bytes JMP 00000000770402c0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ee2320 5 bytes JMP 0000000077040380
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ee2330 5 bytes JMP 0000000077040340
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ee2620 5 bytes JMP 0000000077040450
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ee2820 5 bytes JMP 0000000077040260
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ee2830 5 bytes JMP 0000000077040270
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ee2840 5 bytes JMP 0000000077040400
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ee2a00 5 bytes JMP 00000000770401f0
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ee2a10 5 bytes JMP 0000000077040210
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ee2a80 5 bytes JMP 0000000077040200
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ee2ae0 5 bytes JMP 0000000077040420
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ee2af0 5 bytes JMP 0000000077040430
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ee2b00 5 bytes JMP 0000000077040220
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ee2be0 5 bytes JMP 0000000077040280
.text C:\Windows\system32\winlogon.exe[772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ee13c0 5 bytes JMP 0000000100070470
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ee1410 5 bytes JMP 0000000100070460
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000100070370
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ee15c0 5 bytes JMP 0000000100070480
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ee15d0 5 bytes JMP 00000001000703e0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ee1680 5 bytes JMP 0000000100070320
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ee16b0 5 bytes JMP 00000001000703b0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ee16d0 5 bytes JMP 0000000100070390
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ee1710 5 bytes JMP 00000001000702e0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076ee1760 5 bytes JMP 0000000100070440
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ee1790 5 bytes JMP 00000001000702d0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ee17b0 5 bytes JMP 0000000100070310
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ee17f0 5 bytes JMP 00000001000703c0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ee1840 5 bytes JMP 00000001000703f0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000100070230
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0xffffffff8918e890}
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ee1b60 5 bytes JMP 0000000100070490
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ee1b90 5 bytes JMP 00000001000703a0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ee1c70 5 bytes JMP 00000001000702f0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ee1c80 5 bytes JMP 0000000100070350
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ee1ce0 5 bytes JMP 0000000100070290
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ee1d70 5 bytes JMP 00000001000702b0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ee1d90 5 bytes JMP 00000001000703d0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ee1da0 1 byte JMP 0000000100070330
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076ee1da2 3 bytes {JMP 0xffffffff8918e590}
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ee1e10 5 bytes JMP 0000000100070410
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ee1e40 5 bytes JMP 0000000100070240
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ee21c0 1 byte JMP 0000000100070250
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076ee21c2 3 bytes {JMP 0xffffffff8918e090}
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ee21f0 5 bytes JMP 00000001000704a0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys
ssmad

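The hook lines above are GMER's user-mode inline-hook report: one record per process, patched export, address and jump target. Reading several hundred of them by eye is slow, so here is a small parser, added for this page and not part of the original post or of GMER itself, that groups the records per process and surfaces what a helper normally checks first: whether every listed process carries the same set of hooked ntdll exports with trampolines in one code region (the pattern a user-mode security product produces when it injects into every process), and whether any export or jump target stands apart from that pattern. The sample log is a handful of lines copied from the post plus one constructed record (the NtCreateFile line; its address and target are invented) so that the outlier path is exercised. The regular expression and the classification rules are this example's own assumptions about the log format, not a documented GMER specification.

```python
"""Parse GMER user-mode hook records and summarise them per process.

Record shape as it appears in the log:
  .text <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> byte(s) <patch>
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<nbytes>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
JMP_RE = re.compile(r"JMP\s+(?:0x)?(?P<target>[0-9a-fA-F]+)")

# Lines copied from the post above, plus one CONSTRUCTED record (NtCreateFile,
# invented address and target) that hooks an export no other process hooks.
SAMPLE_LOG = r"""
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000100070370
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000100070230
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0xffffffff8918e890}
.text C:\Windows\system32\services.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\services.exe[688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076dceecd 1 byte [62]
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000077040370
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000077040230
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0x15e890}
.text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000000770401e0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ee1570 5 bytes JMP 0000000100070370
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ee19a0 1 byte JMP 0000000100070230
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076ee19a2 3 bytes {JMP 0xffffffff8918e890}
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ee2100 5 bytes JMP 00000001000701e0
.text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076ee1420 5 bytes JMP 0000000005a10000
"""


def parse_hook_line(line):
    """Return one hook record as a dict, or None for lines that are not hook records."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    jmp = JMP_RE.search(d["patch"])
    return {
        "proc": d["proc"],
        "pid": int(d["pid"]),
        "module": d["module"].rsplit("\\", 1)[-1].lower(),
        "func": d["func"],
        "off": int(d["off"]) if d["off"] else 0,
        "addr": int(d["addr"], 16),
        "nbytes": int(d["nbytes"]),
        "patch": d["patch"],
        "target": int(jmp.group("target"), 16) if jmp else None,
        # GMER reports some 5-byte JMPs as "1 byte JMP x" followed by a
        # "+ 2 ... 3 bytes {JMP ...}" line; the braced line is a continuation
        # of the same hook, not a second one.
        "continuation": bool(d["off"]) and d["patch"].startswith("{"),
    }


def summarise(log_text):
    """Group hooks by process: hooked exports, trampoline pages, raw byte patches."""
    per_proc = defaultdict(lambda: {"exports": set(), "pages": defaultdict(set), "byte_patches": []})
    for line in log_text.splitlines():
        h = parse_hook_line(line)
        if h is None or h["continuation"]:
            continue
        entry = per_proc["%s[%d]" % (h["proc"], h["pid"])]
        name = "%s!%s" % (h["module"], h["func"])
        if h["target"] is None:
            # A patched byte with no jump, e.g. "[62]": record it separately.
            entry["byte_patches"].append((name, h["off"], h["patch"]))
        else:
            entry["exports"].add(name)
            entry["pages"][h["target"] >> 12].add(name)  # 4 KiB page holding the trampoline
    return dict(per_proc)


def find_outliers(per_proc):
    """Exports hooked in only some processes; a product hooking everything hooks the same set everywhere."""
    where = defaultdict(list)
    for proc, entry in per_proc.items():
        for name in entry["exports"]:
            where[name].append(proc)
    return {name: sorted(p) for name, p in where.items() if len(p) < len(per_proc)}


def find_stray_targets(per_proc):
    """Per process, jump targets outside the page that holds most of its trampolines."""
    stray = {}
    for proc, entry in per_proc.items():
        if len(entry["pages"]) > 1:
            main_page = max(entry["pages"], key=lambda p: len(entry["pages"][p]))
            stray[proc] = {hex(p << 12): sorted(names)
                           for p, names in entry["pages"].items() if p != main_page}
    return stray


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for proc, entry in summary.items():
        print(proc, len(entry["exports"]), "hooked exports, trampoline pages:",
              [hex(p << 12) for p in entry["pages"]], "byte patches:", entry["byte_patches"])
    print("hooked in only some processes:", find_outliers(summary))
    print("targets off the main trampoline page:", find_stray_targets(summary))
```

Run it over the whole log rather than the excerpt. When both reports come back empty, every listed process carries the same hooked exports with all trampolines in one region per process, which is consistent with security software that injects into every process; that consistency alone does not prove the hooks benign, but an export or target that breaks the pattern is where a helper would look first.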
Re: External WD HD infected with Win32:Kryptik.LQL

Unread postby ssmad » May 25th, 2013, 8:32 pm

Gmer Part2

ssmad
Regular Member
 
Posts: 41
Joined: May 25th, 2013, 12:10 pm